Although the cryptocurrency market may have lost ~70% of its market cap from a high of $835B, that hasn’t stopped malicious actors, ravenous for the next bull run, from mining cryptocurrency. The birth of cryptocurrency has altered the threat landscape, making it easier for malicious actors to get paid and remain anonymous. The days of cryptocurrency being used as a ransomware payment vector are not over, and cryptojacking is on the rise and arguably more profitable than ever, especially if it goes undetected in your environment.
The cryptocurrency market is volatile; daily swings of 30% are not uncommon. This is a double-edged sword for malicious actors. Payouts can drastically increase or decrease in value over the course of months, weeks, or even days. That can let malicious actors purchase extra hosting infrastructure, buy additional malware on the dark web, buy a Lamborghini Sesto Elemento, or walk away penniless if the market doesn’t move in their favor. A 2x, 5x, or even 100x return on the cryptocurrency mined in your environment is entirely possible.
One of the more nefarious cryptojacking attacks is the hijacking of AWS instances through Kubernetes deployments protected by weak or non-existent passwords, which let actors easily get onto the instances and install cryptomining software. The “WannaMine” malware uses Mimikatz to harvest credentials from a computer’s memory, spreads to other hosts with those credentials, and quietly mines Monero in the background. Because it does not depend on the EternalBlue exploit alone, patching EternalBlue does not stop the miner, and its use of legitimate credentials for lateral movement helps it evade detection.
As daunting as this sounds, there are good guys fighting as well. Cisco Umbrella highlighted in Mounting Mining Mayhem that cryptomining sites were categorized as “potentially harmful.” With cryptomining growing as a vector for both malicious and legitimate mining activity, we have created a new security category dedicated to cryptomining that aims to keep your corporate environment free of unwanted mining activity.
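To make the DNS-layer categorization concrete, here is an added example (not code from the original post or from Cisco Umbrella) of a minimal cryptomining filter that classifies DNS query log lines against a category list of mining-pool domains. The category list, the log format, and every domain name and IP address are constructed for this example. The one design point worth noticing is that matching is done on whole DNS labels, so a subdomain of a listed pool is blocked while a look-alike name that merely ends with the same characters is not.

```python
"""
Added example, not part of the original post: a DNS-layer cryptomining filter.

Each DNS query log line is checked against a constructed category list of
mining-pool domains. A query is flagged when its name is a listed domain or
any subdomain of one. Matching walks the DNS labels from the most specific
to the least specific, so "notpool.example-xmr.test" does NOT match the
listed "pool.example-xmr.test" even though a naive suffix check would.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed category list (hypothetical mining-pool domains, lower-cased,
# no trailing dot). A real deployment would pull this from a threat-intel feed.
CRYPTOMINING_CATEGORY: set[str] = {
    "pool.example-xmr.test",
    "stratum.example-pool.test",
    "coinhive-like.example.test",
}


def normalize(qname: str) -> str:
    """Lower-case the name and strip the trailing dot many DNS logs include."""
    return qname.rstrip(".").lower()


def in_category(qname: str, category: set[str]) -> str | None:
    """Return the category entry covering qname (exact or parent domain), else None."""
    labels = normalize(qname).split(".")
    # Try the full name, then each parent domain: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in category:
            return candidate
    return None


@dataclass
class Verdict:
    client: str
    qname: str
    qtype: str
    action: str           # "block" or "allow"
    matched: str | None   # category entry that triggered the block, if any


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Parse a constructed log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    try:
        ipaddress.ip_address(client)   # drop lines whose client field is not an IP
    except ValueError:
        return None
    return client, qname, qtype


def classify_log(lines: list[str], category: set[str] = CRYPTOMINING_CATEGORY) -> list[Verdict]:
    """Produce one verdict per well-formed log line; malformed lines are skipped."""
    verdicts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        match = in_category(qname, category)
        verdicts.append(Verdict(client, qname, qtype, "block" if match else "allow", match))
    return verdicts


def blocked_per_client(verdicts: list[Verdict]) -> dict[str, int]:
    """Count blocked queries per client, which is where an investigation would start."""
    return dict(Counter(v.client for v in verdicts if v.action == "block"))


# Constructed sample log: one benign query, an exact pool match, a subdomain of a
# pool with a trailing dot, a look-alike that must NOT match, a malformed line,
# and an upper-cased name to show normalization.
SAMPLE_LOG = [
    "2018-03-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2018-03-01T10:00:02Z 10.0.0.5 pool.example-xmr.test A",
    "2018-03-01T10:00:03Z 10.0.0.7 eu1.stratum.example-pool.test. A",
    "2018-03-01T10:00:04Z 10.0.0.7 notpool.example-xmr.test A",
    "2018-03-01T10:00:05Z not-an-ip garbage A",
    "2018-03-01T10:00:06Z 10.0.0.9 COINHIVE-LIKE.EXAMPLE.TEST TXT",
]

if __name__ == "__main__":
    for v in classify_log(SAMPLE_LOG):
        print(f"{v.action:5} {v.client:10} {v.qname}  (matched: {v.matched})")
    print("blocked per client:", blocked_per_client(classify_log(SAMPLE_LOG)))
```

Run as a script it prints a verdict per line and the per-client block counts. The label-by-label walk in `in_category` is what makes the look-alike case safe; a `str.endswith` check on the listed domain would block `notpool.example-xmr.test` as well, which is the kind of false positive that gets a DNS category turned off in production.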
Published with permission from blogs.cisco.com