In its “Cyber Attack Trends: 2018 Mid-Year Report,” security vendor Check Point reported that cyber-criminals are aggressively targeting organisations with cryptomining malware in order to build illicit revenue streams. What is at risk is the cloud and multi-platform infrastructure of any organisation: attackers take over enterprise cloud resources to exploit their computational power and grow their profits.
Maya Horowitz, Threat Intelligence R&D Group Manager, and Tony Jarvis, Chief Strategist for Asia Pacific, Middle East & Africa at Check Point Software Technologies, shared their views with DynamicCIO on how cryptomining attacks are affecting organisations today and how organisations should defend their cloud infrastructure against this kind of attack.
DynamicCIO (DC): What are the latest cyber threats that enterprises need to be aware of currently?
Maya Horowitz (MH): The most prominent threat nowadays globally is cryptomining attacks. Noticeably, in APAC, as mentioned in our report summarizing the first 6 months of the year, attacks on mobile devices are even more prominent than cryptomining attacks.
Tony Jarvis (TJ): While many headlines report newer threats because they are of particular interest to readers, it’s important to note that older threats continue to plague organisations for years after rising to prominence. The most prevalent threats we have seen over the last six months or so include crypto-currency miners and mobile malware, which take the top spots. However, the remainder of the threats occupying our “Top 10 list” include a number of more general attacks or ones that have been around for some time. The lessons for organisations are clear: bolster security to withstand the newer attacks while ensuring they are well prepared against the attacks reported over the last few years.
DC: What is crypto-mining? How does a crypto-mining attack help a hacker or cyberjacker?
MH: Cryptocurrency mining is the method by which crypto coins are created – using computation power from any device to solve mathematical equations that will create additional coins in the blockchain.
In other words, electricity>computation>money.
Obviously, the electricity used in this process costs money, which is why threat actors have developed a method to leverage other people’s devices, computation power and money, and mine for coins that will end up in the attackers’ wallets. This is what we call crypto-jacking.
TJ: Crypto-mining is the act of taking over an infected machine’s CPU in order to release new cryptocurrency into circulation. This is effectively the same as ‘minting’ new currency. The process is extremely computationally intensive, meaning many machines need to contribute their processing power to make this task possible. These machines are infected and controlled by the attacker, who reaps the financial gain once the cryptocurrency is ‘mined’.
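Added example (not part of the Check Point interview or its report): a toy proof-of-work loop in Python that shows concretely what a miner burns CPU on. It hashes a block header with successive nonces until the digest has a required number of leading zero bits; the expected number of hashes doubles with every extra difficulty bit, while checking a claimed solution costs one hash. The header bytes, the use of single SHA-256 and the difficulty values are constructed for illustration; real coins use their own hash functions and header layouts.

```python
"""Toy proof-of-work miner (added example; not code from Check Point or the interview).

Hash a constructed block header with successive nonces until the digest falls
below a target. Expected work is 2**difficulty_bits hashes, so a single hijacked
machine is rarely enough on its own, and attackers pool many of them.
"""
import hashlib
import time

HASH_BITS = 256  # SHA-256 output size in bits


def hash_header(header: bytes, nonce: int) -> bytes:
    """One unit of 'work': SHA-256 over the header plus an 8-byte little-endian nonce."""
    return hashlib.sha256(header + nonce.to_bytes(8, "little")).digest()


def target_for(difficulty_bits: int) -> int:
    """A digest 'wins' if, read as a big-endian integer, it is below this target,
    i.e. it starts with `difficulty_bits` zero bits."""
    if not 0 <= difficulty_bits < HASH_BITS:
        raise ValueError("difficulty_bits out of range")
    return 1 << (HASH_BITS - difficulty_bits)


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    return int.from_bytes(digest, "big") < target_for(difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Average attempts needed: every hash is an independent 2**-bits chance."""
    return 1 << difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces in order. Returns (nonce, digest, attempts) or None if exhausted."""
    for nonce in range(max_nonce):
        digest = hash_header(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash, however hard it was to find."""
    return meets_target(hash_header(header, nonce), difficulty_bits)


def benchmark(header: bytes, bits_list):
    """Time the search at several difficulties; returns rows of (bits, attempts, seconds)."""
    rows = []
    for bits in bits_list:
        t0 = time.perf_counter()
        result = mine(header, bits)
        rows.append((bits, result[2], time.perf_counter() - t0))
    return rows


if __name__ == "__main__":
    # Constructed header; a real one would carry the previous block hash, tx root, etc.
    header = b"constructed-block-header:prev=00..00:txroot=ab..cd"
    for bits, attempts, secs in benchmark(header, [8, 12, 16, 18]):
        rate = attempts / secs if secs else float("inf")
        print(f"{bits:2d} bits: {attempts:7d} hashes (expected {expected_hashes(bits):6d}), "
              f"{secs:.3f}s, ~{rate:,.0f} H/s")
```

Running it shows the hash rate of one core staying roughly constant while the time to find a solution grows with the difficulty, which is exactly why a cryptojacker wants the aggregate CPU of many infected hosts (or an auto-scaling cloud account) rather than any single fast machine.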
DC: How is crypto-mining impacting organisations today? How big is this threat anyway?
MH: There are several ways in which cryptojacking can harm an organization. Computation power is limited, thus using it for cryptomining will harm other processes and create slowness and even denial of service for both servers and end-users. Computation costs money. This point is stressed further now that we see hackers using Cloud infrastructure for their mining activity; Cloud has almost unlimited computation power and auto-scaling, which means hackers get as many resources as they’d like, and the Cloud owner gets the bill. A cryptominer is a backdoor to the network. At any given time, it might download additional malicious code from its command and control server and install malware, steal sensitive data, etc.
TJ: Since the process of crypto-mining involves taking over the CPU cycles of an infected machine, the performance of that device will be affected. Users will notice a slowdown in performance, ranging from a slight degradation to overheating and potential damage should 100% of the CPU be consumed. If servers are affected, resources such as websites may no longer be available to users, resulting in lost revenue and customer dissatisfaction. The problem is exacerbated if the infection takes place in the cloud. Since cloud environments are designed to scale according to demand, new services can be automatically spun up when CPU usage rises, meaning significant costs for organisations at the end of their billing cycles.
DC: Check Point’s report shows that crypto-mining is increasing steadily, and it’s not just bitcoin owners who are affected, so who is most at risk today?
MH: The risk of cryptojacking applies to anyone, not only cryptocurrency owners. Anyone who has a computer, server, Cloud infrastructure or mobile phone might have that device leveraged by hackers for cryptomining.
TJ: We see a very similar trend between crypto-mining and ransomware in terms of potential victims. Just as individual users and large organisations alike were potential targets for ransomware attacks, the same holds true for crypto-mining threats. Any device capable of performing mathematical calculations contributes to the attacker’s goals, meaning smartphones, tablets, mobiles and servers are all desirable. The performance of each device doesn’t matter greatly, as each infected machine is grouped along with thousands of others such that even modest processing capabilities scale to become a powerful collective crypto-mining force.
DC: What measures should an enterprise look at to prevent crypto-mining attacks? Does the enterprise need a special security strategy to avoid crypto-mining?
MH: All typical security measures that protect against malware apply against cryptomining. These include installing security patches, so that hackers won’t have easy ways to get to one’s devices and install the miner; virtual patching with IPS, as an up-to-date IPS will stop such attacks at the entry point; anti-mining browser extensions, which work just like ad-blockers; zero-day protection, since hackers constantly release new versions of their attacks to avoid detection, so it is important to use a security product that identifies the malicious behavior on day zero; and anti-bot, because, assuming some of the attacks will make it onto the devices, an anti-bot security product will deny the malware the ability to get commands and run the malicious code. Remember, these protection measures should be taken across all environments, from “classic” networks within the perimeter to the endpoints, Cloud and mobile devices. They’re all vulnerable to these attacks (and more).
TJ: Addressing the problem from a technology perspective, there are two ways organisations can protect against crypto-mining attacks. The first is to employ specific protections that look for crypto-mining malware and prevent such processes from running. The second is to address how such malware makes its way onto affected machines. This could be via malicious websites or phishing emails being sent to users containing specific links or attachments. It is important for organisations to address the issue from non-technology angles as well. For example, employee training covering safe Internet usage guidelines and how to identify fraudulent emails can greatly improve security efficacy.
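Added example (not Check Point code and not part of the interview): the “specific protections that look for crypto-mining malware” mentioned above can be as simple as matching the mining protocol itself. The Python scan below runs over constructed host telemetry lines (hostname, pid, CPU share, process command line, and the first bytes the process sent over the network) and flags the Stratum v1 JSON-RPC methods `mining.subscribe` / `mining.authorize` / `mining.submit`, the XMRig-style `login` / `submit` / `job` variant, and `stratum+tcp://` or `stratum+ssl://` pool URLs in a command line. Saturated CPU only raises the severity of a hit; on its own it proves nothing, which the `cache-01` line demonstrates. Log format, hostnames, paths and wallet placeholders are all constructed for the example.

```python
"""Cryptojacking indicator scan over constructed host telemetry (added example;
not Check Point code).

Record format (constructed): <ISO timestamp> key=value ... cmd=<command line>
[payload=<compact JSON the process sent>]. cmd and payload may contain spaces,
so they are split off before the simple key=value fields are parsed.
"""
import json
import re
from typing import Dict, List, Optional

# Stratum v1 (Bitcoin-style pools) JSON-RPC method names.
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                      "mining.notify", "mining.set_difficulty"}
# XMRig-style (Monero pools) method names; generic words, so we also require
# the params field to be an object, as that protocol sends it.
XMRIG_STYLE_METHODS = {"login", "submit", "job"}
POOL_URL_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
HIGH_CPU = 90.0  # percent; with a protocol indicator this bumps severity to high

# Constructed sample telemetry. Hostnames, paths and WALLET are placeholders.
SAMPLE_LOG = """\
2018-07-01T10:00:01Z host=web-07 pid=4182 cpu=98.5 cmd=/tmp/.cache/httpd payload={"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}
2018-07-01T10:00:02Z host=web-07 pid=4182 cpu=98.7 cmd=/tmp/.cache/httpd payload={"id":2,"method":"mining.authorize","params":["WALLET.rig1","x"]}
2018-07-01T10:00:05Z host=db-02 pid=911 cpu=12.0 cmd=/usr/sbin/postgres payload={"id":7,"method":"getStatus","params":[]}
2018-07-01T10:00:09Z host=app-03 pid=2207 cpu=99.1 cmd=/opt/sys/updater -o stratum+ssl://pool.example:443 -u WALLET
2018-07-01T10:00:12Z host=app-03 pid=2207 cpu=99.0 cmd=/opt/sys/updater payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET","pass":"x","agent":"XMRig/2.6.0"}}
2018-07-01T10:00:15Z host=cache-01 pid=300 cpu=95.0 cmd=/usr/bin/redis-server
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one record into fields; payload and cmd are peeled off first."""
    rec: Dict[str, str] = {}
    head, sep, payload = line.partition(" payload=")
    if sep:
        rec["payload"] = payload
    head, sep, cmd = head.partition(" cmd=")
    if sep:
        rec["cmd"] = cmd
    ts, *fields = head.split()
    rec["ts"] = ts
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def stratum_method(payload: str) -> Optional[str]:
    """Return the JSON-RPC method if the payload is a mining-protocol message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_V1_METHODS:
        return method
    if method in XMRIG_STYLE_METHODS and isinstance(msg.get("params"), dict):
        return method
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """One finding per (host, pid) that showed a protocol or command-line indicator."""
    findings: Dict[tuple, Dict[str, object]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        method = stratum_method(rec.get("payload", ""))
        if method:
            reasons.append(f"stratum method {method}")
        if POOL_URL_RE.search(rec.get("cmd", "")):
            reasons.append("pool URL in command line")
        if not reasons:
            continue  # high CPU alone (e.g. cache-01) is not a finding
        key = (rec.get("host"), rec.get("pid"))
        f = findings.setdefault(key, {"host": key[0], "pid": key[1],
                                      "cmd": rec.get("cmd"), "reasons": [],
                                      "severity": "medium"})
        for r in reasons:
            if r not in f["reasons"]:
                f["reasons"].append(r)
        if float(rec.get("cpu", 0)) >= HIGH_CPU:
            f["severity"] = "high"  # protocol indicator plus saturated CPU
    return list(findings.values())


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['severity']:6s} {finding['host']} pid={finding['pid']} "
              f"{finding['cmd']} :: {', '.join(finding['reasons'])}")
```

Two caveats a practitioner should keep in mind: over `stratum+ssl://` the payload is encrypted, so a network sensor only sees the destination and must lean on the command-line, DNS and CPU signals instead; and a legitimate process at 95% CPU (the `cache-01` line) must not be flagged on load alone, or the detection will drown in false positives.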
DC: What kinds of solutions are available today to prevent such an attack? How is Check Point developing solutions to prevent this kind of cyber security threat?
MH: Check Point Infinity infrastructure protects our customers from all attacks, across all platforms, from the mobile phone in our pocket to the servers on the Cloud. It implements all needed security against cryptojacking, alongside other attacks such as ransomware, banking Trojans, info-stealers and others.
TJ: Complete protection against such attacks requires a comprehensive approach. This begins with getting the basics in place, such as IPS protections with up-to-date signatures that are capable of patching the systems behind them. Newer threats require sandboxing capabilities to determine if previously unseen files perform malicious activities. Organisations need to also bear in mind that their attack surface makes them increasingly vulnerable to such threats. For those with a cloud presence, dedicated protections for such environments do exist and go above the typically minimal security provided by cloud vendors in order to keep organisations safe. As threats continue to evolve and target a growing number of vectors, Check Point is committed to meeting the security needs faced by today’s enterprises.