Original Post from Talos Security
As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it’s safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.
Malicious cryptocurrency mining was the new payload of choice for adversaries and recurring revenue, dislodging the lump-sum payouts of threats like ransomware atop the threat landscape.
But the sudden collapse of the market, after a gradual decline, raises the question about how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn’t seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries have shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we’ve seen recently from some well-known actors who have a history with cryptocurrency mining.
After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it’s likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it’s not going away — at least not yet.
It’s clear, as far as the threat landscape is concerned, 2018 was the year of malicious cryptocurrency mining. Cisco Talos first covered cryptocurrency mining in early 2018, and again at multiple points throughout the year, including a whitepaper discussing the threat and associated coverage. In these attacks, malicious actors inject malware into systems and steal their computing power to “mine” cryptocurrencies. If done on a large scale, this kind of attack could cost enterprises a great deal of energy and resources. And for a personal user, it could significantly slow down their computing power and speed.
At the time, it was clear that actors had started to push quickly into primarily Monero-based cryptocurrency mining as a payload of choice. Since then, we have witnessed one of the most significant shifts in the threat landscape in years — and perhaps ever. Adversaries have gone all in on the idea of the recurring revenue model of cryptocurrency mining instead of the lump-sum gamble that ransomware provided so effectively throughout 2016 and 2017. In ransomware attacks, attackers asked for infected users to pay them a sum of money in exchange for the return of their information. But with miners, the attackers see revenue on a daily basis from their activities.
This mass migration does have its risks, however. Primary among them is the value of the currency being mined. When we first wrote about malicious cryptocurrency mining, an adversary could hope to make about $0.25 per day for a basic home computer. As of the writing of this blog, that value has cratered to a little more than $0.04 per day for that same computer. As you can imagine, this has had an impact on adversaries’ bottom lines. It now takes almost six systems to create the same revenue that one generated previously. Before we get too deep into the potential impact, let’s discuss the size and scope of the role that cryptocurrency mining had on the threat landscape in 2018. One of the most interesting aspects is how widely this shift was adopted across multiple different attack avenues including spam, web and active exploitation.
Spam and the mining effect
One of the best indicators for how a threat is affecting the threat landscape is spam levels. Much of the spam we see on a daily basis is being generated from botnets, and those botnets are undertaking that activity to generate revenue. This is where we have seen some shifts throughout the year of cryptocurrency mining. As you can see, below the amount of overall spam, excluding two extremely high volume campaigns early in 2018, is down.
Late in 2017 and continuing into early in 2018, spam levels were dropping.Since then, they have begun to rise, and are now approaching the levels seen through most of 2017. This is indicative of botnet functionality shifts where some of the systems that had previously been used to send spam may have been altered to instead work on cryptocurrency mining. There have been reports throughout the past year of botnets such as Necurs experimenting with cryptocurrency mining instead of spam generation. However, there are two sides to the spam landscape, and they tell two different stories. One side are those that control the botnets that send spam, the other uses spam as a mechanism to spread their malware.
Adversaries that deliver their malware via spam are a different demographic, and as such, the landscape appears slightly different. Early on in 2018,Talos saw near constant campaigns delivering malicious cryptocurrency miners directly or using a downloader. As the year progressed, and more recently as the price of cryptocurrencies began to waiver, we are seeing adversaries push into different areas, delivering different payloads.
Emotet became one of the big winners as cryptocurrency miners waned. We have seen Emotet continue to be delivered in large numbers when active. Emotet continues to be a highly effective, modular payload that contains several functions, now including ransomware. These types of modular malware frameworks that allow adversaries to deliver varied payloads are going to continue to rise in popularity, as the final payload can depend on a lot of external factors. Today, when looking at the spam landscape, you do periodically see campaigns delivering miners, but they are far less common than they were earlier in 2018.Now, you are more likely to find a RAT or modular threat like Emotet than a miner. Cryptocurrency mining has had a marked impact on the email threat landscape in 2018, but email is just one of the key indicators on the threat landscape. Next, we’ll take a look at web-based attacks.
Web-based attacks continue to be heavily leveraged by attackers to compromise systems around the world. In previous years, exploit kits and malvertising campaigns were used to distribute ransomware and other threats to compromised systems. Since late 2016, there has been a marked decline in global exploit kit activity. Of the campaigns that remained, malicious cryptomining payloads were being distributed commonly via downloaders, rather than some of the other malware that had been historically associated with these campaigns. Along with exploit kits and malvertising, cryptocurrency mining malware was also frequently seen being delivered through fake Flash Player updates. In these attacks, victims are prompted to update their version of Adobe Flash Player, but the malware downloads a payload used to infect systems and mine cryptocurrency for cybercriminals.
