Research Saturday 10.6.18
Ep 56 | 10.6.18

Cryptojacking criminal capers continue.

Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Ryan Olson: [00:01:42] So we've seen attacks that involved cryptocurrency mining since basically the beginning of cryptocurrency mining.

Dave Bittner: [00:01:48] That's Ryan Olson. He's the Vice President of Threat Intelligence for Palo Alto Networks' Unit 42. The research we're discussing today is titled "The Rise of the Cryptocurrency Miners." It was originally authored by Josh Grunzweig.

Ryan Olson: [00:02:02] People would try to install a miner - a program that actually performed all the cryptocurrency mining calculations - on somebody else's computer to make use of their CPU power. But they weren't very common until around late last year. Sort of the end of 2017 and the beginning of 2018 are when we started to see this big rise. And it was really pretty well-aligned with the rise of Bitcoin and other cryptocurrency prices at that time. In November of last year, Bitcoin was shooting up close to twenty thousand dollars per coin, and other cryptocurrencies were rising right along with it.

Ryan Olson: [00:02:35] And as those prices rose, we started seeing attackers - who had previously been launching a lot of ransomware attacks, other things that they could use to make money in a large, wide-scale attack - shift to instead installing programs that would mine cryptocurrency. And then we started seeing more of that adoption throughout 2018, and we're still seeing quite a bit of it today. Even though the prices have come down quite a bit from where they were late last year, they're still a lot higher than they were two or three years ago, and it's still very profitable for them to mine cryptocurrency - not necessarily Bitcoin, other coins, especially a big one that's called Monero - mining that rather than launching other kinds of attacks.

Dave Bittner: [00:03:13] So let's, again, you know, just sort of addressing the basics here, when we say that someone is cryptojacking and crypto-mining, what are we talking about?

Ryan Olson: [00:03:21] So, when it comes to the way most cryptocurrencies work, they rely on these things called blockchains. And the way the blockchains operate is it's a distributed ledger, and every time someone wants to transfer some part of the coin to another part of the coin, some calculations have to be performed as this proof-of-work to confirm that this was actually a legitimate transaction. And that's what we call mining.

Ryan Olson: [00:03:42] And the reason we call it mining is, through the process of running all those calculations, there's a reward at the end. The first person who solves that little mathematical problem correctly first, they get some of the cryptocurrency as a reward. So they might get Bitcoin, they might get Monero, just depending on who they're actually mining for.

Ryan Olson: [00:03:59] And because of this, there's huge server farms around the world that are mining all these different kinds of cryptocurrency. And they're using both regular CPUs, like the kind in your computer, as well as specialized hardware to do this as fast as possible because they want to win the race. And what we've seen from an attacker's perspective, is people trying to co-opt your CPU - or your GPU, in some cases - to make use of that processing power to mine coins on their behalf, so that they can get that reward rather than somebody else.

Dave Bittner: [00:04:29] So can you describe to us, what are the range of ways that they would get on my computer or attack my enterprise's system to be able to do this sort of thing?

Ryan Olson: [00:04:38] So there's really two primary ways that we see what I would refer to as illicit crypto-mining - you could call it cryptojacking, but sometimes that gets confused with stealing cryptocurrency from other people - but sort of the illicit process of mining coins. And one is through your browser, and the other one is by hijacking your computer with malware.

Ryan Olson: [00:04:56] So the browser-based ones are relatively straightforward. Someone inserts some JavaScript into a web page, and when you're visiting that web page, in the background - you don't see it visibly - there is cryptocurrency being mined. Your CPU is being used just by your browser to try and mine cryptocurrency.

Ryan Olson: [00:05:13] And this was originally started as a way for people to, you know, make money off of views to their website that didn't require them selling ads. That sort of made sense. You know, you loan a little bit of your CPU power while you're visiting someone's website. If they tell you about it, that's totally OK. They can say, we're not going to show you any ads but, you know, we're going to use a little bit of your CPU time while you're on our page. And if it's done upfront like that, then it's OK.

