Cryptocurrencies and the future of cyber defense

Max Heinemeyer, Director of Threat Hunting | Tuesday February 13, 2018

Prelude

The last 12 months have shown tremendous volatility in the value of cryptocurrencies, of which Bitcoin is the most prominent example. At the start of 2017, Bitcoin lingered around the $2,000 mark before suddenly taking off, climbing to historic highs of close to $20,000 in December 2017. Demand has since subsided, and at the time of writing, the price of Bitcoin is near to $10,772.

While Bitcoin is the most popular cryptocurrency, numerous alternatives, often called ‘altcoins’ have emerged and grown in value in the last 12 months. For example, Dogecoin, originally created to be a spoof cryptocurrency after a widespread internet meme, reached a notable market capitalization milestone of $2bn in January 2018.

Nowadays it is almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones or desktop computers. At this late state, it just takes too long to perform the relevant calculations, and the cost of electricity is higher than the anticipated revenue in most cases. Other altcoins such as Monero use different algorithms, making them viable alternatives for aspiring crypto miners. It is often still feasible to mine altcoins on commodity hardware and see a return on investment.

The value of most altcoins is closely tied to the value of Bitcoin and, in many cases, the relationship is broadly proportional – a rise in Bitcoin prompting a similar lift in the altcoins. Monero, which has been rapidly adopted by Darknet markets, has profited from this effect. While Monero was valued at around $10 in January 2017, its price has been pumped up to $419 a year later.

There is much that is still not clear about the cryptocurrency phenomenon. Debate as to its relative value and its status as a currency rages, and will not be resolved any time soon. However, from a cyber security perspective there can be no doubt that the combination of altcoins being mineable on commodity hardware, the fact that mining is now becoming profitable as a side-effect of Bitcoin’s rise, and a maturity in cryptocurrency-related tech has led to a surge in cryptocurrency-related attacks.

Attack vectors

Darktrace has observed an abrupt increase of cryptocurrency-related attacks over the last 12 months. Both the frequency and the diversity of these attacks has grown significantly and largely mirrors the remarkable rise in the value of Bitcoin over that period.

Previously, cyber-criminals monetized their operations via banking Trojans/credit card fraud, selling stolen data and ransomware on the Darknet. However, criminals are notoriously adaptable and will follow the money wherever it leads, leading to an increase in cryptojacking’s popularity.

Cryptocurrency mining might not be as profitable as ransomware is upfront, but it can be secretly pursued for months without creating the havoc that characterizes ransomware attacks. Most users and security products might not notice a cryptocurrency miner being installed on a corporate device as it does not show obvious threats or messages to a user, except for an occasional increase in CPU or RAM usage.

Identifying these attacks can be very difficult for traditional security tools as they were not originally designed to catch this type of threat. Nor was Darktrace, but its approach – which relies on its evolving understanding of patterns of behavior – means that it can detect such attacks without having to know what to look for in advance.

Darktrace has detected a number of different attack vectors related to cryptocurrency attacks.

  1. Nefarious use of corporate resources
    Darktrace has detected a range of incidents where employees were intentionally installing cryptocurrency mining software on their corporate devices to mine for personal gain. These employees do not have to pay for the electricity used to run the corporate device in the office – they are basically turning their employer’s electricity into cash by commandeering it for mining operations.

    This is commonly seen as a compliance breach and increases the attack surface of a device that has mining software installed. It puts the corporate device at risk and also increases operational costs as the power consumption usually goes up for mining devices. The most popular cryptocurrency choices for this kind of mining in the last 12 months were Etherium and Monero – altcoins that can profitably be mined without the need for inordinate electricity.
  2. Coinhive drive-by mining
    Coinhive is a technology that allows website owners to use their visitors’ computing power to mine a tiny fraction of cryptocurrency for the website owner. Visitors will experience a small increase in computer resource consumption while browsing the website. Some websites experiment with this model to create new forms of revenue streams alternative to advertisement and banner placements.

    Coinhive usage is often not an opt-in process. Darktrace has observed various customer devices that regularly visit websites leveraging Coinhive technology. While the power consumption increase for a device browsing a website with Coinhive is ultimately negligible, the cumulative effect of a sizeable portion of the workforce unwittingly browsing websites using Coinhive results in increased power consumption cost for the organization as a whole.
  3. Malicious insider
    A malicious insider compromised his employer’s website to put a Coinhive script on there. This then mined Monero for every visitor on the employer’s website for the malicious insider’s personal gain.
  4. Traditional malware
    Cyber criminals are constantly looking to improve the return on investment of their operations. Reports suggest that criminals are starting to adjust their monetization methods based on the financial means of their targets. Suppose you can’t pay the fee extorted in a ransomware attack? They’ll just install a crypto miner on your device instead to ensure that the attack is not completely fruitless.

    As malware authors become more sophisticated, they often deploy multi-staged malware that can swap weaponized payloads. Once malware has infected a system successfully, its authors can often decide what actions to take next. Encrypt the device and extort a ransom? Install a banking Trojan to harvest credit card details? Install more spyware modules to look for data exfiltration? Or, now, install a cryptocurrency miner.

