Interview Selects 4.3.20
Ep 11 | 4.3.20

Craig Williams from Cisco Talos on the Panda cryptominer.


Dave Bittner: And joining me once again is Craig Williams. He's the head of Talos outreach at Cisco. Craig, it's always great to have you back. You and your team recently published a blog post - it's "Cryptocurrency miners aren't dead yet: Documenting the voracious but simple 'Panda.'" Take us through - what are you guys tracking here?

Craig Williams: Well, basically, Panda is the name we're giving the actor behind this particular campaign. Now, like a lot of actors we've seen over the last - I don't know - let's call it 18 months, this one's decided that the way that they're going to monetize their malicious behavior is through cryptomining. Now, you know, some people may not be super familiar with cryptomining if they've lived under a rock for the last year... 

Dave Bittner: (Laughter). 

Craig Williams: ...So in the event you've escaped from a cave or some sort of government facility, the reason malware authors turn towards cryptomining is because, unlike ransomware or other profitable means, it's relatively easy to get away with, right? Most people are never going to know if a cryptominer has been installed in their network. 

Dave Bittner: Right. 

Craig Williams: And because there's no damages, law enforcement is not going to put it anywhere near the top of their priority list. I mean, if you think about it - right? - what's the actual damage caused to most networks from cryptomining? Well, it's going to be processor usage, some - I guess you could argue power consumption. 

Dave Bittner: Right. 

Craig Williams: That's really hard to assign a number to. And without that number, law enforcement is really going to turn a blind eye to it. So from an adversary's perspective, cryptomining - basically significantly less risk, no damages, so not really furious victims coming after you, and it's going to be a slow, steady and consistent payout. And because no one knows that they're infected, well, it's going to keep paying out for the foreseeable future. 

Dave Bittner: What are some of the specifics of Panda? What's unique about it? 

Craig Williams: Well, you know, there's not a ton that's unique here. It's another cryptomining malware that basically looks for cryptomining malware so that it can be the only one, which I, of course, always enjoy the bad guys when they close the door after them and kick everybody out. 

Craig Williams: (Laughter). 

Craig Williams: The OPSEC around Panda is not amazing - you know, similar TTPs throughout their campaign, and some of the infrastructure was even reused. But it's important to realize that even though this seems, you know, relatively low sophistication-wise and benign, it is using relatively sophisticated means to spread, right? It's using Mimikatz and things like that. And so it kind of goes back to some of the good, old-fashioned ways to secure your Windows systems. Don't have SMB1 exposed, right? If you don't need it, don't have it on. Definitely don't have it exposed to the internet. And make sure that you're patching, right? I mean, a lot of the issues that it's taking advantage of, you really shouldn't be vulnerable anymore, particularly with modern defensive software. 

Dave Bittner: Now, the fact that you all have named this Panda, is that a little tip of the hat to where you might think it might be originating? 

Craig Williams: We would never do that. That's so silly. 

Dave Bittner: I see. Of course, right. How silly of me to even suggest it. 

Craig Williams: (Laughter). 

Dave Bittner: Let's move on, then. What sort of prevention methods should folks have beyond the basics that you just outlined? I mean, is this an easy one to detect? Or how stealthy is it? 

Craig Williams: Well, you know, in the past, we saw this use open-source frameworks that were really popular in China, of all places. And so it's that kind of software. It's Windows. Basically, if there are known vulnerabilities and public exploits, it's potentially going to be a vector. Combine that with, you know, traditional brute-forcing through things like Mimikatz, and it becomes very effective. And so, you know, I would make sure that people look at what boxes are talking to what, right? You know, potentially one of your boxes shouldn't be logging into all the others as administrator. Hopefully you have NetFlow or some other tool to look at. And make sure you turn on automatic patching, even in your open-source software if it's available. 

Dave Bittner: All right, well, the blog post is titled, "Cryptocurrency miners aren't dead yet: Documenting the voracious but simple 'Panda.'" Craig Williams, thanks for joining us.