Over the last six months, the most prevalent stories in my news readers have been about the increase in crypto-mining malware incidents, as I commented on a few months back. They are literally happening weekly, and maybe even daily. Last week I presented data showing that we are seeing a massive rise in phishing attacks. These are targeted attacks, also called spear phishing, aimed at companies and individuals in order to get crypto-mining software into more locations. Getting crypto-mining bots onto as many systems as possible by leveraging traditional attack methods such as phishing is a major headache for every company and individual out there.
The cryptocurrency explosion has brought in everyone from every corner. Most people associate Bitcoin with cryptocurrency, but there are many others out there, and all of them are a convenient way to move money pseudonymously (the ledger is public, but wallets are not tied to names). Back in the early days of phishing, a hacker or hacking team would steal usernames and passwords and then sell them on the black market. There were many points at which they could get caught, and the old adage of "follow the money" was the most common way. With cryptocurrencies, hackers can now move the money more secretly. Still, there were problems and spots where they could get caught, and rather than seek payment for services, I think everyone would agree that if you could just generate your own currency and avoid the middlemen, that would be much easier. That is exactly what the hackers thought too. So now the name of the game is to get crypto-mining software on anything that has a CPU, and phishing for privileged credentials is less about selling them to others and more about immediately using them to load the mining software and start making money.
This week, Tesla's cloud servers were compromised and crypto-mining bots were loaded onto their Amazon Web Services instances. A number of high-profile companies have been compromised recently, but with fewer big headlines around them. The main reason is that although these companies were compromised, the hackers don't necessarily leak the data held on those servers. That is not to say the data isn't compromised in most cases, just that getting the crypto-mining bot up and running is the focus, and the intelligence community knows this. So why bring more panic and attention rather than just stop the malware in its tracks?
Knowing what the attacks are focused on, we should adjust our security to protect against it. Crypto-mining bots are being added to cloud servers, where there is almost unlimited processing power. They are also being added to web sites as fileless, or drive-by, attacks: a mining script injected into the page makes every visitor's browser give a bit of its processing power to the mining collective for as long as the page is open, with nothing written to the visitor's disk. For web sites, the relevant control is therefore keeping a tight grip on the third-party scripts a page loads, since one compromised shared script puts the miner on every site that includes it (the list linked in the edit below is exactly that case). We are also seeing many mainstream (and not-so-mainstream) mobile apps repackaged to include mining bots, typically hidden so the end user would never notice until the device slows down and becomes unusable because of the mining. Other platforms are being attacked too, including IoT (your wireless cameras and wifi-connected thermostats) and big industrial systems (SCADA) used in utilities and manufacturing. Each attackable platform needs the appropriate tools to help combat these attacks. I pointed out last time that it is important to be up to date with your patches and to pay close attention to your data. These recent attacks make that even more visible.
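As an added example (not code from the original post), here is a small Python audit for the kind of drive-by mining injection described above. It lists every cross-origin `<script>` on a page, flags any host that is not on a site-owner allow-list, flags allowed hosts that are loaded without a Subresource Integrity hash, and shows how to compute the SRI value that pins a reviewed script so the browser refuses a tampered copy. The allow-list host `cdn.example.com` and the sample page are constructed for illustration; the browsealoud path in the sample is the one the addendum's search link points at.

```python
"""Audit a page's third-party <script> tags for drive-by mining injection.

Added example, not from the original post. Assumptions (hypothetical):
the site owner keeps an allow-list of script hosts, and every allowed
cross-origin script is pinned with a Subresource Integrity (SRI) hash.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts this site intentionally loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attribute of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src, reason) findings for cross-origin scripts that are either
    off the allow-list or loaded without an SRI hash.

    Same-origin (relative) scripts are skipped: they are part of the site's
    own deployment and need a different control (integrity of the deploy)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc.lower()  # also handles //host/path.js
        if not host:
            continue
        if host not in allowed_hosts:
            findings.append((src, "script host not on allow-list"))
        elif not integrity:
            findings.append((src, "allowed host but no integrity attribute"))
    return findings


def sri_hash(script_bytes):
    """SRI value (sha384-<base64 digest>) for a script body you have reviewed.

    Put this in the tag's integrity attribute (with crossorigin="anonymous")
    so a later change to the hosted file is rejected by the browser."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page: one pinned allowed script, one allowed script
# without a pin, one third-party script off the allow-list, one local script.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.com/app.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/vendor.js"></script>
<script src="https://www.browsealoud.com/plus/scripts/ba.js"></script>
<script src="/static/local.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_HTML):
        print(f"{reason}: {src}")
    print(sri_hash(b"console.log('reviewed');"))
```

Run against a saved copy of a page and the two findings it reports are the ones to act on: the unpinned vendor script gets an integrity attribute from `sri_hash`, and the script from the unknown host gets removed or, if it is genuinely wanted, added to the allow-list and pinned. Pinning does mean the tag must be updated whenever the vendor legitimately changes the file, which is the trade-off for the browser refusing a silently altered one.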
***Edit adding more missed hijacked sites***
I missed the UK government one:
http://www.bbc.com/news/technology-43025788
Or the list of 4300 other web sites that have been infected:
https://publicwww.com/websites/browsealoud.com%2Fplus%2Fscripts%2Fba.js/
Los Angeles Times:
https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html