One in five companies has already been hit by cryptocurrency mining malware

One in five organisations were hit by cryptomining malware in December, according to new figures that come in the wake of a crackdown by Japanese regulators after the $655m cryptocurrency theft from crypto exchange Coincheck.

That massive theft proved to be a key test of Japan’s fledgling cryptocurrency regulatory scheme, which was implemented last year to impose assurance on a market that has struggled with widespread fears of a bubble bursting.

Hackers’ focus on cryptocurrencies is “inevitable”, Gemalto CTO for data protection Joe Pindar said in a statement. “Yet, despite this increased attention, organisations dealing with cryptocurrencies are not adhering to the same measures that are applied in the finance and banking sectors….Had there been stricter security protocols in place on the “hot wallets”, through the implementation of authentication and access security controls such as two-factor authentication and the storing of encryption keys in hardware, this theft could have been prevented.”

With many companies still far from introducing such controls pervasively, malicious operators have been exploiting systemic weaknesses to reap their own rewards. For example, Proofpoint this week warned that Tor proxy has been flagged for diverting LockeR ransomware Bitcoin payments to its own wallets.

Cybercriminals’ growing interest in cryptocurrency, the lengths they will go to in order to mine it – and the fact that cryptocurrency’s design makes it harder to mine the more popular it becomes – have fuelled massive growth in cryptocurrency mining malware and bolstered the mandate for enterprises to formally address such exposures within their formal security plans.

Noting the use of novel payload delivery methods and lateral infection techniques, Check Point Software Technologies warned that 20.5 percent of the organisations it monitors had been hit by crypto-mining malware.

This malware has long leveraged widely available exploit kits or borrowed from other malware for drive-by infection of as many users as possible, although improving detection rates had seen declining use of exploit kits as many malicious actors shift to Web-based services that can load cryptocurrency mining malware through Web-based advertisements or infected Web sites.

“High-quality scam operations are adopted by serious attackers in order to carry out massive rather than minor targeted attacks, spreading unsophisticated malware,” the firm’s security analysis team pointed out in its latest half-yearly Global Threat Intelligence Trends Report.

Enterprises faced growing risk from increasing use of lateral infection techniques that proved to be seriously problematic in the case of last year’s WannaCry, NotPetya and BadRabbit malware – and were tweaked in IoT botnets such as IoTroop and Satori.

Read more: Social Engineering is the new norm in hacking

“A great advantage of infection via lateral movement is the ability of this technique to influence an entire organisation, via a single entry point,” the report noted. “In this way, unpatched or unprotected systems can be taken down in no time, leaving an entire organisation paralysed.”

A number of malware families were dominating the infection landscape on corporate networks, with Check Point statistics suggesting that the CoinHive cryptominer was the second most-common malware – infecting 8.3 percent of corporate networks, just ahead of Locky ransomware’s 7.9 percent but well behind Roughted, a malvertising platform that was identified on 15.3 percent of corporate networks.

Roughted was even more prevalent – on 16.8 percent of networks – but Coinhive was slightly less prevalent (6.7 percent), well behind Andromeda (15.9 percent of computers), Locky (10.7 percent), and others.

The rapid growth of CoinHive, which taps victims’ computing resources to mine Monero cryptocurrency, is likely due to many sites integrating CoinHive JavaScript as a replacement for online advertisements in a move that, Check Point noted, may be seen by operators as a misplaced effort to improve the user experience.

“Its classification as malware is subjective,” the report notes, “as while most websites use it without their users’ knowledge or consent, some might use it with full agreement by their users.”

Regardless of their methods, the new figures confirm that cryptocurrency mining is an exploding focus for cybercriminals – and that IT decision makers and employees need to work together to rein in its growth.

Warning that citizens need to treat their cryptocurrencies with the care they would give to real negotiable instruments, Carbon Black security strategist Rick McElroy advised users to make sure they have a ‘cold wallet’ backup of their money.

“When it comes to crypto currencies,” he said in a statement, “trust no one. Leaving your crypto currency in a hot wallet is a great way to lose all of it. You should ensure you have a cold wallet (in a simple sense, you could do this with a USB stick) with at least one backup. This is your money. Get a safe to put the cold wallet in. The power is in the hands of you as the consumer to take the necessary steps to protect your currencies."

Tags crypto-currency miningWannaCryNotPetya

Show Comments