CyberWire Daily - Cryptojacking criminal capers continue. [Research Saturday]
Episode Date: October 6, 2018
Researchers at Palo Alto Networks' Unit 42 have been tracking the rise of cryptocurrency mining operations run by criminal groups around the world. Ryan Olson is V.P. of threat intelligence at Palo Alto Networks, and he joins us to share what they've learned. The original research can be found here: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rise-cryptocurrency-miners/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So we've seen attacks that involved cryptocurrency mining since basically the beginning of cryptocurrency mining.
That's Ryan Olson. He's the vice president of threat intelligence for Palo Alto Networks' Unit 42.
The research we're discussing today is titled The Rise of the Cryptocurrency Miners.
It was originally authored by Josh Grunzweig.
People would try to install a miner, a program that actually performed all the cryptocurrency mining calculations on somebody else's computer to make use of their CPU power.
But they weren't very common until around late last year, sort of the end of 2017 and the beginning of 2018, when we started to see this big rise. And it was really pretty well aligned with the rise of Bitcoin and other cryptocurrency prices at that time.
In November of last year, Bitcoin was shooting up close to $20,000 per coin,
and other cryptocurrencies were rising right along with it. And as those prices rose,
we started seeing attackers who had previously been launching a lot of ransomware attacks,
other things that they could use to sort of make money in a large, wide-scale attack,
shift to instead installing programs that would mine cryptocurrency.
And then we started seeing more of that adoption throughout 2018.
And we're still seeing quite a bit of it today.
Even though the prices have come down quite a bit from where they were late last year,
they're still a lot higher than they were two or three years ago. And it's still very profitable for them to mine cryptocurrency,
not necessarily Bitcoin, other coins, especially a big one that's called Monero,
mining that rather than launching other kinds of attacks.
So let's, again, you know, just sort of addressing the basics here. When we say that someone
is crypto jacking and crypto mining, what are we talking about?
So when it comes to the way most cryptocurrencies work, they rely on these things called blockchains.
And the way the blockchains operate is it's a distributed ledger. And every time someone
wants to transfer some part of the coin to another part of the coin, some calculations
have to be performed as this proof of work to confirm that this was actually a legitimate
transaction. And that's what we call mining.
And the reason we call it mining is through the process of running all those calculations,
there's a reward at the end.
The first person who solves that little mathematical problem correctly first,
they get some of the cryptocurrency as a reward.
So they might get Bitcoin, they might get Monero,
just depending on who they're actually mining for.
And because of this, there's huge server farms around the world
that are mining all these different kinds of cryptocurrency. And they're using both regular
CPUs, like the kind in your computer, as well as specialized hardware to do this as fast as
possible because they want to win the race. And what we've seen from an attacker's perspective
is people trying to co-opt your CPU or your GPU in some cases to make use of that
processing power to mine coins on their behalf so that they can get that reward rather than
somebody else. And so can you describe to us what are the range of ways that they would
get on my computer or attack my enterprise's system to be able to do this sort of thing?
So there's really two primary ways that we see what I would refer to as illicit crypto mining. You could call it crypto jacking, but sometimes that gets confused
with stealing cryptocurrency from other people, but sort of the illicit process of mining coins.
And one is through your browser, and the other one is by hijacking your computer with malware.
So the browser-based ones are relatively straightforward. Someone inserts some
JavaScript into a webpage, and when
you're visiting that webpage, in the background, you don't see it visibly. There is cryptocurrency
being mined. Your CPU is being used just by your browser to try and mine cryptocurrency.
And this was originally started as a way for people to make money off of views to their website
that didn't require them selling ads. It sort of made sense. You loan a little bit of your CPU power while you're visiting
someone's website. If they tell you about it, that's totally okay.
They can say, we're not going to show you any ads, but we're going to use a little bit of your CPU
time while you're on our page. And if it's done up front like that, then it's okay.
But we saw a lot of injections of JavaScript into pages
without people's knowledge. It was
really just stealing their CPU time, which means their power, as well as wear and tear on their
computer to generate currency for other people. So JavaScript crypto mining, that's one sort of
big category that we see. The other one is what I'd say is executable-based crypto mining, where
the same way that someone would infect your computer with a piece of malware, be it ransomware or a banking trojan or something else, they use the same techniques,
but the eventual payload, the thing that's actually going to do something on your computer,
instead just mines cryptocurrency. And it mines it on behalf of the attacker so that they can
make money. Those are our two big categories. Let's dig into some of the research that you
did here. You identified a high number of unique samples of cryptocurrency miners.
