Malicious hackers are infecting unsuspecting users’ computers with code that commandeers the devices for cryptocurrency mining. Cisco Talos, a threat intelligence group owned by networking giant Cisco, issued a report today that documents how victims’ computers are being hijacked to enrich the attackers through cryptocurrency mining, which takes a lot of computing power.
Cisco Talos has observed botnets consisting of millions of infected systems, which could in theory be leveraged to generate more than $100 million per year. And as long as users are clueless, that would turn into recurring revenue for the cryptocurrency thieves.
The report shows how quickly the threats from hackers are evolving. A couple of years ago, hackers used the anonymity of Bitcoin to launch ransomware attacks that couldn’t be easily traced. Now that cryptocurrencies such as Bitcoin have exploded in value, these hackers are switching tactics again to make money from the exponential growth.
“Over the past several months, Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims,” the report said.
In the new offensive, the attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. Cryptocurrency has a value that can be unlocked through mining, or solving large mathematical calculations to discover keys that unlock an additional unit of the currency. Users can employ pools of high-powered computers to mine for the currency.
In these cases, the better the performance and computing power of the targeted system, the better for the attacker from a revenue-generation perspective, the report said. Internet of things (IoT) devices — which make everyday objects smart and connected — aren’t directly monitored by users. But they’re useful for attackers to hijack precisely because they have processing power that users don’t monitor.
The power of each IoT device is weak, but the number of exposed devices that are vulnerable can add up to a lot of collective processing power, and the cyber criminals are trying to marshal those resources.
Cisco Talos estimates that an average system would generate about 28 cents of Monero, an untraceable cryptocurrency, each day. If you had to buy a $3,000 computer to do that mining, it would be a long time before you paid off the investment. Electricity costs are also not trivial. But a hacker who has enlisted 2,000 victims through a phishing scheme could essentially steal the computing time of the users to solve about 125 hashes per second per machine. Those 2,000 victims’ computers could generate $568 per day, or $204,400 per year.
The attackers can proceed with minimal effort, following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue for a long time. Add to this the fact that cryptocurrency values are going up at an exponential rate, and you can see how the scheme pays off. Monero itself saw a 3,000 percent increase in the past 12 months, from $13 in January 2017 to $300 now. Bitcoin’s value was halved in the past month, but it is still valued at $10,945, compared to $930 at the beginning of 2017.
The main problem is that users may not notice the theft of computing time. If someone stole your credit card number, you would notice the unauthorized purchases piling up, but in this scenario you may be none the wiser.
“Attackers are not stealing anything more than computing power from their victims, and the mining software isn’t technically malware. So, theoretically, the victims could remain part of the adversary’s botnet for as long as the attacker chooses,” the report said.
While ransomware exploded due to anonymous collection techniques, only a small percentage of infected users actually paid the ransoms demanded by attackers, the report said. And cybersecurity software has gotten better at detecting and blocking the attacks. Bitcoin mining has been going on since 2009, but it is getting progressively harder, requiring more hardware to yield currency rewards.
“Currently, the most valuable currency to mine with standard systems is Monero (XMR), and adversaries have done their research,” the report said. “In addition, Monero is extremely privacy-conscious, and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with heavy emphasis on privacy may become a safe haven for threat actors.”
The hijacking of a pool of computers is similar to what happens with Distributed Denial of Service (DDoS) attacks, where 100,000 machines flooding a target with bogus traffic becomes much more effective than a single system sending bogus traffic, the report said.
Pool-based mining is coordinated through the use of Worker IDs. These IDs are what tie an individual system to a larger pool and ensure that any mined coin associated with a particular Worker ID is delivered to the correct user. These Worker IDs have allowed Cisco Talos to determine the size and scale of some of the malicious operations, as well as providing an idea of the amount of revenue adversaries are generating.
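The Worker ID clustering described above can be reproduced by a defender from network telemetry. The script below is an added example, not code from the Cisco Talos report or this article. It assumes that pool login messages are captured in plaintext by a sensor as "<source IP> <JSON payload>" lines, and that the wallet and worker fields live in the `params.login` and `params.pass` members of a JSON-RPC `login` message, which is the shape used by common Monero mining clients; the IPs, wallet strings and worker names in the sample are constructed. It groups distinct source hosts by wallet (the "pool account" all the Worker IDs feed into), which is how a single adversary's operation shows up as one cluster, and applies the article's 28-cents-per-host-per-day estimate to size the revenue.

```python
import json
from collections import defaultdict

# Constructed sample capture: one client->pool message per line, recorded as
# "<src_ip> <json payload>". WALLET_A/WALLET_B and the IPs are placeholders.
SAMPLE_CAPTURE = """\
10.0.0.11 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_A","pass":"rig1","agent":"miner/1.0"}}
10.0.0.12 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_A","pass":"rig2","agent":"miner/1.0"}}
10.0.0.11 {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"job1","nonce":"deadbeef"}}
10.0.0.13 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_B","pass":"x","agent":"miner/1.0"}}
10.0.0.11 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_A","pass":"rig1","agent":"miner/1.0"}}
10.0.0.14 this line is not json and is skipped
"""

# Per-host daily yield quoted in the article (assumed constant across hosts).
DAILY_USD_PER_HOST = 0.28


def parse_logins(capture):
    """Yield (src_ip, wallet, worker_id) for every Stratum-style login message.

    Non-JSON lines and non-login methods (e.g. share submissions) are ignored.
    """
    for line in capture.splitlines():
        parts = line.split(" ", 1)
        if len(parts) != 2:
            continue
        src_ip, payload = parts
        try:
            msg = json.loads(payload)
        except json.JSONDecodeError:
            continue
        if msg.get("method") != "login":
            continue
        params = msg.get("params") or {}
        wallet = params.get("login")
        if not wallet:
            continue
        # Assumption: the worker/rig label travels in the "pass" field.
        yield src_ip, wallet, params.get("pass", "")


def cluster_by_wallet(capture):
    """Return {wallet: {"hosts": set of src IPs, "workers": set of worker IDs}}."""
    clusters = defaultdict(lambda: {"hosts": set(), "workers": set()})
    for src_ip, wallet, worker in parse_logins(capture):
        clusters[wallet]["hosts"].add(src_ip)
        clusters[wallet]["workers"].add(worker)
    return dict(clusters)


def estimate_daily_revenue(cluster, usd_per_host=DAILY_USD_PER_HOST):
    """Size a cluster's revenue from its distinct host count (not worker count,
    since one host may re-login under the same worker ID many times)."""
    return round(len(cluster["hosts"]) * usd_per_host, 2)


def summarize(capture):
    """Per-wallet host count, worker count and estimated daily revenue."""
    return {
        wallet: {
            "hosts": len(c["hosts"]),
            "workers": len(c["workers"]),
            "usd_per_day": estimate_daily_revenue(c),
        }
        for wallet, c in cluster_by_wallet(capture).items()
    }


def suspicious_wallets(capture, min_hosts=2):
    """Wallets that many distinct internal hosts log in to; on an enterprise
    network that pattern is a strong sign of one operator, not many hobbyists."""
    return sorted(w for w, s in summarize(capture).items() if s["hosts"] >= min_hosts)


if __name__ == "__main__":
    for wallet, stats in summarize(SAMPLE_CAPTURE).items():
        print(wallet, stats)
    print("suspicious:", suspicious_wallets(SAMPLE_CAPTURE))
```

Two caveats for running this on real traffic: pool connections are frequently wrapped in TLS, in which case only a TLS-terminating sensor or endpoint telemetry will expose the login payload, and the same wallet can legitimately appear from several hosts when an employee mines on company machines for personal gain (the enterprise case the report raises), so the cluster is a lead for investigation rather than a verdict on its own.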
To hide their tracks, attackers can limit their usage of a CPU to prevent users from noticing. They can also use the computer when it goes into sleep mode and isn’t being used by its owner. Cisco Talos has witnessed both Chinese and Russian criminal groups discussing the use of crypto mining, with the first observed Chinese actors talking about mining botnets in November 2016.
“From a Russian underground perspective, there has been significant movement related to mining in the last six months,” the report said. “There have been numerous discussions and several offerings on top-tier Russian hacking forums. The discussions have been split, with the majority of the discussion around the sale of access to mining bots, as well as bot developers looking to buy access to compromised hosts for the intended purpose of leveraging them for crypto mining.”
One of the things the groups liked about this system was that it doesn’t require command and control attention. It’s a hands-off infection that generates consistent revenue until it is removed.
The attackers infect machines in a variety of ways, including email spam campaigns, exploit kits, and directly via exploitation. When users open emailed attachments, such as Word documents, they inadvertently download a malicious macro or compressed executable that initiates the mining infection.
Cisco Talos found a large number of enterprise users running miners on their systems for personal gain, most likely without the support of their employers. As a result, each enterprise has to figure out how to deal with miners, and whether they should be judged as malware.
“Cryptocurrency miner payloads could be among some of the easiest money makers available for attackers,” the report said. “This is not to try to encourage the attackers, of course, but the reality is that this approach is very effective at generating long-term passive revenue for attackers.”
The report concluded, “The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point, the pool of potential victims becomes too small to generate the revenue expected.”
By contrast, the report noted that “crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money, and crypto mining is an effective way to generate revenue. It’s not going to generate large sums of money for each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It’s also a more covert threat than ransomware. A user is far less likely to know a malicious miner is installed on the system, [even if there is] some occasional slowdown. This increases the time a system is infected and generating revenue.”
The Cisco Talos post was written by Nick Biasini, Edmund Brumaghin, Warren Mercer, and Josh Reynolds, with contributions from Azim Khodijbaev and David Liebenberg.