According to ESET, attackers were able to infect strangers’ computers with cryptocurrency mining malware by exploiting a known vulnerability code-named “CVE-2017-7269” in Windows Server 2003 – a server operating system released by Microsoft in 2003.
This particular cryptocurrency mining malware was seen in the wild on May 26, 2017. “Since then, it has been appearing in waves, on a weekly or less frequent basis, which implies that the attacker scans the internet for vulnerable machines,” ESET said.
The attackers were able to earn such significant amount in just 3 months by creating a botnet – a network of several hundred of unpatched computers infected with the crypto mining malware and remotely controlled by cyber criminals to mine the cryptocurrency Monero.
Microsoft ended its regular update support for Windows Server 2003 in July 2015. Since May 12 of this year, to prevent another cyber attack – the scale of WannaCry ransomware, the company has since released security updates for Windows Server 2003. On June 13, 2017, Microsoft issued a patch or security update to fix the CVE-2017-7269 vulnerability.
What is Cryptocurrency Mining?
Cyber criminals have turned to Monero as this cryptocurrency markets itself as an anonymous and untraceable cryptocurrency. Aside from anonymity, cyber criminals turned to Monero as this cryptocurrency can be mined using ordinary CPUs, unlike Bitcoin which requires a specialized hardware.
“Cryptocurrencies are created (and secured) through cryptographic algorithms that are maintained and confirmed in a process called mining, where a network of computers or specialized hardware such as application-specific integrated circuits (ASICs) process and validate the transactions,” Trend Micro describes cryptocurrency mining. “The process incentivizes the miners who run the network with the cryptocurrency.”
The actual process of cryptocurrency mining is legal. One just needs to use one’s own computer. One can use another computer to mine cryptocurrency, provided that the computer owner consents that his or her computer will be used for mining cryptocurrency.
Illicit Cryptocurrency Mining
According to Kaspersky Lab, in 2013, its products were able to deter 205,000 cryptocurrency mining malware infections; 701,000 infections in 2014; and in the first eight months of 2017, a total of 1.65 million infections.
According to IBM, unauthorized embedding of cryptocurrency mining tools grew sixfold in the eight-month period between January and August 2017.
In 2014, Harvard’s supercomputer cluster called “Odyssey” was used to illegally mine Dogecoins, another digital currency. Also, in 2014, the National Science Foundation (NSF), a US government-backed organization, revealed that NSF-funded computers were used to illegally mine Bitcoins. In February of this year, one of the US Federal Reserve’s servers was used to illegally mine Bitcoins.
Crypto mining malware is propagated or spread by exploiting the vulnerabilities of unpatched Microsoft operating system, as reported by ESET. Kaspersky Lab, for its part, observed the spread of this malware via adware installers that are spread using social engineering. Other attack methods include:
- Command injection (including SQL injection)
- Brute-force and default password logins/attacks
- Cross-site scripting
- Command buffer overflow exploits
- Hypertext preprocessor (PHP) arbitrary code injection
“Virtually any attack vector that involves injecting executable code could turn a targeted system into a virtual coin miner for the attacker,” IBM said.
In 2014, advertisements on Yahoo’s homepage were infected with malware aimed at mining Bitcoins.
The following are this year’s notable cryptocurrency mining malware, in addition to the one reported by ESET:
This malware exploited EternalBlue, the same security flaw that WannaCry ransomware exploited.
This malware exploited the security flaw in the interoperability software suite Samba.
This malware, a Linux Trojan, targets Raspberry Pi devices.
All these malware infected devices and machines and turned them into Monero-mining botnets. Aside from Monero, another cryptocurrency Zcash is also being used by cyber criminals in concealed crypto mining for its anonymity promise.
Dangers of Crypto Mining Malware
Crypto mining malware’s ill-effects go beyond the performance and power cost. It could also trigger web and network-based attacks.
“These malware can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations,” Trend Micro said. “Information theft and system hijacking are also daunting repercussions. These attacks can also be the conduit from which additional malware are delivered.”
How to Prevent Cryptocurrency Mining Malware Intrusion
Here are some of the ways to prevent cryptocurrency mining malware intrusion:
1. Keep all software up-to-date
Timely apply patches or security updates. A timely security update, for instance, of Windows Server 2003 could have prevented the cryptocurrency mining malware as reported by ESET.
2. Change default login and password
Over the first three quarters of 2016, Trend Micro reported, that it detected a Bitcoin-mining zombie army from home routers and IP cameras. These IoT devices were compromised for the simple reason that owners didn’t change the default login and password.
3. Enable the firewall of IoT devices (home routers, IP cameras)
4. Take precaution against unsolicited emails, links, attachments or files from websites, questionable third-party software or applications
5. Build a cyber security-conscious staff through education and role-based training