Darktrace Blog

Perspectives on cyber defense

Cryptocurrencies and the future of cyber defense

Max Heinemeyer, Director of Threat Hunting | Tuesday February 13, 2018

Prelude

The last 12 months have shown tremendous volatility in the value of cryptocurrencies, of which Bitcoin is the most prominent example. At the start of 2017, Bitcoin lingered around the $2,000 mark before suddenly taking off, climbing to historic highs of close to $20,000 in December 2017. Demand has since subsided, and at the time of writing, the price of Bitcoin is near to $10,772.

While Bitcoin is the most popular cryptocurrency, numerous alternatives, often called ‘altcoins’ have emerged and grown in value in the last 12 months. For example, Dogecoin, originally created to be a spoof cryptocurrency after a widespread internet meme, reached a notable market capitalization milestone of $2bn in January 2018 .

Nowadays it is almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones or desktop computers. At this late state, it just takes too long to perform the relevant calculations, and the cost of electricity is higher than the anticipated revenue in most cases. Other altcoins such as Monero use different algorithms, making them viable alternatives for aspiring crypto miners. It is often still feasible to mine altcoins on commodity hardware and see a return on investment.

The value of most altcoins is closely tied to the value of Bitcoin and, in many cases, the relationship is broadly proportional – a rise in Bitcoin prompting a similar lift in the altcoins. Monero, which has been rapidly adopted by Darknet markets , has profited from this effect. While Monero was valued at around $10 in January 2017, its price has been pumped up to $419 a year later.

There is much that is still not clear about the cryptocurrency phenomenon. Debate as to its relative value and its status as a currency rages, and will not be resolved any time soon. However, from a cyber security perspective there can be no doubt that the combination of altcoins being mineable on commodity hardware, the fact that mining is now becoming profitable as a side-effect of Bitcoin’s rise, and a maturity in cryptocurrency-related tech has led to a surge in cryptocurrency-related attacks.

Attack vectors

Darktrace has observed an abrupt increase of cryptocurrency-related attacks over the last 12 months. Both the frequency and the diversity of these attacks has grown significantly and largely mirrors the remarkable rise in the value of Bitcoin over that period.

Previously, cyber-criminals monetized their operations via banking Trojans/credit card fraud, selling stolen data and ransomware on the Darknet. However, criminals are notoriously adaptable and will follow the money wherever it leads, leading to an increase in cryptojacking’s popularity.

Cryptocurrency mining might not be as profitable as ransomware is upfront, but it can be secretly pursued for months without creating the havoc that characterizes ransomware attacks. Most users and security products might not notice a cryptocurrency miner being installed on a corporate device as it does not show obvious threats or messages to a user, except for an occasional increase in CPU or RAM usage.

Identifying these attacks can be very difficult for traditional security tools as they were not originally designed to catch this type of threat. Nor was Darktrace, but its approach – which relies on its evolving understanding of patterns of behavior – means that it can detect such attacks without having to know what to look for in advance.

Darktrace has detected a number of different attack vectors related to cryptocurrency attacks.

  1. Nefarious use of corporate resources
    Darktrace has detected a range of incidents where employees were intentionally installing cryptocurrency mining software on their corporate devices to mine for personal gain. These employees do not have to pay for the electricity used to run the corporate device in the office – they are basically turning their employer’s electricity into cash by commandeering it for mining operations.

    This is commonly seen as a compliance breach and increases the attack surface of a device that has mining software installed. It puts the corporate device at risk and also increases operational costs as the power consumption usually goes up for mining devices. The most popular cryptocurrency choices for this kind of mining in the last 12 months were Etherium and Monero – altcoins that can profitably be mined without the need for inordinate electricity.
  2. Coinhive drive-by mining
    Coinhive is a technology that allows website owners to use their visitors’ computing power to mine a tiny fraction of cryptocurrency for the website owner. Visitors will experience a small increase in computer resource consumption while browsing the website. Some websites experiment with this model to create new forms of revenue streams alternative to advertisement and banner placements.

