Enslaved As Miner Against Your Will? Recent Malware Attacks May Have Your Systems Mining Crypto Without Your Knowledge
In the past few months, HLC has been noting a decided uptick in one type of malware: crypto currency mining. While our solutions have prevented these infections, the malware is often embedded into .png picture files, making it appear all the more innocuous to the user who is inadvertently infected.
Since the introduction of Bitcoin in 2009, the popularity and adoption of cryptocurrencies as an asset class has grown at a rapid pace. Once reserved for black market activity, hobbyists, mathematicians, and computer geeks, cryptocurrency is now a global topic of interest with a market capitalization of ~$400 billion, and it continues to rise as Initial Coin Offerings (ICOs) fund the development of further cryptocurrency-related projects. Unfortunately, the anonymity provided by digital currencies has quickly been abused for illegal extortion, as was the case during the various ransomware outbreaks we’ve witnessed in the last few years. As the value of cryptocurrencies has increased significantly, a new kind of threat has become mainstream and replaced ransomware extortion: cryptocurrency mining malware. Malware creators target other people’s computing power because the price of a dedicated cryptocurrency mining machine easily exceeds thousands of dollars. The emergence of cryptocurrencies that can be mined by average computers has attracted malware creators and has contributed to the widespread abuse we are witnessing globally.
What Is Crypto Mining and How Do You Get Infected?
Cryptocurrency mining is a record-keeping service that is done using computer processing power. Transactions are recorded in blockchains, which function as a public ledger. The consistency and completeness of the blockchain is maintained in an unalterable state by miners, who repeatedly verify and collect newly broadcast transactions into blocks. Cryptocurrency mining malware comes in many forms, for many different operating system and application platforms, but the common theme among all of them is threat actors leveraging the computing power of as many compromised devices as possible to maximize mining profitability. It is critically important for the malware creator that the mining malware infects as many systems as possible, in order to control a larger pool of CPU resources for mining. Let’s investigate the common malware delivery methods for cryptocurrency mining.
The WannaCry ransomware, a highly publicized malware, exploited the leaked EternalBlue and DoublePulsar vulnerabilities, and different malware groups modified it to leverage the same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue. Other vulnerabilities, such as a flaw in Oracle’s WebLogic Server (CVE-2017-10271), were also used to deliver miners onto servers at universities and research institutions. Servers are a favorite among malware creators because they offer the highest hash rate for the mathematical operations that cryptomining requires. Existing malware families like TrickBot, which is distributed via malicious spam attachments, have added a cryptocurrency miner module to their payload. Another commonly used delivery method is fake software patches for highly publicized vulnerabilities such as Spectre and Meltdown. SmokeLoader is the favored loader in these campaigns, and cryptocurrency miners have become its most commonly installed payload.
Indicators of Compromise: Identifying Infection
There are three common indicators of compromise (IoCs) on every infected victim’s device.
First, for cryptocurrency mining to occur, the malware runs background processes on the infected host that result in significant over-usage of its resources, and its performance slows down markedly as a consequence. Common symptoms are an overheating system due to constant CPU and GPU over-usage, drastic system performance degradation, and hardware malfunction. Open a resource monitor on your computer to check whether CPU usage is abnormally high; on a Mac that’s Activity Monitor, and on Windows it’s Task Manager. Worse, there is often no residual file on disk (so-called fileless malware), which makes it very difficult to detect and impossible for standard signature-based anti-malware software to catch. What is fileless malware? Just as the name suggests, fileless malware is malicious code that affects your system without leaving an installed file on the victim’s device; it is written directly into the device’s working memory, RAM. You may think a simple reboot will remove it, however, the malware code is also injected into commonly running processes such as services.exe or chrome.exe to sustain itself after each reboot.
Second, in order to mine cryptocurrency at maximum profitability, the malware must connect to a C&C (command and control) server to download the mining software and execute it without leaving a file. Most importantly, the malware must add the compromised host to a mining pool. This abnormal network traffic is a common way to confirm you’re a victim of cryptocurrency mining malware. All mining software must be able to connect to either the cryptocurrency network or a mining pool to exchange data, in other words to submit its proof-of-work. Without this connection, it cannot get the data it needs to generate hashes, rendering it useless. Malware creators will also add network rules to block the ports associated with the exploited vulnerability, closing the proverbial door behind them against other potential attacks. This is done to keep the infected system to themselves and close it off to any other malware targeting the same vulnerability. Malware creators are not only mischievous, but apparently greedy.
Third, websites have become the biggest culprits of cryptocurrency mining campaigns, specifically Coinhive and its derivatives. Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on websites. The code uses the computing power of any browser that visits the site in question, enlisting the machine to mine cryptocurrency. Coinhive is pitched as a way for website owners to earn an income without running intrusive or annoying advertisements. However, Coinhive’s code has emerged as the top malware threat because it is also installed on compromised websites. If you browse to a particular website with no additional browser tabs and no other applications running, and notice a huge spike in CPU usage while on that website, then it is likely running a cryptocurrency mining campaign such as Coinhive, unbeknownst to its visitors. Commonly, cryptocurrency mining malware will also automate and force visits to such websites in foreground and background browser tabs to generate cryptocurrency revenue.
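As an added example that is not part of the original article, the following Python combines the first two indicators above, sustained CPU over-usage and outbound network connections from the same process, into a simple host triage. The process samples, connection table, allowlist and internal address ranges are all constructed assumptions, not data from any real incident.

```python
"""Heuristic triage for the two host-level indicators the text describes: sustained
CPU over-usage by a process and outbound connections from that same process.
All snapshot data is constructed; IPs come from the 203.0.113.0/24 and
198.51.100.0/24 documentation ranges."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed CPU samples, polled once per interval: (interval, pid, name, cpu_percent)
CPU_SAMPLES = [
    (0, 1204, "services.exe", 1.5),  (1, 1204, "services.exe", 92.0),
    (2, 1204, "services.exe", 95.5), (3, 1204, "services.exe", 97.1),
    (0, 2210, "chrome.exe", 15.0),   (1, 2210, "chrome.exe", 88.0),
    (2, 2210, "chrome.exe", 91.0),   (3, 2210, "chrome.exe", 89.5),
    (0, 5100, "indexer.exe", 85.0),  (1, 5100, "indexer.exe", 4.0),
    (2, 5100, "indexer.exe", 3.0),   (3, 5100, "indexer.exe", 2.0),
    (0, 4400, "outlook.exe", 2.0),   (1, 4400, "outlook.exe", 3.5),
    (2, 4400, "outlook.exe", 2.5),   (3, 4400, "outlook.exe", 2.0),
]

# Constructed connection table: (pid, remote_ip, remote_port, state)
CONNECTIONS = [
    (1204, "203.0.113.45", 3333, "ESTABLISHED"),  # unknown external host
    (2210, "198.51.100.10", 443, "ESTABLISHED"),  # allowlisted corporate proxy
    (4400, "203.0.113.9", 443, "ESTABLISHED"),    # unknown host, but CPU is low
    (1204, "10.0.0.5", 445, "ESTABLISHED"),       # internal, ignored
]

# Assumptions: known-good external destinations and this site's internal ranges.
ALLOWLIST = {"198.51.100.10"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sustained_high_cpu(samples, threshold=80.0, min_consecutive=3):
    """Return {pid: name} for processes at or above threshold in at least
    min_consecutive consecutive intervals. One spike (indexer.exe) is not enough."""
    by_pid, names = defaultdict(list), {}
    for interval, pid, name, cpu in samples:
        by_pid[pid].append((interval, cpu))
        names[pid] = name
    flagged = {}
    for pid, readings in by_pid.items():
        run = best = 0
        for _, cpu in sorted(readings):      # walk the intervals in order
            run = run + 1 if cpu >= threshold else 0
            best = max(best, run)
        if best >= min_consecutive:
            flagged[pid] = names[pid]
    return flagged


def unexpected_outbound(connections, allowlist=ALLOWLIST):
    """Return {pid: [(ip, port), ...]} for established connections to hosts that
    are neither allowlisted nor inside the internal ranges."""
    result = defaultdict(list)
    for pid, ip, port, state in connections:
        if state != "ESTABLISHED" or ip in allowlist:
            continue
        if any(ip_address(ip) in net for net in INTERNAL_NETS):
            continue
        result[pid].append((ip, port))
    return dict(result)


def triage(samples=CPU_SAMPLES, connections=CONNECTIONS):
    """'high': sustained CPU plus unexpected outbound traffic (the miner/pool pattern).
    'review': sustained CPU only, e.g. a browser running in-page mining or a heavy but legitimate task."""
    hot, outbound = sustained_high_cpu(samples), unexpected_outbound(connections)
    return [{"pid": pid, "name": name, "remotes": outbound.get(pid, []),
             "severity": "high" if outbound.get(pid) else "review"}
            for pid, name in sorted(hot.items())]


if __name__ == "__main__":
    for f in triage():
        print(f"[{f['severity']:>6}] pid={f['pid']} {f['name']} remotes={f['remotes']}")
```

On the constructed data, services.exe is rated high (sustained CPU plus a connection to an unknown external host), chrome.exe is marked for review, and the one-off spike from indexer.exe is ignored.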
By now, you’ve learned that cryptocurrency mining malware is something you want to avoid. How do you avoid infection? And what should you do upon learning you’re infected?
You didn’t think you would make it through this article without yet another reference to common sense, right? As previously described, the numerous delivery methods for cryptocurrency mining malware center around careless mistakes such as installing trojanized mobile apps via your app store of choice (Apple App Store or Google Play), opening a malicious attachment, or browsing to a website with malicious code installed. Since no one reading this is going to be happy with the gratuitous common-sense takeaway, here are some other simple steps to take if you’d like additional protection to ward off pesky cryptocurrency mining malware:
First, avoid mobile apps with few or no app reviews. Apple has an extensive mobile app review process, but trojanized apps still find a way through it, as we saw with the XcodeGhost malware that was installed in over 4,000 mobile apps. Review the mobile app developer’s logo and profile to confirm that the app you’re about to download is not merely a copy of a legitimate app with malware added by a malicious actor. This practice is more prevalent on Google Play because of the open-source policy and developer freedom that Android practices, which results in less oversight of mobile app distribution.
Second, install a trusted browser extension to detect Coinhive website code. Common Chrome extensions that block Coinhive code are Miner Detector, Coin-Hive Blocker and No Coin. These blockers review a website’s code and alert the end user that Coinhive and other common cryptocurrency mining code has been detected and blocked. As with malicious mobile apps, ensure that the browser extension you are installing is not a knock-off of a trusted extension, because malware creators are always looking for any method to get you to make that careless mistake.
Third, while your standard anti-virus software is rendered useless against fileless cryptocurrency mining malware, it can still block the network traffic needed to participate in a cryptocurrency mining pool. Large anti-virus companies have the scalable resources to identify and research cryptocurrency mining campaigns and thus constantly update their host firewall rules to ensure that network traffic to the aforementioned command and control and mining servers is blocked. This feature eliminates the need for users to tediously monitor cryptocurrency mining pools and update their hosts file to redirect network traffic destined for those C&C servers.
As we’ve discussed, cryptocurrency mining malware has gone mainstream and will only continue to increase in deployment and proliferation, thanks in large part to cryptocurrencies’ values and the inability to detect it confidently. As we face this increasing threat, we must remain vigilant in the proactive steps we take to avoid and remediate cryptocurrency mining malware. Those steps combine the common-sense measures discussed above with reliance on a trusted provider like HLC to help you navigate pre- and post-infection troubles. That powerful combination is necessary in the continued escalating battle against cryptocurrency mining malware and other emerging malware types.
So many different IT systems and devices, so little time for compliance. Small and medium-sized enterprises (SMEs) represent up to 99% of national economies and a huge market for IT products. The wide variety of systems in use in the SME sector makes it a breeding ground for vulnerabilities and cyberattacks. Yet so far, suitable solutions to help SMEs be compliant in information security have been lacking.
SMEs are generally budget constrained and have little time to stay on top of IT configurations and security settings. Regulators remain unsympathetic – information security is a cost of doing business. Companies that do not audit or assess their security, or cannot otherwise prove appropriate information security controls, are subject to fines and sanctions, putting their hard-earned reputations at risk. Automating the monitoring and reporting of system and device compliance can make a significant difference. It can reduce effort and increase reliability, helping SMEs meet their compliance obligations more easily and cost effectively, while reinforcing the confidence of their partners and clients.
Compliance and Security Challenges Facing SMEs
On its own, one small or medium-sized business may not have a large IT installation. IT infrastructures and security profiles, however, vary considerably from business to business. What makes one company compliant cannot simply be copied over to another company. Even 1% of noncompliance can be enough to make a company vulnerable to cyberattacks or incidents, which is why auditors are so fastidious when they check.
IT vendors do not always help matters either. Their IT products are usually destined for a wide range of uses, meaning that restrictive security settings may not be part of default configurations. Some vulnerabilities even exist right ‘out of the box’. Between new and legacy systems, there are hundreds of types of machines. According to end-user needs, there are then thousands or more possible configurations. This complexity increases yet again with combinations of cloud systems and on-premise data centers, as well as other devices used by external users and advisory networks that all need to be connected.
To compound the problem, the specialist knowledge to ensure compliance is lacking in many SMEs. Even when an SME has employees who know about compliance with industry standards and who know about information technology, there is no guarantee that all this knowledge exists in one person. Different individuals often have separate areas of expertise, leaving a gap between regulatory requirements and IT actions.
Options for Assessing and Improving Compliance
Unlike annual fire safety inspections, information security compliance is a continual activity. IT vendors constantly update the versions of their operating systems and applications, making compliance a moving target. Cybercriminals are a round-the-clock threat. Thanks to the internet, hackers from halfway across the world can threaten a company’s data center, day and night.
There are several ways that SMEs might approach their information security compliance, each with its limitations. There is unfortunately no “silver bullet”. A better solution is a program that combines different approaches, using the advantages of each one and avoiding or compensating for the limitations. Here are some primary elements:
Smart Automation, Key to Efficiency and Affordability
Vulnerability scans and checklist assessments, coupled with periodic controls assessments, stand out as the approaches with the potential for covering the most compliance at the least cost. This is largely due to the possibilities of automating them and the extensive databases of information available for use with them. What cannot be automated will need to be accomplished manually. Examples include penetration testing and security hardening of proprietary developments that do not feature in standard checklists. These automated and manual procedures should also be integrated into a larger information security program for prevention and remediation of IT security threats and incidents, with end user security awareness training, endpoint protection, firewalls, SIEM, intrusion detection systems, and other measures as appropriate.
As well as offering wide coverage for compliance and the software audit trails to prove it, there is another advantage to automated solutions. They force hackers and cybercriminals to ‘up their game’ or to seek another easier target. In many cases, attackers choose the second option, preferring not to waste time attacking an organization that has already extensively checked and corrected vulnerability and compliance issues. Automated checking can also be extended across onsite and in-cloud systems, as well as mobile computing devices such as smartphones, tablets, and laptops. In addition, automated solutions may offer benchmarking to show how an organization’s security posture compares with the rest of the industry. Good posture makes for good public relations. This can help improve the organization’s corporate image as being secure and responsible in matters of information and data protection and privacy.
For SMEs or other organizations with limited technical expertise in-house, an automated solution for information security compliance must also offer suitable user-friendliness. Administrators or users should be able to see the security and compliance status of their company at a glance, for example, via an intuitive dashboard. They should also be able to easily achieve optimal security settings across systems and devices, independently of their location. Continually monitoring configurations, the solution must also immediately alert users or management to changes in configuration, especially those that result in non-compliance. Additional functionality such as checking that necessary security scans are being done regularly and verification of disk data encryption can also contribute to a well-rounded view for an SME of its security and compliance posture.
Responsibilities and Results
While smart software can go a long way to help ensure compliance and security, the organization and its users always retain the final responsibility. An automated solution can find issues, flag them, and even suggest ways to remediate them. Users then make or authorize suitable changes. A software solution does not in itself guarantee compliance, although it can provide valuable records of compliance settings and changes.
Nonetheless, all enterprises and organizations, and SMEs especially, can take advantage of such a solution for faster, better, more affordable compliance and security checking. By leveraging vendor and government checklist data and monitoring IT security essentials effortlessly via a suitable software application, they can meet requirements of auditors and regulators and significantly reduce the risks of IT system and network attacks.
Not In Compliance With NYDFS’s Cybersecurity Regulations? Helpful Guidance From HLC On What To Do Now.
You have been busy. Your company has clients to service and business to win. Maybe you were vaguely aware of the New York State Department of Financial Services’ (“NYSDFS”) cybersecurity regulation that went into effect last March but now the deadline has passed for filing the cybersecurity annual certification and you did not submit. Not only that, but maybe you didn’t do anything to comply. Of course, there is also the reminder you recently received from New York State underscoring your non-compliance….
The first step is obvious: deflect blame. Target prospects include anyone from your organization, your vendors, politicians, lawyers (obligatory), and New York State itself.
If you have already received the notice, then it is likely that you need to comply. There has been some confusion about the need for individuals to comply versus firms, since the requirements apply to both. Covered companies may comply on behalf of affiliates, subsidiaries, employees, and contracted individuals (e.g., registered representatives) but may not comply on behalf of third party providers that are entities. This means that third party providers who are regulated by NYSDFS may still be subject to the regulations even if they have employees who are in compliance through the information security program of another Covered Entity.
Another important point to remember is that it does not matter if you are located out of state. If your firm must register with the NYSDFS to conduct covered businesses within New York, then you must comply with the regulations.
Is My Business Partially Exempt?
After you have determined that you are subject to the regulation, the next question you need to ask is whether you are eligible to file for a partial exemption (which you may also be delinquent on…sorry). If you are, then you only must comply with the major requirements indicated by the red boxes below. If you are not, then red and blue are your colors.
Partial exemptions are available if your firm: (i) has fewer than ten employees and contractors; (ii) has less than $5mm in gross annual revenues; (iii) has less than $10mm in year-end total assets; OR (iv) effectively has nothing to do with Nonpublic Information, as defined in the regulations.
If you know you are covered by the law, qualify for an exemption and have not filed, then you should do so now. Log in here:
https://myportal.dfs.ny.gov/web/cybersecurity and file now…I’ll wait.
Whether or not you are exempt, the next step is to start to comply, and the first step there is to get an information security risk assessment done. This is not a DIY project unless you have in-house information security professionals. You should hire an experienced cyber security assessment firm to assist. In addition, if you are not partially exempt, you will need to ensure that a vulnerability scan and penetration test are done on your systems. Even if you are partially exempt, you should perform vulnerability scanning and penetration testing anyway, as it is an industry best practice for any information security program.
The risk assessment is generally the first step towards assessing where your gaps are and a security program, if not in place already, is best to flow from the results of a risk assessment. The assessor should also provide your firm with a prioritization map to facilitate your response. In addition, a qualified third party information security risk assessor should be able to provide your firm with direction as to how it can address the gaps identified, including those specifically required by New York’s regulations.
While a risk assessment is in process, you should also assess (or compile) your policies and procedures since this process will require your active engagement from the beginning. Do not simply adopt off the shelf information security policies and procedures without fully understanding how they will apply within your organization. The regulations require that your policies be based on the findings from the risk assessment, so if your firm just adopts form policies without any review or customization, it is effectively documenting non-compliance with the regulation. Again, you should consult experienced third parties with regards to crafting such policies.
The areas that your policies will need to cover include:
Once you have established your course of action as set forth above, you should reach out to NYSDFS and advise that your compliance certification will be delayed but you are taking the above actions (excepting blame deflection) to correct.
Having managed to correct this one lapse, make sure to keep an eye on the forthcoming regulatory timelines. Implementation of controls respecting audit trails, data retention, data encryption, application security and user monitoring is required by September 3rd of this year. By March of next year, covered firms will need to certify that they have implemented a Vendor Risk Management program.
In February 2015, HLC’s “The Convergence of AML and Cybersecurity” post noted “customer activity that may be a possible basis for a Suspicious Activity Report (SAR) should also be viewed as a potential information security breach…similarly, a detected cybersecurity breach may be the first indicator of a financial crime.”
Last week, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released its third cybersecurity National Examination Program Risk Alert (the “September Alert”) inside of eighteen months, heralding a second round of cybersecurity sweeps and greater general examination focus on the issue.
On February 2nd, the SEC, FINRA and the North American Securities Administrators Association (NASAA) all released cybersecurity reports and alerts.
As in past years, the SEC and FINRA (as well as other regulators) released their examination priorities for 2015 in early January. Compliance and legal professionals can now pore over the language of these priorities to assess where their firms need to focus in the coming year. While there may be more than one candidate for top honors, cybersecurity has emerged as an area that will receive increased scrutiny from regulators in the year ahead.
In late June, BAE Systems revealed that it had stopped an ongoing cybercrime whereby cybercriminals had installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers.
As the General Counsel for a then fledgling exchange, Direct Edge, at the end of 2010, I was not completely prepared for the level of regulatory scrutiny that the Securities and Exchange Commission’s office of Automation Review Procedure (ARP) would dedicate to our information security program following the discovery that hackers had infiltrated Nasdaq’s Directors Desk systems and were spying on the confidential communications of public company directors over a prolonged period.