Likewise, “in-browser” mining such as CoinHive became popular with many websites using scripts embedded on web pages that cause visitors of the websites to mine cryptocurrency in their web browsers. Cryptocurrency mining became so mainstream in 2018 that some shareware applications were even prompting users to allow them to leverage their systems to mine cryptocurrency as a way to support the application’s developers. Regardless of the methodology, there is too much of an opportunity for adversaries to pass up. Malicious cryptocurrency mining can involve almost no additional communications, and in the case of in-browser or shareware-supported mining, it’s as simple as “some money is better than no money.” As long as there is money to be made, malicious or unauthorized cryptocurrency mining will be part of daily life on the internet. We’ve covered web and email, now let’s now turn our focus to more active measures that adversaries take with direct, active exploitation.
One unique aspect of malicious cryptocurrency mining is that the amount of revenue a compromised system can generate is directly related to the hardware that the system is running. Cisco Talos observed, for at least a year, as adversaries discussed the potential for malicious cryptocurrency mining and then implement those capabilities. Talos has seen countless examples of how active exploitation can play a significant role in malicious cryptocurrency mining.
From Apache Struts to Eternal Blue, Oracle WebLogic, and other widespread remotely exploitable bugs, adversaries have been actively exploiting systems to deliver hordes of miners. In some cases, adversaries added worming functionality — meaning it can self-replicate and affect other machines — to infect large swaths of machines as fast as possible. Regardless of the methodology, servers are a vital target for malicious cryptocurrency mining because of the increased revenue potential. This has mainly remained steady despite the volatility of the value in the currency itself. The fact remains that cryptocurrency mining generates revenue, and once an actor or group of actors has taken the time and cost to retool for a new threat, it’s going to take a lot to move them off of that particular payload. If there were to be a significant global shift in cryptocurrency mining, this would be the place that it would likely be most noticeable. Each area of the threat landscape has been impacted in some way by cryptocurrency mining, but the real-life impacts are where enterprises are most concerned.
For more detail on the progression of these campaigns over the past year, with a specific focus on these active exploitation campaigns, see our accompanying blog here.
One of the best indicators of where we are with a threat is the real-life impact. For this blog, there are two primary areas where that data will be: from the endpoint and the network. Without question, cryptocurrency mining has been the dominant threat on the threat landscape for much, if not all, of 2018. The most common alert we received in 2018 was related to cryptocurrency mining, its delivery, or its propagation by a significant margin. What’s even more interesting is it doesn’t appear to be fading, at least not yet.
When we began looking at the data, the expectation was that the overall amount of cryptocurrency mining activity would be decreasing in recent months, but that wasn’t the case. There has been a small decrease in the amount of cryptocurrency mining activity, but those have been pigeonholed into a couple of areas of the threat landscape. The most substantial decrease has been in the number of malicious spam emails. Earlier on in 2018, we would see campaigns running around the clock delivering cryptocurrency miners. By the end of 2018, that was not the case.Instead, it’s threats like RATs and Emotet that are dominating that particular landscape.
As you can see, there has been some variance in the number of events from week to week over the past six months, but generally, the trend line has held, and the overall volume of alerts has not changed significantly since June 2018.
Let’s start by looking at network-based detections.In this particular circumstance, we are looking specifically at cryptocurrency mining activity on the wire, and not the delivery or propagation of the miners. This is a clean look specifically at actual mining activity instead of the distribution. Notice that if you look at the trend line, levels have increased slightly dating back to June. So despite the fact that we do not see miners being pushed at the same level, specifically in the email space, the overall capabilities remain primarily static. This implies both long-term mining activity and the importance of active exploitation, brute forcing and web-based attacks to the threat landscape, specifically around malicious mining.
The endpoint data held steady for the most part but it does vary more widely from one day to the next. That could be the result of systems being shut down or cleaned at irregular intervals. Regardless, you do not see any significant downward movement, including the last month when the price of cryptocurrencies truly cratered.
Cryptocurrency price crash
The real driving factor behind this potential large-scale shift is the value of cryptocurrency across the board. It reached levels in late 2017 that were not thought possible a mere six months earlier. As that rise continued, extreme interest in cryptocurrencies rose along with it. Quickly, people that had invested thousands of dollars a few years prior were now knocking on the door of being millionaires. This also coincided with the rise of ransomware, since cryptocurrencies are the primary method of payment.
