The last few years have seen ransomware attacks capture global headlines for the widespread and brazen tactics used to install and hold victim’s data hostage. As recently as March of 2018, WannaCry reared its head again at a US-based Boeing manufacturing plant, and SamSam striking the city of Atlanta, one of the country’s largest municipalities. According to a report by Trend Micro, in 2017 there was roughly a 40 percent decline in threats using ransomware, however, the scale of reach and damage was much more significant than in years past with heavy-hitters like WannaCry, NotPetya and Bad Rabbit. Ransomware remains a prevalent threat as many older ransomware families are still in play, affecting users worldwide, but the new trend of malicious cryptomining is promising even easier money to attackers.
Enter the Malicious Cryptomining Era
As the number of ransomware threats is on the decline, malicious cryptomining is on the rise, perhaps proving more attractive to cybercriminals out to make money. According to a study by Symantec, 2017 saw an “8,500 percent increase in the detection of coinminers on computers.” These malicious cryptomining attacks infect victim computers in order to use their processing power to mine virtual currency on a massive scale.
Cybercriminals attraction to malicious cryptomining is the result of the visibility and mode of attack. Ransomware is a clearly defined attack causing an abrupt event that requires the victim be notified an attack is taking place so they can pay the ransom. Malicious cryptomining is less obvious and flies under the radar — that is, until it drags down machine performance too much and uses copious amounts of electricity.
Zero-Day Vulnerabilities in Operational Technology
Operational technology (OT), which includes monitoring and control systems common in critical infrastructure, has seen its risk of cyberattack rise over recent years. The Trend Micro report shed light on more bad news for OT networks. While there was a substantial 98-percent increase in discovered zero-day vulnerabilities overall, zero-day vulnerabilities affecting OT made up the bulk of that increase. Of the 119 new zero-day vulnerabilities in 2017, all but six were related to OT.
This latter spike is particularly concerning as OT has many unique cybersecurity concerns and challenges, not the least of which is poor visibility of the OT network and its intersections with IT, general prohibition of active vulnerability scans and limited patching options.
How to Protect Yourself
Whether it’s vulnerabilities on OT devices, in ransomware or cryptomining malware, they need to be dealt with in context. Analyzing vulnerabilities from the network, business and threat perspectives will help focus remediation on your biggest risks.
- Ransomware: Having reliable threat intelligence incorporated into vulnerability prioritization processes will help pinpoint vulnerabilities used in distributed crimeware like ransomware or exploit kits. Having visibility of your network and assets will also help identify which of these vulnerabilities are also exposed and give insight into how an attack like WannaCry could spread throughout your organization.
- Malicious cryptomining: Cryptomining malware often relies on vulnerability exploits. Patching those vulnerabilities — especially on high-value servers — is the best first step. You can also block browser-based cryptomining software by installing a plugin to warn you when a site is trying to use your machine to mine or that blocks the mining domains.
- OT vulnerabilities: For most organizations, vulnerability discovery in OT networks must be done without an active scan. Having a passive solution in place will provide the fundamental vulnerability occurrence data to support the rest of the vulnerability management process. Incorporating threat intelligence will also determine which vulnerabilities have active exploits in the wild. And network insight will also help identify mitigation options such as ACL changes, IPS signatures, etc. to decrease the risk of these vulnerabilities even if patching the device isn’t an option.
The Cryptomining Malware Family: Cryptomining malware comes in many shapes and sizes, from browser-based software to cryptocurrency wallet stealers and dedicated applications
Top Malware in 2018 — What to Watch For: Skybox’s new Vulnerability and Threat Trends Report lays out the top malware and points to the trend of hybrid, changeling malware
6 Vulnerabilities to Follow in 2018, According to Skybox Research Lab: Skybox’s new Vulnerability and Threat Trends Report lays out the vulnerabilities to play a major role in 2018’s threat landscape