Can you take us through what you found?
Yeah, so Palo Alto Networks operates a very big platform, a security platform to defend all of our customers.
And one component of that collects malicious executable files.
When they're passing through our firewalls or they're running on hosts that have our agent installed on them, we can look at them and determine if they're malicious or if
they're legitimate files. And late last year, we started seeing an uptick in the ones that were
performing these cryptocurrency mining activities. So we started digging into them more closely
and trying to understand sort of some stats related to them. How common are they? Which
currencies are being mined the most? And really, how big of an impact is this? And what we found was they were very common. We were starting to
see them displace a lot of the ransomware attacks that we'd been seeing since 2013 forward.
And the currency we saw most commonly mined is called Monero. And that's for a few different
reasons. Monero has a couple, there's tons of cryptocurrencies out there, hundreds of them.
Only a few of them have enough popularity that they have a lot of value,
but Monero is one of them.
And the reason that it has value, people are interested in it, is it has a couple interesting
properties.
One is that Monero is a closed blockchain. With Bitcoin, as an open blockchain,
you can see every single transaction.
I can know that one wallet transferred, you know, part of a coin to another wallet. I don't know who owns those wallets necessarily, but if I own one of them
and I know who owns the other one, I can see all the transactions related to them. Monero is closed,
so you can't actually go and see how those transactions operate. They've built it with
privacy in mind. That was the goal. The second thing is that Monero was designed so that the
calculations that you have to perform to mine the
coins are very hard to build into specialized mining equipment like an ASIC or special hardware.
So instead, Monero is very effective to be mined on the regular Intel CPU that's inside your laptop.
And because of those two things together, you have a currency that's very privacy focused. So
if someone does get coins that were mined illicitly, it's harder for someone to track down who actually owns them.
And second, they can actually mine them on CPUs you can infect and actually make good money.
Made it by far the most popular cryptocurrency that we're seeing mined today, much more than Bitcoin.
Now, you did some interesting detective work when it comes to digging up some of these Monero statistics.
Despite it being privacy-based or privacy-focused, I suppose, you were able to still figure some things out.
Yeah. So first, I'd like to say that the researcher behind all this, his name is Josh Grunzweig.
He's a member of Unit 42 at Palo Alto Networks, and he did all of this digging, and it was fantastic work.
And what Josh figured out was, and this is relatively straightforward, but even though
the wallets are secretive, you can't see the transactions from wallet to wallet, the way
that the mining system works is that people mine all these computers together into what's
called pools, pools of miners who are all working together.
And the reason for that is, if you were to just run a
single computer and you're trying to mine the next block in the blockchain for Monero, the chance of
you being successful is extremely low on a single computer because there's so many other computers
that are competing. And it's just one system that actually gets the reward. And those rewards only
come out every few minutes. So you could spend a lot of time and a lot of power and not get anything.
So instead, people combine together into what we call mining pools. So if you get, let's say,
10,000 computers all together into a mining pool, and you're all working together and you agree that based off of the amount of calculations that you performed, you're going to split the reward
evenly across your pool, then you can get a much more consistent return. So what the people who are running these illicit cryptocurrency mining attacks were doing is
actually working inside these pools, which means if you can find information from the
pool, you can say, look at the malware and see which pool it's working with and look
at the identification number that's actually coming in the miner.
It has to tell the pool, hey, I'm this ID number, so that it can actually get credit for its mining operations, we can actually find out from the pool
how successful each of those miners was. So we would go and look at all the executables that
we saw coming in through our platform, look at the cryptocurrency mining pool they were using,
look at the IDs that were being used by those individual miners, and then extract out how much
had they actually mined, how much had they made, which is how we're able to determine the total number of
XMR. That's the term that we use for Monero. The Monero coins were attributed to those miners and
to get basic ideas about the value of those coins as well. And it's not a small number.
Take us through, what are the total XMRs and what does that add up to in terms of dollars?
Yeah. So, I mean, the price of the cryptocurrencies vary over time. Back when we were first
calculating all of this, this was in May, we'd seen the total value of all the XMR was about
143 million US dollars. This was about 800,000 or so XMR that had been mined at that point.
And the value of the currency was around $180. The price is a little bit lower now, but it's actually about half what it was at that time because Monero has seen a drop off along with
Bitcoin and some other coins. But no matter what, we're talking about tens of millions of dollars.