Ryan Olson: [00:05:37] But we saw a lot of injections of JavaScript into pages, without people's knowledge, that was really just stealing their CPU time. Which means their power, as well as, you know, wear and tear on their computer to generate currency for other people. So, JavaScript crypto-mining, that's one sort of big category that we see.

Ryan Olson: [00:05:54] The other one is what I'd say is executable-based crypto-mining, where the same way that someone would infect your computer with a piece of malware - be it ransomware or a banking Trojan or something else - they use the same techniques, but the eventual payload, the thing that's actually going to do something on your computer, instead just mines cryptocurrency. And it mines it on behalf of the attacker so that they can make money. Those are our two big categories.

Dave Bittner: [00:06:17] Let's dig into some of the research that you did here. You identified a high number of unique samples of cryptocurrency miners. Can you take us through what you found?

Ryan Olson: [00:06:27] Yeah, so Palo Alto Networks operates a very big platform, a security platform, to defend all of our customers. And one component of that collects malicious executable files. When they're passing through our firewalls or they're running on hosts that have our agent installed on them, we can look at them and determine if they're malicious or if they're legitimate files.

Ryan Olson: [00:06:47] And late last year we started seeing an uptick in the ones that were performing these cryptocurrency mining activities. So we started digging into them more closely and trying to understand sort of some stats related to them. How common are they, which currencies are being mined the most, and really how big of an impact is this? And what we found was they were very common. We were starting to see them displace a lot of the ransomware attacks that we've been seeing since, you know, 2013 forward.

Ryan Olson: [00:07:11] And the currency we saw most commonly mined is called Monero. And that's for a few different reasons. Monero has a couple - there's tons of cryptocurrencies out there. Hundreds of them. Only a few of them have, you know, enough popularity that they have a lot of value, but Monero is one of them. And the reason that it has value, people are interested in it, is it has a couple interesting properties.

Ryan Olson: [00:07:31] One is Monero is a closed blockchain which makes it so - with Bitcoin, that has an open blockchain, you can see every single transaction. I can know that one wallet transferred, you know, part of a coin to another wallet. I don't know who owns those wallets necessarily, but if I own one of them and I know who owns the other one I can see all the transactions related to them. Monero is closed, so you can't actually go and see how those transactions operate. They've built it with privacy in mind. That was the goal.

Ryan Olson: [00:07:56] The second thing is that Monero was designed so that the calculations that you have to perform to mine the coins are very hard to build into specialized mining equipment, like an ASIC or special hardware. So instead, Monero is very effective to be mined on the regular, you know, Intel CPU that's inside your laptop.

Ryan Olson: [00:08:15] And because of those two things together you have a currency that's very privacy-focused, so if someone does get coins that were mined illicitly, it's harder for someone to track down who actually owns them. And second, they can actually mine them on CPUs you can infect and actually make good money. That made it by far the most popular cryptocurrency that we're seeing mined today, much more than Bitcoin.

Dave Bittner: [00:08:37] Now, you did some interesting detective work when it comes to digging up some of these Monero statistics, despite it being privacy-based or privacy-focused, I suppose, you were able to still figure some things out.

Ryan Olson: [00:08:51] Yeah. So, first I'd like to say that the researcher behind all this, his name is Josh Grunzweig. He's a member of Unit 42 at Palo Alto Networks, and he did all of this digging and it was fantastic work. And what Josh figured out was - and this is relatively straightforward - but, even though the wallets are secretive, you can't see the transactions from wallet to wallet, the way that the mining system works is that people mine all these computers together into what's called pools. Pools of miners who are all working together.

Ryan Olson: [00:09:19] And the reason for that is if you were to just run a single computer, and you're trying to mine the next block in the blockchain for Monero, the chance of you being successful is extremely low on a single computer, because there's so many other computers that are competing and it's just one system that actually gets the reward, and those rewards only come out every few minutes. So you can spend a lot of time and a lot of power and not get anything.

