Threat Brief: Drive-by Mining – Adapting an Old Attack to Mine Cryptocurrencies

On January 2, 2017, one Bitcoin was worth US $985.56.

By October 16, 2017, that same Bitcoin was worth US $5,707.40: a 579% increase in value in ten and a half months.

By comparison, Ethereum has gone from US $8.15 per ether on January 2, 2017 to US $342.83 per ether on October 16, 2017: a jump of 4,206%.

Cryptocurrencies are big money these days and seemingly getting bigger by the day.

And if we’ve learned one thing about cybercriminals, it’s that they follow the money.

So, it’s not surprising to see that cybercrime is turning its attention to cryptocurrencies.

In our latest research, “Unauthorized Coin Mining in the Browser”, Unit 42 researchers show how cybercriminals have taken an old tactic, hijacking web browsers without the user’s consent or knowledge (commonly called a “drive-by attack”), and adapted it to make money in the increasingly lucrative cryptocurrency markets.

Previously, drive-by attacks focused on abusing a browser’s legitimate download capabilities to download malware onto the victim’s system without their consent or knowledge. These new drive-by attacks focus on hijacking the computational resources of the victim’s computer to “mine” cryptocurrency on behalf of the attackers.

The focus of these attacks is to use the victim’s web browser to access the computational resources of their system. The attackers accomplish this by abusing a legitimate tool: they place it on malicious or compromised websites and run it in the victim’s browser, without his or her consent or knowledge, when they visit the site. The tool is designed to “mine” cryptocurrencies, that is, it earns credit in the cryptocurrency in exchange for computing power that is used to power the cryptocurrency’s digital infrastructure. This tool has a legitimate use: sites can and do notify users that they’re using the site visitors’ resources in this way to support the site, typically as a substitute for ads on the site. But in this case, the attacker gets the credit that the victim’s computational resources earn, without the visitor’s consent or knowledge, making it a malicious attack.

Put simply, the net result is that the victim’s computer slows down (sometimes significantly) while on the malicious or compromised website. And while the computer is impacted like this, the attacker is earning money. The attacker steals the victim’s computing resources and translates them into a cryptocurrency like Bitcoin.

This new kind of attack tells us that at least some cybercriminals are starting to view the theft of victims’ computing power, converted into cryptocurrency, as a better business proposition than the traditional practice of loading malware onto the victim’s system through drive-by downloads.

And our research shows that this isn’t an isolated event. Our researchers analyzed over 1,000 sites, and what they found was very telling.

  1. According to Alexa, 5 of these sites ranked in the top 2K sites, 29 sites in the top 10K and 155 sites in the top 1 million.
  2. While many of these sites can be dated back to 2013, the number of sites held steady until October 2017, when 502 (63%) of these domains sprang up suddenly.
  3. We found these malicious and compromised sites resolved to 47 different countries, with the majority being in the United States.
  4. The greatest number of victims we could identify came from the Eastern United States, with the Western United States in second. Europe and Asia Pacific came in third and fourth respectively.
  5. In terms of the domains where we found these malicious and compromised sites, .download and .bid domains accounted for the majority, comprising more than 35% of these sites. .com and .review tied for third with 13% of the sites each.

The good news is that these attacks are more like denial of service attacks: they don’t do lasting harm to your system and they end when you leave the site.

The bad news is that these are harder to defend against than typical drive-by download attacks. Where drive-by download attacks usually exploit unpatched vulnerabilities, the root of these attacks is that they abuse otherwise legitimate functionality: you can’t prevent them by being fully patched.

Security products that take a comprehensive, layered approach can help prevent these attacks. And if you think your system is being affected by one of these attacks, you can, in most cases, end the attack by either leaving the site or closing the browser.

Most of all, this latest development shows how a changing economic landscape in turn changes the cybercrime landscape. Loading malware through drive-by downloads is so 2012: in 2017 it’s about drive-by mining attacks to earn cryptocurrencies.

[Palo Alto Networks Research Center]

Shining a Light on Shadow IT

Cisco: 15 to 25 times the number of known cloud services are purchased by employees without IT involvement.

These are just two examples of the quiet, but pervasive, existence of shadow IT in enterprises today. Although the name “shadow IT” sounds like something that might appear in an espionage novel, it is very real and very alarming, as we discovered in gathering material to write ISACA’s new white paper, Shadow IT Primer. We interviewed business and technology professionals whose responsibilities include IT operations, audit and security, and who deal with shadow IT on a regular basis. Their insights and real-world examples give the ISACA publication a perspective that is not reflected in other articles on the topic.

Shadow IT can be defined as applications and services that are used within an enterprise without having been reviewed, tested, approved, implemented or secured by the enterprise’s IT and/or information security function. Or, as one of the professionals interviewed put it: If you want to know what specific and timely functionality employees need but your enterprise is not currently providing, take a look at the shadow IT discovered in your business.

Employees are at the heart of shadow IT – well-meaning, innovative employees. They want to do a good job but are hindered by a lack (or lack of awareness) of the tools they need to do so. They are drawn to shadow IT’s usefulness, which they can generally acquire and start using in minutes by skipping the IT department’s vetting process.

This seems fairly innocuous, so why do enterprises care about shadow IT? Because those applications can enable significant data breaches, which may result in substantial financial loss. In addition to the obvious security risk, the threats associated with shadow IT include regulatory noncompliance, inadequate or unenforced policies, and reputational damage.

Many organizations have found that a range of approaches to address the risk is more effective than a single solution. A few of the controls used by the professionals interviewed for ISACA’s publication include:

  • A shadow IT policy that outlines expected behaviors
  • Transitioning the IT department from detection and punishment to acceptance and protection
  • Using IT budgeting and procurement controls to shut down unapproved purchases
  • Restricting users’ ability to freely install applications
  • Educating users about the potential risk of shadow IT and the existence of an approval process

In ISACA’s white paper, these controls, and others, are fleshed out with implementation criteria and assessment methods.

Control does not necessarily equate to elimination of risk. In fact, many organizations are taking an “embrace” rather than “eliminate” approach to shadow IT. Of course, sometimes it is necessary to pull the plug. No matter how beneficial an application may appear, if it shows potential to harm the enterprise, it must be shut down immediately. The risk is too great to do otherwise.

But, even in an “eliminate” situation, there is room to “embrace” as well. A progressive approach entails realizing that, although a particular application needs to be dismantled, there is benefit in considering the problem the application is attempting to solve and empowering the IT function to find or build a safe and secure replacement – right away.

It is reasonable to assume that every enterprise contains shadow IT, given the ease and relative affordability of acquiring it, coupled with employees’ desire to fill needs or leverage opportunities with minimal delay. Savvy enterprises recognize this and mine the potential benefits, while managing the associated risk.

Jane Seago, Business Writer, and Terry Trsar, Business Consultant

[ISACA Now Blog]