And if they actually exchanged their Monero at that time for US dollars, then they made that
money and they've got it in another
kind of currency, which might not have lost as much value. Now, what is your sense for what kind
of margins they might be running at? I mean, is this obviously it's profitable enough that they're
doing it, but do you have any sense there? We don't know exactly what their costs are.
Generally, we think about cryptocurrency mining margins. We're thinking about you've got to buy
hardware and then you've got to power that hardware and cool it and everything else. So that for mining
Bitcoin, there's a lot of expense in that. In this case, they are stealing other people's power and
their hardware. So they're using somebody else's laptop, somebody else's server, whatever it is
that they were able to infect. And because of that, their cost is really more of an opportunity
cost of what could I have done with that compromised computer as an alternative to
mining Monero. So if we think about it as a ransomware attacker, previously, they would
have held that computer for ransom and said, you know, you need to pay us $500 in Bitcoin or
possibly another cryptocurrency. And if you don't, we won't give you your files
back. They probably could have got $500 in a small fraction of the total number of infections.
Not everyone pays. Some people have backups. Some people just can't get the currency to pay
for whatever reason. So there's some fraction of that $500 per system. So they have to do that
calculation of what would my return have been on a host if I could have used it for an alternative purpose like ransomware compared to running this miner for a certain amount of time.
And that involves how do I keep my miner on the host as long as possible and keep it stealthy?
Because if it only mines for five minutes, you're not going to make very much money.
If it mines for a year, that could be a really big payoff for the attacker compared to what they might have made on the same host for ransomware. And second thing to consider when it comes to that
ROI calculation compared to the trade-off is, where is this computer located? And this is
something that I think is most advantageous for the crypto miners right now. If you infect a
computer with ransomware, and let's say it's in Bangladesh, you might infect a computer
that the person who owns it might not have enough money to pay a ransom. They might not have any
data on it that's really worthwhile that they are willing to pay for. But if you infect it with a
crypto miner, it's the same computer. It still runs at the same clock rate as that computer in
another place in the world, no matter who owns it and what kind of data is on it.
Which means from an indiscriminate attack perspective, sort of just targeting as many systems as possible, you can be really effective with crypto mining.
And you just might not be as effective with ransomware.
With ransomware, you've got to make sure you target the language correctly.
You've got to make sure the person is capable of understanding the message of, hey, we're holding your files for ransom.
You've got to make sure that they also then have money and are able to pay it up. And all of that has a cost associated with it,
either time or just sort of wasted infections, basically. So some attackers might be starting to choose, hey, if I know that the system that I'm going to infect is in a certain location or
of a certain type, maybe I install a miner on that and I'll focus my ransomware efforts in
places where people are more likely to pay up. It seems that the cryptocurrency mining is more of a
nuisance problem rather than the catastrophic problem that ransomware can be. Absolutely.
If I have the cryptocurrency running on my system, I might not even know. And it's not going to be the
bad day that the ransomware attack is going to be. It's not going to attract my attention. I'm not going to call
law enforcement. Yeah. And that decreases the risk of running that attack. If you don't experience
and if the victim doesn't experience the impact or it's not an impact that they can relay to law
enforcement and tell them what their actual cost was, it's much less likely that law enforcement
is going to be able to go and pursue them, arrest them, put them in jail. And that's one of the big risks of criminal activity.
And if you think about the history of attacks, this isn't really new. Ransomware is really one
of the first malware, which is now really sort of an attack class, that is really in your face.
Like shut your business down causes you immediate impact. If it was a banking Trojan that was,
you know was stealing your
credit card number when you logged into a website or when you went to go purchase something,
you don't feel that impact right away. You feel that impact shortly after when someone buys
something and maybe you have to get your money returned or maybe you're actually out the money,
but it's a different kind of impact. If you go back even further to the days of where we saw
ransom or excuse me, adware on a very frequent basis, it's much less
common now. You know, that's the same kind of nuisance. It's annoying you. It is more in your
face, but you're just basically seeing ads. You're getting pop-ups, maybe your computer's sending out
spam. It's sort of an impact that's behind the scenes. So I'd say what we're really seeing is
sort of a return to the more stealthy attacks. And in this case, one that really has the least
impact to the individual victim with a really high payoff still available for the attacker. Now, what are you all seeing
in terms of the trend lines on this? Is it business as usual for these folks? Are they
increasing or have people been able to effectively keep them out of their systems? You know, it's not
that hard to keep these miners out of your system. So if you think about how it's being delivered, and I didn't really talk about that before,
but the malware-based ones, the ones that are an executable running on your system,
they're really being installed through the exact same means as ransomware and previous
attacks, mostly through an email that you receive.