Ryan Olson: [00:09:42] So instead, people combine together into what we call mining pools. So if you get, let's say, ten thousand computers all together into a mining pool, and you're all working together, and you agree that, based off of the amount of calculations that you performed, you're going to split the reward evenly across your pool, then you can get a much more consistent return.

Ryan Olson: [00:10:01] So what the people who are running these illicit cryptocurrency mining attacks were doing is actually working inside these pools. Which means if you can find information from the pool, you can say, look at the malware and see which pool it's working with, and look at the identification number that's actually coming in the miner - it has to tell the pool, hey I'm this I.D. number, so that it can actually get credit for its mining operations - we can actually find out from the pool how successful each of those miners was.

Ryan Olson: [00:10:29] So we would go and look at all the executables that we saw coming in through our platform, look at the cryptocurrency mining pool they were using, look at the IDs that were being used by those individual miners, and then extract out how much have they actually mined? How much have they made? Which is how we were able to determine the total number of XMR - that's the term that we use for Monero, the Monero coins - were attributed to those miners, and to get basic ideas about the value of those coins as well.

Dave Bittner: [00:10:54] And it's not a small number. Take us through, what were the total XMRs, and what does that add up to in terms of dollars?

Ryan Olson: [00:11:03] Yeah, so, I mean, the price of the cryptocurrencies vary over time. Back when we were first calculating all of this, this was in May, we saw the total value of all the XMR was about $143 million US. This was about eight hundred thousand or so XMR that had been mined at that point, and the value of the currency was around $180. The price is a little bit lower now, but - it's actually about half what it was at that time, because Monero has seen a drop off, along with Bitcoin and some other coins - but no matter what, we're talking about tens of millions of dollars, and if they actually exchanged their Monero at that time for US dollars, then they made that money, and they've got it in another kind of currency which might not have lost as much value.

Dave Bittner: [00:11:45] Now, what is your sense for what kind of margins they might be running at? I mean is this - obviously, it's profitable enough that they're doing it. But do you have any sense there?

Ryan Olson: [00:11:54] We don't know exactly what their costs are. Generally, when we think about cryptocurrency mining margins, we're thinking about, you've got to buy hardware, and then you've got to power that hardware, and cool it, and everything else.

Dave Bittner: [00:12:04] Right.

Ryan Olson: [00:12:04] So that for, you know, mining Bitcoin there's a lot of expense in that. In this case, they are stealing other people's power and their hardware. So they're using somebody else's laptop, somebody else's server, whatever it is that they were able to infect. And because of that, their cost is really more of an opportunity cost of what could I have done with that compromised computer as an alternative to mining Monero?

Ryan Olson: [00:12:29] So, if we think about it as a ransomware attacker, previously they would have held that computer for ransom and said, you know, you need to pay us $500 in Bitcoin or possibly another cryptocurrency, and if you don't, we won't give you your files back. They probably could have got five hundred dollars in a small fraction of the total number of infections. Not everyone pays. Some people have backups. Some people just can't get the currency to pay for whatever reason. So some fraction of that five hundred dollars per system.

Ryan Olson: [00:12:57] So they have to do that calculation of what would my return have been on a host if I could have used it for an alternative purpose, like ransomware, compared to running this miner for a certain amount of time. And that involves, how do I keep my miner on the host as long as possible and keep it stealthy? Because if it only mines for five minutes, you're not going to make very much money. If it mines for a year, that could be a really big payoff for the attacker compared to what they might have made on the same host for ransomware.

Ryan Olson: [00:13:24] And the second thing to consider, when it comes to that ROI calculation compared to the tradeoff, is where is this computer located? And this is something that I think is most advantageous for the cryptominers right now. If you infect a computer with ransomware - and let's say it's, you know, in Bangladesh - you might infect a computer that the person who owns it might not have enough money to pay a ransom. They might not have any data on it that's really worthwhile that they are willing to pay for.

