Threat Brief: What’s Driving the Shift to Cryptocurrency Mining Malware?

Over the past six months, we’ve seen a major increase in the number of attack campaigns with the ultimate goal of mining cryptocurrency. It’s a subject Unit 42 has been tracking over the past year.

So, what is driving a widespread shift from attackers and creating a significant trend in the industry? There are three factors at work:

  • The price of many cryptocurrencies has increased dramatically in the last 12 months, making it more profitable to mine coins compared to other criminal business models.
  • The risk of using a compromised PC to mine cryptocurrency is currently much lower than using it for other criminal activities.
  • One particular cryptocurrency, Monero, provides its users with very high privacy and can be mined efficiently on a regular desktop or laptop PC. These properties are not true of other cryptocurrencies, like bitcoin.

To answer the question in more detail, it’s important to put yourself into the criminal’s shoes and consider what alternative routes they have to monetize infections. In this brief, we’ll share how this trend came to fruition, why it’s so prevalent, and how security professionals and defenders can keep an eye out for this rising type of threat.

How Attacks Monetize Infections

While targeted attacks gain the most attention from researchers and media, the majority of malware infections are untargeted and even indiscriminate. Instead of seeking out specific targets, many criminals aim to infect as many systems as possible and then turn those infections into cash. This has been true for over a decade, although the mechanisms available to criminals have shifted in that time.

To understand where we are now, it helps to look at how we got here, and to look at the evolution of common cybercriminal activities.

Back in the early 2000s, some of the earliest “botnet herders” made their income by relaying spam emails through infected computers. Over time, that business became less profitable due to anti-spam controls and ISPs preventing infected systems from directly relaying emails.

In the mid-2000s, criminals made great profits from using Banking Trojans to steal credentials for online banking websites, and subsequently draining the accounts’ associated funds. This account takeover activity continues today, but various anti-fraud measures and law enforcement actions have made it less profitable and riskier for criminals.

Another aspect of Banking Trojan infections is that, while the criminal may be infecting hosts indiscriminately, the value of the host greatly depends on the individual who owns it, and the criminals’ ability to “cash out” their bank account. Figure 1 is a capture from a book I wrote with some colleagues in 2008, “Cyber Fraud: Tactics, Techniques, and Procedures.” It shows the price that a criminal enterprise called IFRAME DOLLARS was charging to infect computers in various countries at that time.

Figure 1: Capture from Cyber Fraud: Tactics, Techniques, and Procedures showing prices of host infections by country.

In 2007, the infection of a system in Australia went for US$0.60, while an infection in Poland was only a fraction of the cost, at US$0.096. The difference in price represented the difference in value: criminals were able to make more money through a Banking Trojan account takeover from an Australian infection than they could in Poland. This was due to many factors, but chief among them was that criminals were more successful at cashing out accounts from Australian infections than they were from systems in other parts of the world.

As anti-fraud protections evolved, so did the criminals. Fast forward five years to 2013 and the rise of the Ransomware business model. This new way to generate profit had two major advantages over account takeovers:

  • Every system that is infected can be held for ransom, not just those belonging to users who also happen to bank online and have their credentials stolen.
  • Payments using cryptocurrency (primarily bitcoin) do not require interacting with banks, decreasing the risk and cost for cybercriminals of cashing out.

Put another way, the ransomware model represented both increased efficiency and decreased risk in monetizing the infection.

Anyone who’s been paying attention to cybercrime since 2013 is aware of the ransomware surge, infecting systems throughout the world and plaguing network administrators. While only a tiny fraction (possibly 1 in 1000) of systems infected with a banking Trojan pay out for attackers, a much higher portion of ransomware victims pay to get their files back. While US$300 payments are less than a single account takeover could return, ransomware makes greater returns due to the volume and decreased risk in this new business model. Cybercriminals have become good business people: they saw the benefits and embraced the change.

Enter “The Bubble” – Where We Are Now

In the last two years, but particularly in the last six months, the price of bitcoin and other cryptocurrencies has surged massively against the U.S. dollar and other fiat currencies. Here’s the chart for bitcoin over the last two years, showing a rise of 2,000% to 4,000% versus the U.S. dollar.

Figure 2: Price of bitcoin in U.S. dollars from CoinMarketCap

While botnets mining cryptocurrency are nothing new, the technique was much less profitable than ransomware. In fact, with the rise of specialized bitcoin mining hardware, no regular PC can make any significant amount of money for an attacker.

However, there are many other “crypto coins” in the market today. The one we see mined most by attackers is called Monero. In contrast to bitcoin, Monero was designed to enable private transactions using a closed ledger, and its mining algorithm can still be run effectively on both PC CPUs and GPUs. As the chart below shows, Monero has risen even faster than bitcoin in price in the last two years, with more than a 30,000% gain in U.S. dollars.

Figure 3: Price of Monero in U.S. dollars from CoinMarketCap

A normal PC used to mine Monero can earn around US$0.25 per day at the current prices. That number is small, but it’s important to note that it doesn’t matter what country or network a Monero miner is part of: computers in Australia and Poland mine at the same speed. Every infected system is a profit-generating resource when mining Monero, and users are much less likely to identify their infection and remove the mining program than they would be with ransomware. For context, in January, we found a Monero mining campaign that infected around 15 million systems, largely in the developing world. If these systems remained infected for at least 24 hours each, the attackers could have earned well over 3 million U.S. dollars in Monero.

Additionally, the risk of arrest and conviction is significantly lower than with ransomware, as mining cryptocurrency is less likely to generate reports to law enforcement than a data-destroying ransomware infection.

What’s Next?

This wave of attacks will continue as long as it maintains a high level of profitability with a low level of risk for cybercriminals.

For defenders, it’s important to note that the techniques used to infect systems with coin mining malware are the same as they were for ransomware. Infections typically begin with emails carrying malicious macro documents, drive-by exploit kits targeting browsers, or direct attacks on servers running vulnerable software. There is no single solution to stopping these attacks, but the same technologies and policies you use to prevent other malware infections will be effective.

Across the changing landscape of botnet herders, Banking Trojans, ransomware and coin mining is one constant: the business-savvy drive to maximize profit and reduce risk. Using these as our guide, we can make sense of where we are today, how we got here, and be prepared for what has yet to develop in the future.

Here are three things to watch for:

1. A marked increase in the price of Monero or other cryptocurrencies will draw even more attackers into this business.

For many users, this could actually be a positive development, as the negative impact of having resources sapped from one’s computer is much less than paying a ransom or restoring your system from a backup due to ransomware. Conversely, a crash in the price of cryptocurrencies will decrease the profitability and drive criminals back to ransomware.

2. Listen to your fans or keep an eye on your CPU usage.

Many users realize their system is infected with coin mining malware when their laptop fans kick into high-speed mode to keep the overtaxed CPU cool. Listening to fans won’t work at the enterprise scale, but implementing widespread CPU performance monitoring could be a good way to find compromised devices. This will also help you identify the coin mining “insider threat,” as misguided administrators may see their organizations’ unused CPU time as a way to generate personal income.

3. Criminals will find ways to target these attacks.

Compromising a user’s browser or a regular home PC will net the criminal an average system for mining coins, but higher-end systems will generate more income. Attackers will soon begin targeting devices with higher specifications to get more bang for their buck. Gaming PCs with high-end GPUs and servers with large numbers of processing cores will be prime targets.
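One way to turn the CPU-monitoring suggestion in point 2 above into a concrete check, as an added example that is not part of the original post: it scores each host on two signals over hourly utilisation samples, sustained saturation and the absence of an off-hours dip, so that a miner throttled below a naive "high CPU" threshold is still caught. Host names, business hours and the telemetry values are constructed assumptions.

```python
"""Spot coin-mining-like CPU behaviour from hourly utilisation telemetry.

Added example (not from the original post). Two signals are scored per host:
  1. saturation: nearly every sample at or above a high threshold, and
  2. no off-hours dip: the host is as busy at 03:00 as at 14:00, which a
     human-driven workstation almost never is, but a miner always is.
Host names, business hours and the sample values are constructed.
"""
from statistics import mean
from typing import Dict, List, Tuple

BUSINESS_HOURS = range(9, 18)  # assumption: 09:00-17:59 local time

# Constructed telemetry: 24 hourly CPU-utilisation samples (%) per host;
# list index == hour of day.
TELEMETRY: Dict[str, List[float]] = {
    # ordinary workstation: idle overnight, busy during the working day
    "ws-finance-01": [3, 2, 4, 3, 2, 3, 5, 8, 25, 60, 72, 55,
                      48, 66, 80, 58, 40, 22, 6, 4, 3, 2, 3, 2],
    # unthrottled miner: pegged near 100% around the clock
    "ws-eng-07": [94, 96, 97, 95, 96, 98, 97, 96, 95, 94, 97, 98,
                  96, 95, 97, 96, 98, 97, 95, 96, 97, 98, 96, 95],
    # throttled miner: flat ~55% to stay under a naive "high CPU" alert
    "ws-hr-03": [54, 56, 55, 57, 53, 55, 56, 54, 55, 57, 56, 54,
                 55, 53, 56, 55, 57, 54, 56, 55, 53, 54, 56, 55],
    # build server: legitimate bursts (nightly batch, CI runs), idle between
    "build-server-02": [12, 10, 98, 99, 97, 15, 11, 13, 45, 50, 99, 98,
                        30, 20, 18, 95, 97, 22, 14, 12, 10, 96, 98, 15],
}


def saturated_fraction(samples: List[float], high: float = 85.0) -> float:
    """Share of samples at or above the `high` utilisation threshold."""
    return sum(1 for s in samples if s >= high) / len(samples)


def longest_saturated_run(samples: List[float], high: float = 85.0) -> int:
    """Longest streak of consecutive samples at or above `high`."""
    run = best = 0
    for s in samples:
        run = run + 1 if s >= high else 0
        best = max(best, run)
    return best


def split_by_hours(samples: List[float]) -> Tuple[List[float], List[float]]:
    """Split samples into (business-hours, off-hours) by list index = hour."""
    busy = [s for h, s in enumerate(samples) if h in BUSINESS_HOURS]
    off = [s for h, s in enumerate(samples) if h not in BUSINESS_HOURS]
    return busy, off


def assess_host(samples: List[float], high: float = 85.0,
                min_fraction: float = 0.9, flat_ratio: float = 0.8,
                elevated_mean: float = 40.0) -> List[str]:
    """Return readable reasons a host looks like it is mining (empty = clean)."""
    reasons = []
    frac = saturated_fraction(samples, high)
    if frac >= min_fraction:
        reasons.append(f"saturated: {frac:.0%} of samples >= {high:.0f}%, "
                       f"longest run {longest_saturated_run(samples, high)} h")
    busy, off = split_by_hours(samples)
    # Flat-and-elevated profile: catches throttled miners that never cross
    # `high`. Servers with round-the-clock batch load need their own baseline.
    if busy and off and mean(samples) >= elevated_mean \
            and mean(off) >= flat_ratio * mean(busy):
        reasons.append(f"no off-hours dip: off-hours mean {mean(off):.0f}% "
                       f"vs business-hours mean {mean(busy):.0f}%")
    return reasons


def flag_miners(telemetry: Dict[str, List[float]]) -> Dict[str, List[str]]:
    """Map each suspicious host to its reasons; clean hosts are omitted."""
    flagged = {}
    for host, samples in telemetry.items():
        reasons = assess_host(samples)
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_miners(TELEMETRY).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data both miners are flagged while the workstation and the bursty build server are not; in practice the thresholds and the business-hours window need tuning per asset class.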

[Palo Alto Networks Research Center]

PAN-OS 8.1: New Features for the Financial Sector

Hopefully, you saw our recent announcement of PAN-OS 8.1. This blog will highlight the top three features in 8.1 that help bolster confidence and control in the growing use of the public cloud by financial institutions, and optimize the decryption infrastructure for operational efficiencies and improved performance.

Consistent Multi-Cloud Security

Resiliency and geographic diversity are key aspects of any business continuity plan for financial institutions. By not placing all its eggs in one basket, an IT organization limits the impact of any technology or supplier failure on the business it supports. As workloads continue to move to the public cloud, financial institutions will prefer to spread their risk both geographically and across multiple service providers. In the end, resilient designs will be implemented for cloud-based workloads, but reduced fault domains and supplier diversity will also be key considerations for all IT teams. Consequently, financial institutions can be expected to have a multi-cloud strategy.

To maintain a consistent and effective security posture across multi-cloud environments, Palo Alto Networks VM-Series virtualized next-generation firewall is supported on three major cloud service providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Common use cases include hybrid cloud, segmentation, internet gateway, and remote access. Integration with the native cloud infrastructure offers automation for frictionless workflows even in multi-cloud environments. Our VM-Series has the same feature set regardless of the cloud service provider and will enable financial institutions to create a consistent security policy across all three.

SaaS Application Control: Consumer vs. Enterprise

SaaS application usage continues to grow in the financial sector. For many institutions, SaaS was a first step into the cloud as subscriptions for non-mission-critical applications drove cost savings and efficiencies. Not surprisingly then, the use of SaaS apps for HR, CRM, and also Office 365 is fairly common. Some financial institutions may use Google G Suite, Dropbox, and YouTube for business purposes as well. In such cases, this creates a situation where the enterprise version of SaaS applications is indistinguishable from the consumer one. Employees may be accessing their personal email, calendar, or online storage SaaS applications from the same workstation used for the enterprise versions. At its worst, this becomes another avenue for exfiltration of corporate data by malicious insiders. Even in benign cases, the personal use of Office 365, G Suite, Dropbox, and YouTube from the office can be a questionable use of corporate resources.

With PAN-OS 8.1, Palo Alto Networks next-generation firewalls can be used to distinguish between enterprise and consumer use of common SaaS applications, and ultimately prevent access for the latter purpose. Our next-generation firewall will insert HTTP headers for Google, Office 365, Dropbox, and YouTube to signal what is desirable for enterprise use. The SaaS application recognizes this and then allows access based on the settings in the header. This prevents any data exfiltration attempts to consumer accounts on common SaaS applications and, furthermore, limits the use of corporate resources for personal purposes.

Simplified Decryption Architecture

Gartner has predicted that, by 2019, more than 80 percent of all network traffic will be encrypted. Attackers have also taken notice and may hide their communications within encrypted data streams as well. To combat this, financial institutions have already gone about decrypting internet traffic to detect and stop malicious traffic. However, this is typically done by:

  1. Decrypting each time on every single-function security appliance in the chain (e.g., firewall, IPS, DLP, WAF, proxy) for policy enforcement, or
  2. Introducing a dedicated appliance for SSL offload, which then sends the unencrypted data to each of the single-function security appliances.

Both approaches do allow for inspection of encrypted traffic for malicious activity, but both also have drawbacks. Decrypting multiple times adds latency and impacts end-user experience. A dedicated SSL offload appliance adds design complexity and operational costs.

In PAN-OS 8.1, Palo Alto Networks has introduced the Decryption Broker, which enables the next-generation firewall to decrypt the data and scan it using its single-pass architecture for IPS, network antivirus, and security policies before a hand-off to third-party security appliances for further enforcement. This approach reduces the total number of devices required, minimizes added latency, and increases the operational efficiency of a security chain of multi-vendor appliances. Using this simplified architecture for decryption allows for streamlined inspection for security, while minimizing the performance impact on end users.

Get more details on these and other enhancements introduced in PAN-OS 8.1.

[Palo Alto Networks Research Center] 

Growing Global Spotlight on Privacy, GDPR, Resonating in India

India is a country at the crossroads of transformation. As one of the fastest-growing economies, it is expected to be the most populous country in the world in a few years, potentially home to about 20 percent of the world population. Therefore, events in India are becoming increasingly relevant from an economic as well as geopolitical perspective.

The advent of the General Data Protection Regulation (GDPR) has brought significant focus globally and in India on privacy. The interest in privacy goes beyond the transactional and operational aspects. It explores the basis and relevance of privacy more deeply.

It is in this context that a landmark judgment delivered in August 2017 by The Supreme Court of India assumes significance. A nine-judge bench of the Supreme Court delivered the order that privacy is a fundamental right and an intrinsic part of the right to life and personal liberty guaranteed by the Constitution of India. The judgment has settled the debate on the matter and has meant that initiatives and activities of the government, as well as those of private enterprises and organizations, will need to ensure that privacy of individuals is protected.

A committee was formed by the Indian government in 2012 under the chairmanship of the former Chief Justice of the Delhi High Court to draft a paper that would facilitate the authoring of a privacy law for India. The committee suggested a detailed framework to serve as the conceptual foundation for the proposed privacy law and mentioned the following features that should be included:

  1. Technological neutrality and interoperability with international standards. This feature recognizes the need to preserve privacy in the face of ever-changing technology. It also recognizes the need to be in harmony with international regimes to create trust for cross-border data flow.
  2. Multi-dimensional privacy. This aspect recognizes that privacy protection involves different types of data and different methods of communication and storage.
  3. Horizontal applicability. The frameworks should not discriminate between the government and private enterprise in matters related to protection of privacy.
  4. Conformity with the privacy principles. The committee has laid down privacy principles that are in conformity with globally recognized principles such as choice, collection limitation, etc.
  5. Co-regulatory enforcement regime. The committee has recommended a structure for regulators and emphasized the need for self-regulatory industry or sector-specific bodies.

India has now set into motion discussions for a data protection law. The government has assembled a committee to study various aspects needed to create a bill under the chairmanship of Justice Srikrishna, former Supreme Court judge. The proposed law is expected to address data privacy in a holistic manner. The committee had issued a white paper to solicit opinion from various stakeholders and the public on multiple aspects, including the content of the law.

GDPR has been a significant step that has spurred discussions around data protection and privacy across the globe, and India is no exception. Given the significance of information technology to India’s growth, the interest is natural. In terms of population, India is about 2.5 times that of the EU. The impact and significance of the data protection law in India is likely to be even higher. It is certain that India is on a path that is in sync with the global direction.

Editor’s note: To view ISACA’s resources on GDPR, visit www.isaca.org/GDPR.

Sandeep Godbole, CISA, CISM, CGEIT, CISSP, CEH, Past President of ISACA Pune Chapter

[ISACA Now Blog]

Cloud Security Alliance Releases New Report Examining Ways in Which Blockchain Technology Can Facilitate, Improve IoT Security

SEATTLE, WA – Feb. 13, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released Using Blockchain Technology to Secure Internet of Things, a new white paper which explores the capabilities of blockchain technology in facilitating and improving the security of the internet of things (IoT).

Authored by the CSA’s Internet of Things (IoT) and Blockchain/Distributed Ledger Technology Working Groups, the paper highlights various features that should be considered when securing connected devices using blockchain technology. The document provides a high-level overview of blockchain technology, and then outlines a set of architectural patterns that enable blockchain to be used as a technology to secure IoT capabilities. It also offers specific use-case examples of blockchain for IoT security.

“Organizations on the forefront of implementing IoT are understandably encountering challenges in identifying appropriate security technologies that are capable of mitigating the unique threats that IoT presents,” said Brian Russell, chair of the CSA IoT Working Group. “We hope this document will inspire business leaders and developers embracing the blockchain opportunity to extend the capabilities of this technology to secure the internet of things.”

The report addresses two technologies with different maturity levels:

  • Blockchain: A technology enabler that supports rapidly evolving cryptocurrencies such as BitCoin, Ethereum, Litecoin, Dash and hundreds more. Blockchain’s success as a foundation for cryptocurrencies has spawned new research aimed at securing systems and technologies using the distributed ledger. Most initiatives in the business context are limited to prototypes that serve mostly to master the intricacies of this complex technology. Current applications only scrape the surface of their possible uses.
  • Internet of Things: A fast-maturing set of technologies that support the transformation of business and mission processes. The IoT is the inter-networking of physical devices such as connected vehicles, smart buildings, industrial control systems, drone and robotics systems and other items embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to exchange data. The IoT has reached varying levels of maturity across sectors such as consumer, transportation, energy, healthcare, manufacturing, retail and financial.

“The IoT is having a major impact on how many companies conduct business and people go about their daily lives. However, security has become a stumbling block to widespread adoption or implementation. Luckily, blockchain holds great promise for securing connected devices and systems,” said Sabri Khemissa, co-chair for the Blockchain/Distributed Ledger Technology Working Group and the lead author of the paper. “This research should serve as a roadmap to implementing technology that will push the dial forward in securing IoT.”

The CSA IoT Working Group focuses on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations. The Blockchain/Distributed Ledger Technology Working Group works to produce useful content to educate different industries on blockchain and its proper use, as well as define blockchain security and compliance requirements based upon different industries and use cases.

Individuals interested in becoming involved in the future research and initiatives of either group are invited to do so by visiting the Internet of Things WG join page and the Blockchain/Distributed Ledger WG join page.

The Using Blockchain Technology to Secure Internet of Things white paper is a free resource from the CSA and is available at https://cloudsecurityalliance.org/download/using-blockchain-technology-to-secure-the-internet-of-things.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

SCHOLARSHIP OPPORTUNITIES WITH (ISC)² AND THE CENTER FOR CYBER SAFETY AND EDUCATION

Every year, (ISC)² and the Center for Cyber Safety and Education award a range of scholarships to individuals pursuing, or planning to pursue, a degree in cybersecurity or information security.

Addressing the cybersecurity skills gap

The aim of these initiatives is to help bridge the cybersecurity workforce skills gap – which our research predicts will reach a 1.8 million shortfall in the next four years – and to improve diversity within the profession, by providing future information security professionals with Undergraduate, Graduate or Women’s scholarships to assist them in preparing for a rewarding career in this vital sector.

How the scholarship program has evolved

The program started in 2005, awarding four graduates $12,500 each towards an advanced degree in the sector. The scheme was initially part of (ISC)²’s “Year of the Information Security Professional” program, designed to create additional awareness of the profession and encourage high-quality new entrants into the field.

From 2005 through to 2010, the program grew, distributing between three and six awards each year, with the early scholarships focused on graduate students conducting research in cybersecurity.

Last year, however, 48 scholarships were awarded out of the 1,000-plus applications received, and today up to $125,000 is available across the various scholarships – indicating real growth in the scheme’s popularity. Back in 2011, 28 applications were received; submissions grew after that but stayed around the 60 – 70 mark each year. 2016 saw the real turning point, with over 500 applications received, and last year the scheme received its record number of submissions yet.

It was in 2011 – in a concerted effort to address the fact that women are underrepresented in the profession – that the women’s scholarships were created. Women have made up 73% of scholarship recipients to date, with nearly $200,000 presented since the program commenced.

Successful recipients across the program have hailed from all corners of the globe too, including the United Kingdom, Iraq, Estonia, Cameroon, Nigeria, South Korea, India, Jamaica, Australia, Canada and more.

If you’re interested in applying, or know someone who might be, read on for details on the individual initiatives:

Undergraduate Scholarships

Aspiring information security professionals have the opportunity to ease some of their educational financial burden with the (ISC)² Information Security Scholarship, offering undergraduate students studying information security from $1,000 to $5,000 per recipient. To be eligible, your GPA must be at least 3.3 on a 4.0 scale (or an analogous rank based on a comparable scale). Additionally, you can apply if you are a citizen of any country and studying in any country, on either a full-time or part-time course, whether online or on-campus. For more details on eligibility and how to apply, see the official (ISC)² undergraduate scholarships page.

Graduate Scholarships

Graduate students often need funding to conduct special research projects or assistance with tuition and fees, and the (ISC)² Graduate Scholarship Program helps grad students achieve those goals. Graduate applicants may be awarded between $1,000 and $5,000 each. To be eligible, your GPA must be at least 3.5 on a 4.0 scale (or an analogous rank based on a comparable scale). Please note, if you have just been accepted to Graduate School, or are just beginning classes, you will use the final cumulative GPA from your undergraduate degree transcript to meet the criteria. Additionally, you can apply if you are a citizen of any country and studying in any country, on either a full-time or part-time course, whether online or on-campus. For more details on eligibility and how to apply, see the official (ISC)² graduate cybersecurity scholarships page.

The deadline for the Undergraduate scholarships is 15 March 2018, and for Graduates, it’s 17 April 2018.

Learn more and apply via the Center’s website; for email enquiries, contact scholarships@isc2.org.

[(ISC)² Blog]
