The cybersecurity underground is not stagnant. Attackers are continuously innovating to find new ways to make money and exploit any weaknesses available.
When we released the Black Market Report in March, the Armor Threat Resistance Unit (TRU) research team revealed the varying costs of personal data in the underground, as well as the thriving market for cybercrime-as-a-service. Throughout the first half of 2018 though, other trends have emerged. Most notably, the increasing interest attackers have in Internet-of-Things (IoT) devices and the explosion of cryptomining by threat actors.
Going after IoT
The power of IoT to enhance business operations and the experience of consumers is well known, so it should come as little surprise that attackers continue to look to exploiting these devices for their personal gain as well. The last several years have seen multiple examples of IoT botnets rise into prominence. The Mirai botnet, for example, was used in 2016 to launch powerful distributed denial-of-service (DDoS) attacks on a number of targets, shutting down popular websites such as Netflix, Twitter and Reddit. In that instance, the botnet was built using network devices such as routers and IP cameras.
In May, the FBI advised the public to reboot their routers in response to evidence that a group was using malware dubbed VPNFilter to engage in a worldwide campaign of exploitation targeting a variety of infrastructure devices from routers to firewalls to network-based intrusion detection systems. The goal of the attackers is unknown, though according to Cisco’s Talos research team, the VPNFilter malware contains components that allow for website credential theft and the monitoring of Modbus SCADA protocols. When the botnet’s existence was reported in May, it was believed to include at least 500,000 devices.
The number is large, but IoT often makes for an easy target. Many IoT devices are not created with cybersecurity in mind and include coding errors, or things such as guessable passwords providing a backdoor. In addition, some IoT devices run on their own proprietary OS not supported by antivirus tools. In certain industries, such as healthcare, attacks on connected devices such as infusion pumps and life support equipment can mean more than just downtime – it can potentially be a matter of life or death.
The rise of cryptomining
When it comes to cryptomining, the general public’s interest in cryptocurrencies driven by the sharp rise in cryptocurrency prices has led to a shift in focus from attackers. Gone are the days when Bitcoin was just something attackers used to pay one another. Now, it and other cryptocurrencies have become the end goal of hackers looking for new sources of income. Detected scanning activity over the last 6 months has indicated a noticeable shift from a broad spectrum of port scanning with a focus on remote access to attackers specifically looking for cryptocurrency client apps and their associated wallets ripe for the taking.
Occurring in parallel with wide spread crypto wallet and cryptocurrency exchange heists, cryptomining malware events and browser exploits have exploded in frequency as well. In and of itself, cryptomining is not illegal, in fact many companies turned to cryptomining scripts embedded in their web pages as a replacement for ad revenue lost to ad blockers. When it is performed by injected scripts or malware distributed via malicious tradecraft, however, it represents a form of resource hijacking that hinders and in some cases halts system performance. . In January for example, researchers at Trend Micro reported an attack campaign that leveraged Google’s DoubleClick ad network to serve cryptocurrency miners to web users in France, Spain, and other countries. The malicious ads were blocked once they were identified.
As always, part of staying safe requires staying vigilant and understanding the changing threat landscape. As the amount of connected devices becomes more prevalent, it is critical for organizations to know what devices they are employing, their primary function and how the operation of those devices impacts security and the rest of the network. Strict access controls and network segmentation are important pieces of the strategy for securing these devices. Networked IoT devices should be isolated to their vLANS and set up to allow only necessary communications. If the devices need to communicate over the internet, their communications should be protected by a firewall and monitored for anomalies.
Another critical part of protecting IoT devices is to keep up-to-date. If possible perform manual updates by directly interacting with the device from a single-function device, such as a laptop that is only used for performing IoT updates and never connects to the internet. If it is not feasible to manually update, don’t allow the devices to pull updates from the internet. Instead, download the updates and scan them for viruses on isolated devices before pushing them to devices over the network or adding them to an internal, centralized, secured repository that devices are configured to get updates from.
Crypto miners delivered by threat actors will often be noisy, in the sense that they will trigger alerts due to their unusual resource utilization. Most attackers focus on quantity over quality, meaning they will use an automated tool to identify as many vulnerable internet-connected devices as possible to drop crypto miners on. The threat actors who take the extra time to configure their crypto miners to operate under the radar are more difficult to detect. However, in either case, the one thing that all crypto miners do is communicate with mining pools, which allow crypto-mining machines to pool their resources in order to mine faster. Organizations that do not want mining on their networks can monitor and block DNS resolutions for known crypto-mining pools. Since many mining pools are behind content delivery networks, preventing organizations from seeing the actual IP address of the mining pool server, blocking the domains is more effective than focusing on blocking IP addresses.
At the host level, many antiviruses will detect and respond to known crypto miner executable files, so keep antivirus solutions up-to-date. Using the principle of least privilege to control the installation of applications can also prevent the download of crypto miners. When it comes to browsers being exploited, browser vendors are taking steps to help users detect browser exploits using domain reputation, and browser extensions/plug-ins that detect script activity.
Smart security is driven by threat intelligence, and at Armor, we will continue to keep track of the activities in the cyber underground.