Ryan Olson: [00:13:51] But if you infect it with a cryptominer, it's the same computer. It still runs at the same clock rate as another computer in another place in the world, no matter who owns it and what kind of data is on it. Which means from an indiscriminate attack perspective, sort of just targeting as many systems as possible, you can be really effective with crypto-mining, and you just might not be as effective with ransomware.

Ryan Olson: [00:14:11] With ransomware, you've got to make sure you target the language correctly, you've got to make sure the person is capable of understanding the message of, hey, we're holding your files for ransom. You've got to make sure that they also then have money and are able to pay it up. And all of that has a cost associated with it, either time, or just sort of wasted infections, basically. So some attackers might be starting to choose, hey, if I know that the system that I'm going to infect is in a certain location or a certain type, maybe I install a miner on that, and I'll focus my ransomware efforts in places where people are more likely to pay up.

Dave Bittner: [00:14:45] It seems that the cryptocurrency mining is more of a nuisance problem, rather than the catastrophic problem that ransomware can be.

Ryan Olson: [00:14:55] Absolutely.

Dave Bittner: [00:14:55] If I have the cryptocurrency running on my system, I might not even know, and it's not going to be the bad day that the ransomware attack is going to be. It's not going to attract my attention and I'm not going to call law enforcement.

Ryan Olson: [00:15:06] Yeah. And that decreases the risk of running that attack. If you don't experience - if the victim doesn't experience the impact, or it's not an impact that they can relate to law enforcement and tell them what their actual cost was, it's much less likely that law enforcement's going to be able to go and pursue them, arrest them, put them in jail. And that's one of the big risks of criminal activity.

Ryan Olson: [00:15:26] And if you think about the history of attacks, this isn't really new. Ransomware is really one of the first malware - which is really now sort of an attack class - that is really in your face. Like, shuts your business down, causes you immediate impact. If it was a banking Trojan that was, you know, stealing your credit card number when you logged into a website or when you went to go purchase something, you know, you don't feel that impact right away. You feel that impact shortly after when someone buys something, and maybe you have to get your money returned or maybe you're actually out the money, but it's a different kind of impact.

Ryan Olson: [00:15:56] If you go back even further, to the days of where we saw ransom - or excuse me, adware on a very frequent basis, it's much less common now. You know, that's the same kind of nuisance. It's annoying you. It is more in your face but you're just basically seeing ads, you're getting pop-ups, maybe your computer is sending out spam. It's sort of an impact that's behind the scenes. So I'd say what we're really seeing is sort of a return to the more stealthy attacks, and in this case, one that really has the least impact to the individual victim with a really high payoff still available for the attacker.

Dave Bittner: [00:16:25] Now, what are you all seeing in terms of the trend lines on this? Is it business as usual for these folks? Are they increasing, or have people been able to effectively keep them out of their systems?

Ryan Olson: [00:16:36] You know, it's not that hard to keep these miners out of your system. So if you think how it's being delivered - and I didn't really talk about that before, but the malware-based ones, the ones that are an executable running on your system - they're really being installed through the exact same means as ransomware and previous attacks, mostly through an email that you receive. That email typically has an attachment. The attachment might be an executable or it could be a Word document which then runs an executable. But it's the same delivery mechanism that we would see for all these other threats. So, from a security perspective, the things that you were doing to prevent a ransomware infection or a banking Trojan infection are very similar to what you would do to prevent a crypto-mining infiltration into your network.

Ryan Olson: [00:17:18] But we are still seeing it happen, and we're seeing the attackers sort of get more creative as well. Something that we looked into earlier this year were attacks against Cloud-based systems, where an organization has access to Cloud-based systems where they can spin up a virtual machine and run it for a period of time, and they just pay per minute or per hour for their CPU time. Attackers had accessed their API keys to be able to spin up these machines and to do so just to run cryptocurrency miners on them, which can be really effective, and it could lead to a really big bill for the person whose API key was stolen. But for the attacker, they get some really powerful virtual machines that can run for a little while and generate some possible currency for them.