The benefits weren’t restricted to those that adopted the new currency early on. Adversaries and businesses alike found themselves sitting on sizable chunks of digital currency. Bad actors that were accepting bitcoin early on saw its value increase by tenfold, if not more, but there were always murmurs and skepticism around the meteoric rise in value.
Over the past six months, the value of cryptocurrencies had begun to fade, and over the last month-plus, the values have plummeted. At this point, most of the currencies have lost at least 75 percent of their peak values and late investors and adversaries may be paying the price.
Late in 2017, Bitcoin set an all-time high of nearly $20,000, and since then, it’s been a steady decline to a value of less than $4,000, a decline of more than 75 percent from its peak in December 2017.
Monero has followed a similar path, albeit on a smaller scale. Early in 2018, Monero prices hit an all-time high of just above $470 per coin and a steady decline has followed throughout 2018. The value has now cratered to below $55 a coin — an astonishing loss of 86 percent of its value in less than a year as of the time of writing.
Although it’s been a steady decline throughout the past year, the last month has been particularly brutal. Both Bitcoin and Monero have been hemorrhaging value in the past 30 days, and the effects are stark. Bitcoin has lost an improbable 40 percent of its value in the last month, only to be topped by Monero, which lost a staggering 50 percent of its value in the past 30 days.
Despite its recent collapse, it’s evident that cryptocurrency is here to stay and will remain a player on the threat landscape for quite some time. For adversaries using cryptocurrency for payments such as ransomware, it doesn’t have much of an effect, they increase the amount of coin they request to account for the decreased value.
Future of mining
Now that all the data has been discussed the real question remains: What does this mean for the future of mining?
The honest answer is we don’t know, but there is plenty of room to speculate. The first thing to realize is cryptocurrency mining is a large portion of the threat landscape, and it will continue to be, but the question is where. The tooling and methodology required to make the shift for a threat group doing things like active exploitation and brute forcing are going to be exceedingly different from those looking to compromise average users using threats like cryptocurrency mining, RATs and banking trojans, among others. As such, the outlook for their respective landscapes differs significantly.
Those groups that focus on active exploitation and brute forcing are all in on mining, and it will take some additional force to move them off of this payload, mainly because of the resources they’ve already committed. It takes time and effort to shift away from things like distributed denial-of-service and spam botnets to cryptomining. Many of these adversaries took the time and effort to shift away and focus on mining. A decrease in the value of the currency isn’t going to move them off of that.
Additionally, it’s a question of risk and opportunity. Conducting a campaign of malicious cryptocurrency mining is far less likely to draw the attention of a security team or law enforcement when compared to some of the noisier threats like ransomware that requires command and control, victim interaction and continued communications. Malicious mining, on the other hand, allows for somewhat stable revenue generation, despite being a potentially limited earning potential per system. Money is money, and if you are operating at scale and stealing all the resources, it’s primarily profit.
Malicious cryptocurrency mining is a massive part of the threat landscape in 2018 and appears poised to remain a significant player in 2019 and beyond. Despite the recent catastrophic price collapse of these currencies, it is still profitable in many circumstances. That does not mean that the collapse has had no impact —we’ve seen that it has had an impact on the volume of spam.
The data shows that this activity has been steady for the past six months and although there is a potential for a significant shift in the next six months, at least so far, it isn’t in the data. Time will be the true wildcard in how mining lives on. Given time, adversaries may find a more attractive target, but right now, there are not many options that generate reliable income, with minimal risk, and don’t require remote access of compromised systems. This is probably the biggest reason why mining isn’t going anywhere:It’s profitable. And because it’s easy, anyone looking to make money will be drawn to it.
The real question is: What’s next? What are the threats that enterprises should be preparing for today? Modular, flexible malware is likely the path forward as the avenues for monetization continues to change and evolve. Adversaries that are driven by monetary gain stand to generate the most revenue if they profile the end system, much like downloaders can and do today. If you compromise a gaming system or a high-end server a threat like a miner might be ideal. However, if you compromise a high-end laptop located in the U.S., you may decide ransomware is the best avenue, or if it’s part of a corporate domain, just monetizing the access might be preferred. Or when compromising an average computer in a developing country, a simple bot might be best to provide a foothold to propagate an actor’s malicious intentions or attack other systems and computers with an added layer of anonymity.
Regardless, it’s clear why adversaries desire this type of flexibility. As systems get faster and the ways that a compromised system can be monetized continue to grow, modular malware will rise in popularity.
Go to Source