    Coinhive usage is often not an opt-in process. Darktrace has observed various customer devices that regularly visit websites leveraging Coinhive technology. While the power consumption increase for a device browsing a website with Coinhive is ultimately negligible, the cumulative effect of a sizeable portion of the workforce unwittingly browsing websites using Coinhive results in increased power consumption cost for the organization as a whole.
  3. Malicious insider
    A malicious insider compromised his employer’s website to put a Coinhive script on there. This then mined Monero for every visitor on the employer’s website for the malicious insider’s personal gain.
  4. Traditional malware
    Cyber criminals are constantly looking to improve the return on investment of their operations. Reports suggest that criminals are starting to adjust their monetization methods based on the financial means of their targets. Suppose you can’t pay the fee extorted in a ransomware attack? They’ll just install a crypto miner on your device instead to ensure that the attack is not completely fruitless.

    As malware authors become more sophisticated, they often deploy multi-staged malware that can swap weaponized payloads. Once malware has infected a system successfully, its authors can often decide what actions to take next. Encrypt the device and extort a ransom? Install a banking Trojan to harvest credit card details? Install more spyware modules to look for data exfiltration? Or, now, install a cryptocurrency miner.

    These pieces of malware operate stealthily and often go undetected for several weeks. An infection might start with a phishing email that contains a macro-enabled document. As soon as a user enabled the macro, the malware will download a file-less stager that lives in memory and cannot be detected by traditional antivirus. Command and control communication is usually maintained via IP addresses that change on a daily basis in order to outrun threat intelligence and blacklisting attempts. As no obvious damage is done straight away, these attacks often stay under the radar for prolonged times, so long as self-learning technology such as Darktrace is not employed.

    This becomes much more concerning as malware authors could swap one payload for another overnight if they deem it more profitable, switching from a furtive crypto mining Trojan to ransomware the next day. While we have not observed this kind of attack in the wild yet, it is plausible, and in cyberspace what can be done, will be done.

Conclusions

Revolutionary technologies like cryptocurrencies have both their dark and light aspects. For all of the creative energy released by the crypto-blockchain revolution, Bitcoin and its alternatives have quickly become the universal currency of the criminal underworld. Indeed, the former Chief Economist of the World Bank, Joseph Stiglitz – an adamant critic of cryptocurrencies – has said that the whole value of Bitcoin resides in its “potential for circumvention” and “lack of oversight”.

While Stiglitz’s case may be overstated, there can be no question that cyber criminals have sensed a new opportunity to make money. A lot of organizations still regard crypto mining as a compliance incident. This can lead to grave consequences as a cryptocurrency mining device might lead to more severe incidents that can have a serious effect on business operations.

This kind of threat is difficult to detect as no obvious damage is done. However, with Darktrace’s machine learning we can correlate even the weakest indicators of such an attack into a compelling picture of threat. While traditional tools may struggle to see these deviations, Darktrace can pinpoint the changes in behavior effected by cryptocurrency miners without having to rely on any blacklists or signatures.

Blog Archive

Monday July 16, 2018
Friday June 22, 2018
Wednesday May 9, 2018
Monday April 16, 2018
Wednesday March 7, 2018
Tuesday February 13, 2018
Friday February 2, 2018
Monday January 22, 2018
Friday December 8, 2017
Monday November 27, 2017
Monday October 30, 2017
Wednesday October 25, 2017
Thursday October 12, 2017
Monday October 2, 2017
Monday September 18, 2017
Monday July 31, 2017
Thursday June 29, 2017
Wednesday June 21, 2017
Wednesday May 17, 2017
Monday May 8, 2017
Wednesday April 5, 2017
Monday March 6, 2017
Monday February 13, 2017
Monday January 30, 2017
Monday January 9, 2017
Friday December 16, 2016
Monday December 5, 2016
Friday November 18, 2016
Friday November 4, 2016
Monday October 24, 2016

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew oversees Darktrace’s OT security offerings, providing cyber defense solutions for industrial environments. Andrew has worked extensively across all aspects of Darktrace's technical and commercial operations, and advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. Andrew has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

EnglishFrançais日本語