Ryan Olson: [00:17:58] And in those cases, that's a much more specialized attack. That's not just the general sort of indiscriminate attacks that we normally see installing ransomware and now these other cryptominers. That's much more targeted at a specific organization where you know they've got that capacity available through whoever their public cloud provider is.

Dave Bittner: [00:18:15] Do you suppose we might see some policy moves to try to address this? I mean, you know, this money is going to Monero. Do you think we might see governments around the world say, hey, we appreciate this level of privacy here, but knock it off?

Ryan Olson: [00:18:30] You know, policies around cryptocurrencies, in general, have been in flux since the original implementation and introduction of Bitcoin. Different governments have tried to close them off. Some have done that successfully or at least somewhat successfully. But it's really hard to put these genies back in any kind of bottle. Because the systems are distributed, it's much harder to sort of cut them off. There isn't a central authority that you can go to and just say, hey, you need to really quit doing this. They have to take other actions to stop the people who are using it in their country from doing certain things, potentially making transactions or something else illegal.

Ryan Olson: [00:19:06] So I wouldn't expect to see a single currency like Monero targeted right away. But I can certainly see some attempts at policy changes that might make it harder for legitimate users who are trying to use these currencies, much more than for the criminals, who are generally not going to pay attention to the law anyway. Just because it's illegal - they wouldn't be doing this anyway if they were concerned about the fact that it was illegal in the first place.

Dave Bittner: [00:19:29] No, that's a really good point. Good insight.

Ryan Olson: [00:19:32] So two more things I'll just say on preventing your organization from being impacted by illicit cryptocurrency mining. So, generally the way that people find out about the fact that they have a miner on their computer is that their CPU is running really high. You know, their fans are on a lot more commonly, or their computer just feels sluggish. And I would say to anyone who is, you know, experiencing that - it might feel normal, but it might be worth checking to see, do you have a tab open that's on a web page which is using a lot of CPU time? Maybe just close your browser and see if that goes away, and run an antivirus scan to see if your system is infected. Those are things that you might want to do just because you're experiencing that high CPU time.

Ryan Olson: [00:20:12] And the other thing that especially enterprises can do is, if you don't want people mining currency inside your network, you should block the pools. So the way that the pooling system works for these miners is you have to access certain resources, certain domains, certain URLs for those pools. Blocking access to those is a great way to sort of cut off access to those hosts inside your network, which would prevent the miners from operating. You might still get an infection, but they won't use the same CPU time because they won't actually be able to report the fact that they are doing these calculations.

Dave Bittner: [00:20:44] One thing I've heard is that the miners have been evolving their code over time, for example, to perhaps not use a hundred percent of your CPU activity, to try to not have those fans spin up all the time and try to stay below the radar a little bit.

Ryan Olson: [00:21:00] Yeah, we've seen that in a couple cases. So we've seen some miners that are configured to use a much smaller portion of your CPU - maybe 40 percent - which won't push you up to that level of, hey, let's overheat and kick on our fans. And we've also seen miners that will look for a system that's not in heavy use right now. So it'll wait until maybe your screensaver kicks on, or maybe the mouse hasn't moved for a little while. And when that's happening, that's when they mine, and when it comes back to an active state where they know a person is using the computer, shut the miner off so that they're not found. Because an infection of a cryptocurrency miner that lasts for a year is much more valuable than one that gets found out in five minutes and gets shut off because you were a little too greedy.

Dave Bittner: [00:21:42] Our thanks to Ryan Olson from Palo Alto Networks' Unit 42 for once again joining us. The research is titled "The Rise of the Cryptocurrency Miners." We'll have a link for the show notes. You can also find it on the Unit 42 blog.

Dave Bittner: [00:21:56] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.

Dave Bittner: [00:22:04] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:22:12] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.