The Trending Target of Crypto Miners: Your Web Application

At the beginning of every year, the media covering cyber security is hot on predictions for the coming year. Just Google “cyber security predictions” and you’ll see what I’m talking about. Most of you may already know this is an annual ritual in the industry. However, cyber security does not have a monopoly on predictions in the media. Have you heard anything recently about crypto currencies? It too enters the new year with its share of “cryptocurrency predictions”.

Unless you’ve been able to successfully avoid all media outlets on the Internet, I’m sure you’ve heard something about crypto currency. Perhaps you even ventured out and acquired some Ethereum, Ripple, or Monero for yourself. The impressive explosion of crypto currency valuations brought about more than a broader interest, but a rapid mania in this digital asset¹. Do you sense some predictions coming in this post?

Fortunately, this post is not about more predictions for 2018. However, this post is about a trend that has been a bit more noticeable as we’ve kicked off the new year. This trend has to do with both cyber security and crypto currency. It’s no surprise to anyone that where there is money, there will be the need for security. I can’t go on without referencing the well-known quote by Willie Sutton when asked why he robbed banks, “I rob banks because that’s where the money is.

The trend I want to highlight is the use of remote code execution (RCE) exploits in web applications, to mine crypto currency. In this scenario, as a victim, the attacker is not after any digital assets you have, e.g. customer data, credit cards, trade secrets, etc. The attacker is after your computer power. Now, attackers stealing CPU to mine crypto currency isn’t really all that new. However, the recent mania has sparked an incredible amount of interest in profiting in the approximately $568 billion crypto currency market². Also, as may or may not realize, there are over 1400 coins in the market. This compounds the opportunity for profit.

The first incident…

PeopleSoft and WebLogic app servers, as well as cloud systems using WebLogic, hacked and used to net some $226K in digital currency.

Article published: 1/10/2018, Dark Reading.

CVE exploited: CVE-2017–10271, CVE entry created 06/21/2017

The second incident…

Ruby RCE pushing Monero Coinminer

Article published: 1/11/2018, Certego.net.

CVE exploited: CVE-2013–0156, CVE entry created 12/06/2012

The third incident…

Struts and DotNetNuke Server Exploits Used For Cryptocurrency Mining

Article published: 1/19/2018, Trend Micro Blog.

CVE exploited: CVE-2017–5638, CVE entry created 01/29/2017 and CVE-2017–9822, CVE entry created 06/22/2017

Other incidents…

It’s not just web applications being targeted. Malware campaigns have been focusing on crypto currency. One recent example is published by Palo Alto Network’s Research Center.

And of course, this list wouldn’t be complete without the Willie Sutton style heist, “Bitcoin Exchange Hit By Armed Robbers in Thwarted Theft

What’s the take away?

With this recent trend, the attack surface hasn’t expanded or changed in any way. In the three incidents referenced above, the attackers were targeting known vulnerabilities in web applications. What I suggest has expanded is the threat actors and their motivation to target your applications and infrastructure. The number of threat actors you face has expanded because there are individuals with the capability to launch RCE exploits against your web applications that were not previously motivated to do so. But with new motivation to get an instant payoff with low risk, these individuals are now your adversary.

In addition to these new threat actors, if your organization did not view nation-state actors as a high risk, your server compute power is now a target by nation states. The primary example being North Korea as they may be using crypto currency as a source of funding and to skirt around sanctions³.

What should you do?

Hopefully, you are already prepared your applications and infrastructure to defend against this expansion of threat actors. This means you have a vulnerability and patch management process in place. You perform application security reviews to identify and remediate critical vulnerabilities, like RCE. In addition, preparedness means having application and server monitoring in place.

The first layer of monitoring is the application layer, which provides visibility to attack and anomalous traffic. The second layer is monitoring application host resource consumption. In the case of crypto currency mining, are you monitoring for a rapid spike in CPU utilization across all your servers? If the answer is yes, then you are in decent shape to detect a successful attack, if not, you have some work to do.

There is also the question of the risk to your business. After all, if the breach only results in CPU consumption, at least it is not a loss of sensitive data. A few thoughts on this are:

  • If your operate in a cloud environment, and the CPU consumption goes on for a long period of time will you run the risk of an extremely high, and extremely unexpected, bill from your cloud provider.
  • The CPU consumption may cause a miserable experience for your application users. The application may be accessible, but effectively unusable.
  • The attacker may have motives beyond crypto currency mining. For example, they sell access to your servers for other malicious purposes. In addition, it could be difficult to prove they haven’t accessed sensitive data on your systems.

Conclusion

The trend of crypto currency popularity and demand is starting to pick up steam. Crypto currency is here to stay. As a result, the pool of capable threat actors will continue to expand. To defend your applications, infrastructure, and business you need a robust patch management process and monitoring capability. At the beginning of this post, I stated it would not contain more predictions. Well… I thought of one. I can predict that 2018 is going to be a very interesting year, for both cyber security and crypto currency.

  1. To get a sense of the mania just browse headlines, aggregated here https://foomoney.net/crypto. Disclaimer: this is a news aggregation site I publish, which also uses CoinHive to mine in your browser. This is part experimentation, and part me joining the mania. More about Coinhive here.
  2. Market cap as of this writing from https://coinmarketcap.com/.
  3. New Cryptocurrency Mining Malware Has Links to North Korea”, Dark Reading.
https://info.signalsciences.com/book