When we summed up the results of 2017 and made a forecast for the following year, we predicted that cryptolockers (ransomware), which blossomed in 2017, would fade away and that a new, sophisticated cyberthreat – cryptocurrency miners – would take their place. Our latest research shows that the miners have not only “lived up to expectations” but have reached a new level.
In the past six months alone, cybercriminals have earned more than $7 million by deploying mining software. Below we explain how miners operate on users’ computers, why they have become a major cyberthreat (especially for businesses), and how to protect yourself from them.
The heyday of mining
In 2017, as bitcoin and altcoins (alternative cryptocurrencies to bitcoin) rose hundreds of times in value compared with previous years, it became obvious that owning tokens (which can be converted into real money) is highly profitable. Especially attractive is the fact that, unlike real money, anyone can issue digital currency themselves by extending the blockchain with mathematical calculations and being rewarded for it (you can learn more about how the blockchain works here).
According to the rules of mining pools, more tokens go to whoever performs more calculations. The one problem cryptocurrency mining has to solve is that the more calculations you want to perform, the more processing power you need and the more expensive the electricity you consume.
That is where cybercriminals, whose main goal is to make money using Internet technology, seized on the idea of mining with the processing power of other people’s computers: one or more machines perform the necessary calculations while their owners or administrators remain unaware of it for as long as possible. For obvious reasons, cybercriminals especially like to use large corporate networks of hundreds of computers for this purpose.
It is an idea they are pursuing with increasing success. By now, more than 2.7 million users around the world have been attacked by “malicious miners” – more than 1.5 times the number in 2016 – and the number continues to grow. We describe the technologies used by attackers below.
The Hidden Threat
The first method bears all the hallmarks of the techniques used in advanced persistent threat (APT) attacks, which cybercriminals until recently used extensively for large-scale ransomware campaigns. Now the same techniques – such as attacks using the infamous EternalBlue exploit – are used to distribute hidden miners.
Another way to install a hidden miner on a user’s computer is to convince the user to download the dropper themselves; the dropper then downloads the miner. Usually the user is lured into downloading the dropper because it is disguised as an advertisement or a free version of a paid product, or through phishing.
Once downloaded, the dropper launches on the computer and installs the actual miner along with a special utility that masks the miner in the system. Services can be bundled with the program to ensure it starts automatically and to tune its operation: for example, they can decide how much computing power the miner may use, depending on what other programs are running, so as not to slow down the system or make the user suspicious.
Another function of these services is to prevent the user from stopping the miner. If the user detects it and tries to disable it, the computer simply restarts, and after the restart the miner continues to run. Interestingly, most hidden miners rely on the code of regular, perfectly legitimate miners, which makes them even harder to detect.
There is another way to mine tokens illegally: web mining, or browser mining. It works when a website administrator embeds a mining script that starts running when a visitor opens the site. The same can also be done by an intruder who somehow gains access to the site’s administration. While the user is on the site, their computer works on building blocks, and the person who installed the script profits.
How can businesses protect their devices from miners?
Thanks to sophisticated attack techniques and the difficulty of detection, cybercriminals have been able to build real botnets of victim computers and use them for hidden mining. Naturally, a business infrastructure with a lot of processing power is a tempting target for criminals, so your business devices are also at risk. We therefore recommend the following measures to protect your business:
- Install security solutions on all computers and servers in use so that attackers have no chance to settle inside your infrastructure;
- regularly audit your corporate network for anomalies;
- periodically review your task scheduler, which attackers may use to launch malicious processes;
- pay attention to highly specialized devices such as electronic queue boards, POS terminals, and even vending machines. As the story of the EternalBlue exploit miner shows, all of this equipment can potentially earn cryptocurrency for someone while consuming a lot of electricity;
- use Default Deny mode on highly specialized devices to protect them not only from miners but from many other threats as well. Default Deny mode can be set up with the help of our Kaspersky Endpoint Security for Business solution.
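The following PowerShell script is an added example for the audit steps above; it is not part of the Kaspersky post or of any Kaspersky product. It walks the three autorun and execution locations the post mentions hidden miners using (scheduled tasks, services, and running processes) and flags entries whose command line matches indicators typical of CPU-miner software. The indicator patterns (the stratum mining-pool URL scheme, common open-source miner argument names and binary names, and execution from user-writable directories) are heuristics chosen for this example and should be tuned to your environment; a match is a lead for a human to check, not a verdict. Note that CPU load alone is deliberately not used as an indicator, because, as the post describes, hidden miners throttle themselves when other programs are running.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post): audit scheduled tasks, services and
# processes for command lines that look like cryptocurrency miners.
# All patterns below are heuristics assumed for this example.

# "stratum" is the protocol miner software uses to talk to a mining pool;
# the argument and binary names are typical of the legitimate open-source
# miners whose code the post says hidden miners reuse.
$MinerPatterns = @(
    'stratum\+(tcp|ssl)://',
    '(^|\s)--?(donate-level|max-cpu-usage|cpu-max-threads-hint|algo|coin|nicehash)\b',
    '(^|\s)-o\s+\S+:\d{4,5}\b',                  # "-o pool.example:3333" style pool argument
    '\b(xmrig|minerd|cpuminer|ethminer)(\.exe)?\b'
)
# Directories a normal service or task rarely runs from, but droppers often do.
$UserWritablePaths = '\\(AppData|Temp|ProgramData|Users\\Public|\$Recycle\.Bin)\\'

function Test-MinerIndicators {
    # Returns the list of indicator names that match a command line (empty if none).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return @() }
    $hits = @()
    foreach ($pattern in $MinerPatterns) {
        if ($CommandLine -imatch $pattern) { $hits += "pattern:$pattern" }
    }
    if ($CommandLine -imatch $UserWritablePaths) { $hits += 'user-writable-path' }
    return $hits
}

function Add-Finding {
    param($List, [string]$Source, [string]$Name, [string]$RunAs, [string]$Command, $Hits)
    $List.Add([pscustomobject]@{
        Source     = $Source
        Name       = $Name
        RunAs      = $RunAs
        Command    = $Command
        Indicators = ($Hits -join ', ')
    })
}

$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. Task Scheduler: the post recommends reviewing it periodically because
#    attackers use it to launch malicious processes.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # skip COM-handler actions
        $cmd  = "$($action.Execute) $($action.Arguments)".Trim()
        $hits = Test-MinerIndicators $cmd
        if ($hits) {
            Add-Finding $findings 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" `
                $task.Principal.UserId $cmd $hits
        }
    }
}

# 2. Services: the post describes services bundled with the miner for autorun
#    and for restarting it if the user tries to stop it.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $hits = Test-MinerIndicators $svc.PathName
    if ($hits) {
        Add-Finding $findings 'Service' $svc.Name $svc.StartName $svc.PathName $hits
    }
}

# 3. Running processes: catches a miner that is already executing regardless
#    of how it was started.
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    $hits = Test-MinerIndicators $proc.CommandLine
    if ($hits) {
        $owner = (Invoke-CimMethod -InputObject $proc -MethodName GetOwner).User
        Add-Finding $findings 'Process' "$($proc.Name) (PID $($proc.ProcessId))" `
            $owner $proc.CommandLine $hits
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No miner indicators found in scheduled tasks, services or processes.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    # Keep a record for the periodic audit trail recommended in the post.
    $findings | Export-Csv -Path "$env:TEMP\miner-audit-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
}
```

Run it from an elevated PowerShell session on each host (or push it through your existing remote-management tooling) and compare the CSV from one audit with the next: a task, service or process that appears between audits and runs from a user-writable path is exactly the kind of anomaly the network audit step above is meant to surface.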