Criminals’ Cryptocurrency Addiction Continues

Cryptojacking Attacks Are Reshaping Today’s Threat Landscape

A monero miner called DarkPope for sale on the dark web marketplace called Wall St. Market (Source: Crowdstrike)

Since the end of last year, cryptojacking – the hidden mining of virtual currencies – has been a focus for many online attackers, usurping the dominance of ransomware attacks.

Blame the explosion in cryptocurrencies’ value at the end of 2017, after which many cybercriminals came calling. As they shifted their focus, the growth in banking Trojan and ransomware attacks slowed, although both continue.

Cryptojacking attacks are continuing to rise, says Europol, the EU’s law enforcement intelligence agency. Such illicit cryptomining involves attackers exploiting computer users’ bandwidth and processing power to “mine” for cryptocurrency, solving mathematical problems that build the cryptocurrency’s blockchain. In return, participants can receive cryptocurrency as a reward.

“While it is not illegal in some cases, it nonetheless creates additional revenue streams and therefore motivation for attackers to hack legitimate websites to exploit their visitor’s systems,” Europol says in its recently released Internet Organized Crime Threat Assessment for 2018. “Actual cryptomining malware works to the same effect, but can cripple a victim’s system by monopolizing their processing power.”

Indeed, security firm Crowdstrike notes in a new report that it “has observed cryptomining dramatically impacting business operations in some organizations – impeding their ability to conduct business as usual for days or weeks at a time.”

Cryptomining malware continues to grow more prevalent. “Cryptocurrency mining detections have increased sharply between 2017 and 2018,” the Cyber Threat Alliance says in a recently released report.

“Combined data from several CTA members shows a 459 percent increase in illicit cryptocurrency mining malware detections since 2017, and recent quarterly trend reports from CTA members show that this rapid growth shows no signs of slowing down,” it says.

Easy Money

Europol predicts that cryptojacking will continue to serve as “a regular, low-risk revenue stream for cybercriminals” (see Cybercrime: 15 Top Threats and Trends).

Rik Ferguson, vice president of security research at Trend Micro, says one of the dominant, recurring themes in this year’s IOCTA report is the degree to which “cryptocurrency in many ways could be said to be shaping today’s threat environment.”

Those findings parallel Trend Micro’s own first half of 2018 security roundup report, Ferguson notes. Trend Micro and other security firms shared attack and trend data with Europol that fed into the IOCTA report. Ferguson is also a cybersecurity adviser to Europol’s EC3 European Cybercrime Center.

“With the increasing, malicious focus on cryptocurrency-related threats, attacks and exploits, it is clear that criminal innovation in this space continues unabated,” Ferguson tells Information Security Media Group.

“Starting from attacks targeting cryptocurrency wallets on individual users’ machines – either directly or as an add-on to some widespread ransomware variants – attackers have rapidly diversified into direct breaches of cryptocurrency exchanges, malware for mining on traditional, mobile and even IoT devices, and developed attack methodologies specifically designed to target the mechanics of blockchain-based transactions, such as the 51 percent attack.”

The 51 percent attack gives attackers who can control more than 50 percent of a network’s hash rate – or computing power – the power to reverse transactions on the blockchain or double-spend coins.

The first half of this year saw five successful 51 percent attacks leading to “direct financial losses ranging from $0.55 million to $18 million,” Moscow-based cybersecurity firm Group-IB says in a recently released cybercrime trends report.

Mining via Malvertising

Criminals continue to attempt to acquire cryptocurrencies via all possible means, as well as to conduct business using them to help obscure the flow of funds.

For example, attackers are increasingly sneaking cryptomining software into online advertisements, says Christopher Boyd, lead malware intelligence analyst at security firm Malwarebytes. “While ransomware declines, certain forms of ad-based cryptomining have become very popular and we’d expect to see that trend continue,” he tells ISMG.

Such cryptomining software is easily available, sometimes in a legitimate, open source form that attackers may use in an illicit manner.

“After the launch of Coinhive – hidden mining software – seven more similar software programs have come out,” Group-IB says in its report.

Target: Cryptocurrency

Criminals are also targeting individuals and organizations that handle cryptocurrency. “Attacks that had previously targeted financial institutions such as banks are finding much easier targets in organizations dealing with cryptocurrencies; it’s not surprising then that the criminals are moving to where there are easier pickings,” Alan Woodward, a visiting professor at the University of Surrey’s department of computer science, tells ISMG.

“Currency exchangers, mining services and other wallet holders are facing hacking attempts as well as extortion of personal data and theft,” Europol’s report notes.

Since 2017, “a total of 14 cryptocurrency exchanges have been robbed, suffering a total loss of $882 million,” Group-IB says. “At least five attacks have been linked to the North Korean hackers from [the] Lazarus state-sponsored group. Their victims were mainly located in South Korea.”

Beyond Lazarus, Group-IB says the most prominent cryptocurrency exchange hackers appear to be Russia’s three most active cybercrime groups: Silence, MoneyTaker and Cobalt.

Initial coin offerings have also been under fire from hackers (see How Hackers Are Targeting Initial Coin Offerings). “Approximately 56 percent of all money siphoned off from ICOs was stolen through phishing attacks,” Group-IB says.

Bitcoin Still King

Despite the increased criminal interest in virtual currencies such as monero and dash, which promise greater privacy and can be mined – including on malware victims’ systems – without having to use highly specialized equipment, Europol says bitcoin “remains the predominant cryptocurrency encountered in cybercrime investigations” (see Criminals Hide ‘Billions’ in Cryptocurrency, Europol Warns).

“Bitcoin is still the cryptocurrency of choice for criminals, despite other cryptocurrencies gaining market share,” Woodward says.

Users of bitcoin who want to make it difficult for investigators to “follow the money” have sometimes relied on tumbling services designed to transfer cryptocurrencies between many different accounts to obscure their origin and destination.

But the latest generations of cryptocurrencies are designed with these types of capabilities built in. “It is likely that high-privacy cryptocurrencies will make the current mixing services and tumblers obsolete,” Europol says.