    These pieces of malware operate stealthily and often go undetected for several weeks. An infection might start with a phishing email that contains a macro-enabled document. As soon as a user enabled the macro, the malware will download a file-less stager that lives in memory and cannot be detected by traditional antivirus. Command and control communication is usually maintained via IP addresses that change on a daily basis in order to outrun threat intelligence and blacklisting attempts. As no obvious damage is done straight away, these attacks often stay under the radar for prolonged times, so long as self-learning technology such as Darktrace is not employed.

    This becomes much more concerning as malware authors could swap one payload for another overnight if they deem it more profitable, switching from a furtive crypto mining Trojan to ransomware the next day. While we have not observed this kind of attack in the wild yet, it is plausible, and in cyberspace what can be done, will be done.

Conclusions

Revolutionary technologies like cryptocurrencies have both their dark and light aspects. For all of the creative energy released by the crypto-blockchain revolution, Bitcoin and its alternatives have quickly become the universal currency of the criminal underworld. Indeed, the former Chief Economist of the World Bank, Joseph Stiglitz – an adamant critic of cryptocurrencies – has said that the whole value of Bitcoin resides in its “potential for circumvention” and “lack of oversight”.

While Stiglitz’s case may be overstated, there can be no question that cyber criminals have sensed a new opportunity to make money. A lot of organizations still regard crypto mining as a compliance incident. This can lead to grave consequences as a cryptocurrency mining device might lead to more severe incidents that can have a serious effect on business operations.

This kind of threat is difficult to detect as no obvious damage is done. However, with Darktrace’s machine learning we can correlate even the weakest indicators of such an attack into a compelling picture of threat. While traditional tools may struggle to see these deviations, Darktrace can pinpoint the changes in behavior effected by cryptocurrency miners without having to rely on any blacklists or signatures.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Machine vs machine: instant domain fluxing identification with Darktrace

Max Heinemeyer, Director of Threat Hunting | Friday February 2, 2018

The algorithms made famous by Conficker almost a decade ago are continuing to frustrate the security community.

A function of some advanced malware, Domain Generating Algorithms (DGA) rapidly generate new domains as a means of evading security personnel. This process is known as ‘domain fluxing’ and provides an alternative means of communication with the attacker’s command-and-control servers. They are very difficult to detect using a traditional security approach.

Darktrace’s AI and machine learning are designed to detect threats without any pre-existing knowledge of attacker targets, tools, or capabilities. While traditional security tools depend on specific Indicators of Compromise to identify malicious activity, Darktrace instead focuses on behavioral changes that may point to an active compromise. Detection of Domain Generating Algorithms is just one example of Darktrace’s ability to pinpoint attacker C2 communications through the identification of behavioral anomalies.

DGA identification in action

Darktrace recently saw an employee of a healthcare company connecting a personal laptop to the corporate network. The employee was asked by another member of the organization to troubleshoot the laptop as a favor. Unbeknown to the employee, and despite the fact that anti-virus was installed, the laptop was compromised by an unknown strain of malware.

On joining the network, the compromised laptop made DNS queries for domains that Darktrace classified as 100% rare for the environment. These domains appeared to be dynamically generated as they were all between 25 to 30 characters long and used multiple top-level domains. Darktrace immediately triggered a high-scoring domain fluxing alert due to the sudden increase in failed DNS requests for abnormal domains.

Additional domain fluxing alerts were triggered within 30 minutes of the device joining the network. The only reason that this highly suspicious activity was allowed to persist for that period of time was that the security administrator was at lunch.

A sample of Darktrace network logs showing failed DNS requests for DGA domains.

Event logs showing domain fluxing identification within 14 seconds of the device joining the network.

Rapid containment

The security administrator was informed of the situation on his return and immediately performed incident triage with Darktrace. The administrator was able to rapidly assess the device’s connection history using Darktrace’s native filters that are designed to detect scanning, lateral movement, C2 communications, and egress. He then identified the location of the compromised laptop, disabled its internet access, and physically removed the device from the network.

The total time from initial connection to identification, containment, and removal of the compromised, rogue device was approximately 67 minutes. The administrator left the following comment for the Darktrace analyst team:

Darktrace Threat Visualizer shows multiple domain fluxing model breaches as a result of a high volume of failed DNS requests for suspicious, dynamically-generated domains.

Closing thoughts

Darktrace’s AI approach focuses on identifying anomalies in evolving patterns of behavior. Although the laptop was new to the network, no other device was seen making a high volume of failed DNS requests for similar DGA domains. Darktrace immediately identified this activity as anomalous and generated an alert within 14 seconds of the device joining the network.

By employing Darktrace, a single analyst was able to discover and assess a compromised, rogue device operating within the network environment in just over an hour. What’s more, with Antigena (Darktrace’s autonomous response solution) in place, all suspicious behaviors would have been temporarily suspended, in real time. Alternatively, the administrator could have manually authorized Antigena’s proposed actions via the Darktrace Mobile App.

No extensive analysis of distributed log files, PCAPs, or other security tools. No prior knowledge of the attacker’s infrastructure or the malware. Darktrace AI identified DGA domains that were being produced on the fly, without help. That’s the level our security technology must perform at if we are to keep on top of all the new tech in the modern attacker’s toolkit.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.