AN IT MANAGER’S GUIDE: CRYPTOJACKING, THE THREAT TO BUSINESS AND HOW TO PROTECT THE NETWORK

Why awareness, security best practice and the latest hardware are key to keeping the jackers at bay



HP DaaS guide

What is cryptojacking?

Cryptojacking is a form of cyberattack in which a hacker hijacks a target’s processing power in order to mine cryptocurrency. Anyone who mines successfully receives cryptocurrency as a reward. The current reward is 12.5 bitcoins, which has an approximate value of $100,000 and can be used to buy flights and hotels through Expedia and games and apps through Microsoft, download music and even buy gold.

Not everyone who tries to mine cryptocurrency will actually get this reward, however, because not everyone can successfully mine bitcoin. Mining is essentially verifying bitcoin transactions, such as a bitcoin trade or where someone has used bitcoin to purchase a product or service. Every transaction needs verifying and writing to the blockchain. How this is achieved is complex but in simple terms, it’s a guessing game.

Mining software ‘reads’ the transaction on the network and then guesses the number required to write it to the block. A multitude of cryptominers will be trying to achieve this at the same time. The more computing power, memory and storage you have, the more likely you are to succeed. This need for computing power can be expensive, but by infecting popular web sites and computers, hackers can essentially bypass this problem and mine cryptocurrency for free. The effects of this can range from minor nuisances, such as a slower internet browsing experience, to grinding networks to a halt.

While Bitcoin took a bit of a beating in August 2018, it did little to dampen interest in the obviously volatile cryptocurrency market. Bitcoin lost 20 percent of its value in just two weeks in August, according to some reports [1], and yet there appears to be substantial optimism in the currency. According to one report, there were 96 new crypto hedge funds launched in the first seven months of 2018 [2], and when the Turkish Lira plummeted 20 percent in August 2018, there was a surge in Bitcoin trading [3]. Cryptocurrency is clearly here to stay and while that may whet the appetite of brave investors, it’s also a magnet for crime.

Unsurprisingly perhaps, hackers are targeting cryptocurrency exchanges [4], but what many businesses and individuals may not realize is that there is serious money to be made in actually performing admin functions for the currencies themselves. Called cryptomining, it can be big business. Some reports have suggested that profits from mining have hit over $4 billion between 2017 and 2018 [5]. It is an industry in itself that has spawned a range of applications [6] dedicated to the process.


Essentially this means pretty much anyone can do it and get rewarded with cryptocurrency for their efforts. For serious money making, it’s a volume game but that would demand considerable resources too. You need computing power and that comes at a cost and then there is the electricity. If you are running servers 24/7 those bills are going to be big.

“Computing power is expensive and also uses a lot of electricity which in turn ends up costing a miner a chunk of their profits, so how can an attacker make money and not have to pay any fees?” asked Alex Archondakis, a member of the BCS Internet Specialist Group [7]. “The answer is cryptojacking, which involves embedding malware into popular sites that get thousands of visitors per day. The infected computers of those browsing the sites will silently mine cryptocurrencies without the user’s knowledge and deposit the earnings into the attacker-controlled, anonymous wallet. No costs for hardware, no costs for electricity and the malware can often go undetected for long periods of time.”

In April 2018 the UK’s National Cyber Security Centre reported that cryptojacking is one of the biggest cyber threats facing businesses today [8]. Just a few weeks earlier, the UK’s Information Commissioner’s Office (ICO), Manchester City Council, the US Government Courts website and some UK NHS sites were all hit with a compromised version of the Texthelp plugin Browsealoud. Reports revealed that the plugin was actually injecting Coinhive’s cryptominer onto the sites, using JavaScript code to steal computing power for creating the cryptocurrency Monero [9].

It’s far from an isolated incident. In May 2018, a study by The Conversation in the US found 212 websites involved in cryptojacking [10]. Ads, it seems, are the most common point of entry. According to Trend Micro, the company saw a 108 percent increase in unique web miner detections from March 24 to 25 (2018) – “a significant jump that showed the effectiveness of the compromised advertising platform,” it said [11].

And the boom shows no signs of slowing down. Cryptomining malware soared by 4000% in 2018, McAfee found [12], while Symantec reported having blocked almost 5 million coin mining events in July 2018 alone [13].

It’s not just websites that are being hacked either. There are instances of more intrusive mining. “Cryptojacking is a rising threat to cyber and personal security,” said Mike Fey, president and COO, Symantec, in a statement [14] in March 2018. “The massive profit incentive puts people, devices and organizations at risk of unauthorized coin miners siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers.”

Fey was alluding to the growing trend of hijacking cloud-based networks in particular and he has a point. In February 2018, hackers used Tesla’s public cloud network to mine cryptocurrency [15] and in March 2018, GitHub was used to host cryptocurrency mining malware [16]. In fact, 25 percent of organizations have experienced cryptojacking activity within their cloud environments in 2018, according to a recent RedLock report [17].

4,000% increase in cryptomining malware in 2018 [12]

25% of organizations have experienced cryptojacking activity within their cloud environments in 2018 [17]


What is the risk to business?

There are some fundamental risks to cryptojacking. Think of it in the same terms as botnets. For one, it forces victims to waste energy. Digiconomist reports that the electricity consumed for a single bitcoin transaction could power 15 US households for a day [18]. If you multiply this by the number of machines in a business or a data center, you can start to get an idea of how much energy is being used and how much this could cost a business in electricity alone. In fact, according to research at PwC, bitcoin miners consumed as much energy in 2018 as Hungary [19].

There is also the additional issue of network performance impairment. Cryptojacking is basically stealing your processing power, leading to spikes in load. Inevitably, this means that everything else on the network will run slowly or not at all. For most businesses, this is a disastrous scenario.

As Mursch pointed out in his blog, “cybercriminals look to enslave as many devices as possible to maximize their profits. This is why you need operational awareness on how your resources are being consumed.” [20]

According to Fabian Libeau, EMEA VP at RiskIQ, “it’s the soft underbelly, the forgotten assets that attackers are looking for,” he said in a report in July 2018. “We found a global bank with two or three [obscure] servers in the Netherlands that nobody really looked into, but they were mining in the background.” [21]

This indicates that cryptojacking is in fact highlighting site and network vulnerabilities to other attacks. Libeau went on to say that it’s a privacy issue but also shows a lack of visibility of business networks and resources.

“There’s a whole bunch of stuff that people internally never see because it’s not sitting on the site, it’s called dynamically from third-party servers,” he said. “The world looks like a different place when we take the attacker’s point of view and look in from the outside.”

“Cybercriminals look to enslave as many devices as possible to maximize their profits”
Troy Mursch, Security researcher [20]

$4bn in profits from mining between 2017 and 2018 [5]


What can companies do about it?

Awareness of the issue is essential. As with most security threats, an understanding of how it operates will help determine next steps. Here we have outlined seven key actions to help prevent cryptojackers taking over your network.

Implement the basics – keep software up to date with the latest operating system and hardware patches. Keep security applications up to date and measure usage across the organization. It’s about prevention as much as detection.

Make training a priority – add cryptojacking to security awareness training and policies – this should help with ensuring any bring your own device (BYOD) policies do not lead to intentional or inadvertent ‘infection’ of the company network resources. Awareness is everything.

Use an adblocker – the NCSC recommends using an adblocker, or anti-virus program with the capacity to block browser mining [22]. Adblockers offer the most accessible and cost-effective solutions to businesses. Users of ad blockers can also employ features to block cryptomining scripts that reside on certain websites (and aren’t embedded in ads).

Block destructive domains – insider threats are a potential problem, particularly given the ability to make money. Security researcher Troy Mursch recommends “blocking known domains and IP addresses tied to illicit cryptomining. A frequently updated list of these domains is available via the open source CoinBlockerLists.” [23]

Manage your devices – ensure the business has the latest devices with up-to-date software and state-of-the-art device-level protection. This can include hardware-enforced self-healing, fingerprint readers, features that only allow the viewer to read the screen and fully containerized browsing. Asset management is essential to keep track of the complete hardware inventory.

Assess third-party code – “Make a risk-based decision on including third-party JavaScript in your site,” says the NCSC [22]. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.

Host JavaScript locally – the NCSC also says if it’s practical to do so, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.
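The script below is an added example, not part of the HP guide or the NCSC advice. It shows one way to check the "assess third-party code", "host JavaScript locally" and "block domains" actions on a page you manage: it lists every script the page loads, marks each as local or third-party, and flags hosts that appear on a blocklist. The function names, the blocklist format handled (plain domains or hosts-file lines) and all `.example` hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (not real indicators).
SAMPLE_BLOCKLIST = """\
# hosts-file style and plain-domain style entries
0.0.0.0 miner.example
pool.example
"""
SAMPLE_HTML = """\
<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.vendor.example/reader.js"></script>
<script src="https://ws01.miner.example/lib.min.js"></script>
<script>console.log("inline");</script>
</head></html>
"""

def parse_blocklist(text):
    """Return a set of domains from plain or hosts-file formatted lines."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            # last field is the domain in both formats
            domains.add(line.split()[-1].lower().rstrip("."))
    return domains

def is_blocked(host, blocklist):
    """True if the host or any of its parent domains is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_scripts(page_url, html, blocklist):
    """Classify each external script as 'local', 'third-party' or 'blocked'."""
    site_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)      # resolves /path and //host/path
        host = urlsplit(absolute).hostname
        if host is None or host == site_host:
            status = "local"
        elif is_blocked(host, blocklist):
            status = "blocked"
        else:
            status = "third-party"
        findings.append((absolute, status))
    return findings

if __name__ == "__main__":
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    for url, status in audit_scripts("https://www.site.example/index.html",
                                     SAMPLE_HTML, blocklist):
        print(f"{status:12} {url}")
```

Scripts reported as third-party are the ones to weigh for local hosting; a blocked result means a listed host is already being loaded by the page.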


For most people, just browsing away from infected websites may be enough to stop the cryptojacking process but IT managers need to be aware of all the possibilities. We are still at the start of the curve on this, and as the reports have all suggested, cryptojacking is a growing problem.

Staying one step ahead will always be a better policy than reacting to infection. Proactive measures across all security threats are increasingly essential and cryptojacking is no different. This is not going to go away either. As long as there are significant rewards for mining cryptocurrency, the hackers will find clever ways to get around the security measures. If IT managers and users recognize the tell-tale signs, at least the problem is less likely to go undetected.

As more business networks shift towards the cloud, cryptojacking could become an even greater threat to network and device stability. It’s essential that IT managers act now to put measures in place to secure devices and educate organizations of the growing threat.

As Stan Gibson, technical writer at security firm Symantec, pointed out in a blog, cryptojacking is here to stay. “Annoyance or Crime? It’s both but either way, don’t expect the phenomenon to disappear quietly into the night.” [24]

“IT managers need to use intelligent technology to help proactively defend devices and networks against cryptojacking. The threat, after all, will not stand still. On-going analytics and expertise is required to stay one step ahead of the threat or to stamp it out quickly should it somehow sneak through.”
Michael Calce, CEO, Optimal Secure, aka “Mafiaboy”

Managing your devices can help deter jackers

HP Device as a Service (DaaS) delivers a modern service model that simplifies how organizations source, support, and manage IT with insightful analytics and reports from HP TechPulse. With DaaS, HP partners with customers to increase user productivity, operational efficiency, and cost predictability.

The model is transformative in nature, enabling increased and centralized security that’s much easier to keep up to date. As regulations change or threats increase, devices can be easily kept current with patch management, to meet requirements.

While helping to manage volatility and fast-changing business needs, HP Proactive Security Service enhances secure management capabilities with real-time malware protection through isolation technology, security and threat analytics and specialized expertise. With support from Service Experts, security positions are strengthened, and attacks are anticipated – preventing a negative impact on business.* **

Plus, HP Service Experts can enforce security policies for your Windows, Android or Apple devices. With HP TechPulse, Service Experts can implement these policies and help protect data if devices are lost or stolen, as well as getting a holistic view of device protection status and detailed findings on attempted and blocked attacks. For further device protection, consider HP Elite products, the world’s most secure and manageable PCs.***

It’s about being proactive to identify and mitigate issues, optimizing and securing your multi-OS devices before they are subjected to threats.


*System requirements for HP DaaS Proactive Security are: multi-vendor client devices running Windows 10 1703 or later with a minimum of 8 GB memory and 6 GB of free hard disk space to install the software client. HP DaaS Proactive Security requires HP TechPulse, which is included in any HP DaaS or HP DaaS Proactive Management plan. The HP DaaS Proactive Security Enhanced plan requires customers to be enrolled in an Enhanced or Premium HP DaaS or HP DaaS Proactive Management plan.

**HP Sure Click Advanced technology is included with HP DaaS Proactive Security and requires Windows 10. Microsoft Internet Explorer, Google Chrome™, and Chromium™ are supported. Supported attachments include Microsoft Office (Word, Excel, PowerPoint) and PDF files, when Microsoft Office or Adobe® Acrobat are installed.

***Based on HP’s unique and comprehensive security capabilities at no additional cost and HP Manageability Integration Kit’s management of every aspect of a PC including hardware, BIOS and software management using Microsoft System Center Configuration Manager among vendors with >1M unit annual sales as of November 2016 on HP Elite PCs with 7th Gen and higher Intel® Core® Processors, Intel® integrated graphics, and Intel® WLAN, and on HP Workstations with 7th Gen and higher Intel® Core™ Processors as of January 2017.

Sources

[1] Business Insider, August 2018: The crypto market has lost 20% of its value in 2 weeks and bitcoin is still dropping
[2] CryptoBriefing, August 2018: ‘Massive’ Growth In Crypto Funds Shows Long-Term Optimism
[3] Forbes, August 2018: Bitcoin Investors Eye Turkey As Lira Plummets 20%
[4] Financial Times, July 2018: Hackers target new cryptocurrency investors
[5] Coin Telegraph, June 2018: Top Five Biggest Crypto Mining Areas: Which Farms Are Pushing Forward the New Gold Rush?
[6] Tech Radar, July 2018: The best mining software in 2018
[7] British Computer Society, March 2018: What is CryptoJacking?
[8] UK National Cyber Security Centre, April 2018: The cyber threat to UK business 2017-2018 report
[9] The Register, February 2018: UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned
[10] Scientific American, May 2018: Cryptojacking Spreads across the Web
[11] Trend Micro, April 2018: Cryptocurrency Web Miner Script Injected into AOL Advertising Platform
[12] McAfee, December 2018: McAfee Labs Threats Report
[13] Symantec, September 2018: Cryptojacking: A Modern Cash Cow
[14] Symantec, March 2018: Cryptojacking Skyrockets to the Top of the Attacker Toolkit, Signaling Massive Threat to Cyber and Personal Security
[15] Wired, February 2018: Hack Brief: Hackers Enlisted Tesla’s Public Cloud to Mine Cryptocurrency
[16] Avast blog, March 2018: Greedy cybercriminals host malware on GitHub
[17] RedLock, May 2018: Cloud Security Trends - Anniversary Edition - May 2018
[18] Digiconomist, May 2019: Bitcoin Energy Consumption Index
[19] News BTC, March 2019: Bitcoin’s Energy Consumption Equalled That of Hungary in 2018
[20] Paessler blog, March 2018: How Cryptojacking Impacts You, and What You Can Do About It
[21] Computing, July 2018: Cryptojacking: cyber-scourge or legitimate business model for the ad-block age?
[22] UK National Cyber Security Centre, February 2018: NCSC advice: Malicious software used to illegally mine cryptocurrency
[23] Github, March 2018: Coin blocker lists
[24] Symantec, July 2018: Cryptojacking: It’s Here, Get Used to It

HP DaaS plans and/or included components may vary by region or by Authorized HP DaaS Service Partner. Please contact your local HP Representative or Authorized DaaS Partner for specific details in your location. HP services are governed by the applicable HP terms and conditions of service provided or indicated to Customer at the time of purchase. Customer may have additional statutory rights according to applicable local laws, and such rights are not in any way affected by the HP terms and conditions of service or the HP Limited Warranty provided with your HP Product. HP Services are governed by the applicable HP terms and conditions of service provided or indicated to the Customer at the time of purchase. The Customer may have additional statutory rights according to applicable local laws, and such rights are not in any way affected by the HP terms and conditions of service or the HP Limited Warranty provided with an HP product. © Copyright 2018 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Bluetooth is a trademark owned by its proprietor and used by Hewlett Packard Enterprise under license.

4AA7-3873ENW, June 2019