Prelude
The last 12 months have shown tremendous volatility in the value of cryptocurrencies, of which Bitcoin is the most prominent example. At the start of 2017, Bitcoin lingered around the $2,000 mark before suddenly taking off, climbing to historic highs of close to $20,000 in December 2017. Demand has since subsided, and at the time of writing, the price of Bitcoin is near to $10,772.
While Bitcoin is the most popular cryptocurrency, numerous alternatives, often called ‘altcoins’ have emerged and grown in value in the last 12 months. For example, Dogecoin, originally created to be a spoof cryptocurrency after a widespread internet meme, reached a notable market capitalization milestone of $2bn in January 2018.
Nowadays it is almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones or desktop computers. At this late state, it just takes too long to perform the relevant calculations, and the cost of electricity is higher than the anticipated revenue in most cases. Other altcoins such as Monero use different algorithms, making them viable alternatives for aspiring crypto miners. It is often still feasible to mine altcoins on commodity hardware and see a return on investment.
The value of most altcoins is closely tied to the value of Bitcoin and, in many cases, the relationship is broadly proportional – a rise in Bitcoin prompting a similar lift in the altcoins. Monero, which has been rapidly adopted by Darknet markets, has profited from this effect. While Monero was valued at around $10 in January 2017, its price has been pumped up to $419 a year later.
There is much that is still not clear about the cryptocurrency phenomenon. Debate as to its relative value and its status as a currency rages, and will not be resolved any time soon. However, from a cyber security perspective there can be no doubt that the combination of altcoins being mineable on commodity hardware, the fact that mining is now becoming profitable as a side-effect of Bitcoin’s rise, and a maturity in cryptocurrency-related tech has led to a surge in cryptocurrency-related attacks.
Attack vectors
Darktrace has observed an abrupt increase of cryptocurrency-related attacks over the last 12 months. Both the frequency and the diversity of these attacks has grown significantly and largely mirrors the remarkable rise in the value of Bitcoin over that period.
Previously, cyber-criminals monetized their operations via banking Trojans/credit card fraud, selling stolen data and ransomware on the Darknet. However, criminals are notoriously adaptable and will follow the money wherever it leads, leading to an increase in cryptojacking’s popularity.
Cryptocurrency mining might not be as profitable as ransomware is upfront, but it can be secretly pursued for months without creating the havoc that characterizes ransomware attacks. Most users and security products might not notice a cryptocurrency miner being installed on a corporate device as it does not show obvious threats or messages to a user, except for an occasional increase in CPU or RAM usage.
Identifying these attacks can be very difficult for traditional security tools as they were not originally designed to catch this type of threat. Nor was Darktrace, but its approach – which relies on its evolving understanding of patterns of behavior – means that it can detect such attacks without having to know what to look for in advance.
Darktrace has detected a number of different attack vectors related to cryptocurrency attacks.
- Nefarious use of corporate resources
Darktrace has detected a range of incidents where employees were intentionally installing cryptocurrency mining software on their corporate devices to mine for personal gain. These employees do not have to pay for the electricity used to run the corporate device in the office – they are basically turning their employer’s electricity into cash by commandeering it for mining operations.
This is commonly seen as a compliance breach and increases the attack surface of a device that has mining software installed. It puts the corporate device at risk and also increases operational costs as the power consumption usually goes up for mining devices. The most popular cryptocurrency choices for this kind of mining in the last 12 months were Etherium and Monero – altcoins that can profitably be mined without the need for inordinate electricity. - Coinhive drive-by mining
Coinhive is a technology that allows website owners to use their visitors’ computing power to mine a tiny fraction of cryptocurrency for the website owner. Visitors will experience a small increase in computer resource consumption while browsing the website. Some websites experiment with this model to create new forms of revenue streams alternative to advertisement and banner placements.
Coinhive usage is often not an opt-in process. Darktrace has observed various customer devices that regularly visit websites leveraging Coinhive technology. While the power consumption increase for a device browsing a website with Coinhive is ultimately negligible, the cumulative effect of a sizeable portion of the workforce unwittingly browsing websites using Coinhive results in increased power consumption cost for the organization as a whole. - Malicious insider
A malicious insider compromised his employer’s website to put a Coinhive script on there. This then mined Monero for every visitor on the employer’s website for the malicious insider’s personal gain. - Traditional malware
Cyber criminals are constantly looking to improve the return on investment of their operations. Reports suggest that criminals are starting to adjust their monetization methods based on the financial means of their targets. Suppose you can’t pay the fee extorted in a ransomware attack? They’ll just install a crypto miner on your device instead to ensure that the attack is not completely fruitless.
As malware authors become more sophisticated, they often deploy multi-staged malware that can swap weaponized payloads. Once malware has infected a system successfully, its authors can often decide what actions to take next. Encrypt the device and extort a ransom? Install a banking Trojan to harvest credit card details? Install more spyware modules to look for data exfiltration? Or, now, install a cryptocurrency miner.
These pieces of malware operate stealthily and often go undetected for several weeks. An infection might start with a phishing email that contains a macro-enabled document. As soon as a user enabled the macro, the malware will download a file-less stager that lives in memory and cannot be detected by traditional antivirus. Command and control communication is usually maintained via IP addresses that change on a daily basis in order to outrun threat intelligence and blacklisting attempts. As no obvious damage is done straight away, these attacks often stay under the radar for prolonged times, so long as self-learning technology such as Darktrace is not employed.
This becomes much more concerning as malware authors could swap one payload for another overnight if they deem it more profitable, switching from a furtive crypto mining Trojan to ransomware the next day. While we have not observed this kind of attack in the wild yet, it is plausible, and in cyberspace what can be done, will be done.
Conclusions
Revolutionary technologies like cryptocurrencies have both their dark and light aspects. For all of the creative energy released by the crypto-blockchain revolution, Bitcoin and its alternatives have quickly become the universal currency of the criminal underworld. Indeed, the former Chief Economist of the World Bank, Joseph Stiglitz – an adamant critic of cryptocurrencies – has said that the whole value of Bitcoin resides in its “potential for circumvention” and “lack of oversight”.
While Stiglitz’s case may be overstated, there can be no question that cyber criminals have sensed a new opportunity to make money. A lot of organizations still regard crypto mining as a compliance incident. This can lead to grave consequences as a cryptocurrency mining device might lead to more severe incidents that can have a serious effect on business operations.
This kind of threat is difficult to detect as no obvious damage is done. However, with Darktrace’s machine learning we can correlate even the weakest indicators of such an attack into a compelling picture of threat. While traditional tools may struggle to see these deviations, Darktrace can pinpoint the changes in behavior effected by cryptocurrency miners without having to rely on any blacklists or signatures.
![External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df74_670d956f4dda5eb6ac9e650f_Screenshot%25202024-10-14%2520at%25203.04.22%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7d_670d959854eb594420fdc971_Screenshot%25202024-10-14%2520at%25203.05.03%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df80_670d95c562c6e392c7dc3ba8_Screenshot%25202024-10-14%2520at%25203.05.49%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7a_670d95e4b1dbad771717553c_Screenshot%25202024-10-14%2520at%25203.06.20%25E2%2580%25AFPM.png)