That email typically has an attachment.
The attachment might be an executable or it could be a Word document, which then runs
an executable.
But it's the same delivery mechanism that we would see for all these other threats. So from a
security perspective, the things that you're doing to prevent a ransomware infection or a
banking trojan infection, very similar to what you would do to prevent a crypto mining infiltration
into your network. But we are still seeing it happen. And we're seeing the attackers sort of
get more creative as well. Something that we looked into earlier this year were attacks against
cloud-based systems, where an organization has access to cloud-based systems where they can
spin up a virtual machine and run it for a period of time, and they just pay per minute or per hour
for their CPU time. Attackers who'd accessed their API keys were able to spin up these machines
and to do so just to run
cryptocurrency miners on them,
which can be really effective.
And it could lead to a really big bill
for the person whose API key was stolen.
But for the attacker,
they get some really powerful
virtual machines that can run
for a little while
and generate some possible currency for them.
And in those cases,
that's a much more specialized attack.
That's not just the general sort of indiscriminate attacks that we normally see installing ransomware
and now these other crypto miners. That's much more targeted at a specific organization where
you know they've got that capacity available through whoever their public cloud provider is.
Do you suppose we might see some policy moves to try to address this? I mean,
this money is going to Monero. Do you think we might
see governments around the world say, hey, we appreciate this level of privacy here, but
knock it off? You know, policies around cryptocurrencies in general have been
in flux since the original implementation and introduction of Bitcoin. Different governments
have tried to close them off. Some have done that successfully, or at least somewhat successfully. But it's really hard to put
these genies back in any kind of bottle. Because the systems are distributed, it's much harder to
sort of cut them off. There isn't a central authority that you can go to and just say,
hey, you need to really quit doing this. They have to take other actions to stop the people
who are using it in their country from doing certain things, making potentially transactions or something else illegal.
So I wouldn't expect to see a single currency like Monero targeted right away.
But I can certainly see some attempts at policy changes that might make it harder, much more likely for legitimate users who are trying to use these currencies than for the criminals, who are generally not going to pay attention to the law anyway. Just because it's illegal, they wouldn't be doing this
anyway if they were concerned about the fact that it was illegal in the first place.
No, that's a really good point. Good insight.
So two more things I'll just say on preventing your organization from being impacted by
illicit cryptocurrency mining. So generally, the way
that people find out about the fact that they have a miner on their computer is that their CPU
is running really high. Their fans are on a lot more commonly, or their computer just feels
sluggish. And I would say to anyone who is experiencing that, it might feel normal,
but it might be worth checking to see, do you have a tab open that's on a webpage,
which is using a lot of CPU time?
Maybe just close your browser and see if that goes away.
And run an antivirus scan to see if your system is infected.
Those are things that you might want to do just because you're experiencing that high CPU time.
And the other thing that especially enterprises can do is, if you don't want people mining currency inside your network, you should block the pools. So the way that the pooling system works for these miners is you have to access certain resources, certain domains,
certain URLs for those pools. Blocking access to those is a great way to sort of cut off access
to those hosts inside your network, which would prevent the miners from operating.
You might still get an infection, but they won't use the same CPU time because they won't actually
be able to report the fact that they are doing these calculations. One thing I've heard is that the miners have
been evolving their code over time, for example, to perhaps not use 100% of your CPU activity,
to try to not have those fans spin up all the time, try to stay below the radar a little bit.
Yeah, we've seen that in a couple cases. So we've seen some miners that are configured to use a much smaller portion of your
CPU, maybe 40%, which won't push you up to that level of, hey, let's overheat and kick on our
fans. And we've also seen miners that will look for a system that's not in heavy use right now.
So it'll wait until maybe your screensaver kicks on, or maybe the mouse hasn't moved for a little
while. And when that's happening, that's when they mine. And when it comes back to an active state where they know
a person's using the computer, shut the miner off so that they're not found. Because an infection
of a cryptocurrency miner that lasts for a year is much more valuable than one that gets found
out in five minutes and gets shut off because you are a little too greedy.
Our thanks to Ryan Olson from Palo Alto Networks' Unit 42 for once again joining us. The research is titled The Rise of the Cryptocurrency Miners. We'll have a link
for the show notes. You can also find it on the Unit 42 blog.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and
technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Thanks for listening.