The Many Forms of Cryptocurrency Exploits

While cryptocurrency prices have been all over the place in recent months, the currencies are certainly attracting a different kind of attention from the criminal world, which views them as malware opportunities. These attacks take numerous forms, including stealing funds from digital wallets, attacking currency exchanges, deploying hidden miners, and initial coin offering (ICO) exploits.

The motivation is pure greed. One estimate has the average mining exploit generating $500 a day for each compromised PC. That can add up quickly, especially as some botnets control thousands of machines. To make matters worse, these schemes are growing more sophisticated and getting harder to detect and prevent, placing a burden on IT staff to root them out across their networks.

The first major exploit hit the DAO, a joint Ethereum investment fund, back in 2016; it suffered a DDoS attack and eventually had to shut down. While that grabbed major headlines, there have been other, less-publicized attacks on exchanges. Let’s look at some of the more recent examples.

Mining exploits

A number of cryptocoin mining exploits have flourished in the past year. Typically, the mining malware is installed through the browser or via phishing attacks. Some of the browser-based scripts continue to run even after the browser session is closed, which means they keep stealing CPU cycles from the affected computers. Here are a few recent examples:

  • One researcher has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple customers. The attacker leveraged Kaseya’s Virtual Systems Administrator (VSA) agent, a remote-management tool, to gain unauthorized access to multiple customer assets.
  • A Chrome extension called Archive Poster, which has over 105,000 users, has been deploying the hidden Coinhive in-browser cryptocurrency miner. This began in late December and is still being seen around the globe. The miner hides inside a JavaScript file and has been through several upgrades, so its authors are still very active. The extension does not ask for user permission before hijacking the CPU to mine Monero whenever the Chrome browser is open.
  • The Neptune exploit kit has been found in numerous places. It enables threat actors to hide their mining payloads in seemingly innocuous hiking advertisements.
  • Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The script can be injected in various locations within a WordPress site.
  • Two other campaigns use older vulnerabilities in DotNetNuke and Apache Struts to install these hidden Monero miners. These attacks have netted their authors $12,000 at current exchange rates.
  • Researchers have found a fileless attack that uses the web browser to mine cryptocoins. That attack begins with a phishing email offering a free AWS gift card.
  • Three popular exploits are Adylkuzz, Zealot and CoinMiner. All use code from the NSA’s leaked EternalBlue exploit (which was behind last year’s WannaCry ransomware outbreak) to spread to other endpoints once they have reached one PC on a network.
  • NiceHash said it lost about $64 million worth of bitcoin during an attack on its systems in December. The legitimate Slovenia-based bitcoin trading marketplace enables customers to mine for cryptocurrencies by leveraging unused CPU cycles.


Wallet-based exploits

A second major way to obtain cryptocurrency is more direct: simply stealing it from individuals’ digital wallets. Usually, when we think about attacks on particular destination sites, we tend to focus on the point in time when the breach occurs, and on how the company should have done a better job of defending itself leading up to that moment. Here is where the IotaSeed attack differs and is worth closer examination. Over the past several months, a hacker systematically set up a very careful scheme to steal about four million dollars from various users’ digital wallets. He used a combination of misdirection, bad random-number generators, social media come-ons, and phishing emails to grab the cryptocoins.

In another wallet-related exploit, hackers hijacked DNS servers used by the Lumen cryptocurrency, stealing over $400,000. By one count, Lumen is the eighth most popular cryptocurrency in use.


ICO-based exploits

As the number of cryptocurrency and blockchain-related startups explodes, criminals are looking to leverage their funding events, called ICOs. Hackers apparently sent fraudulent pre-ICO messages to users of the startup Experty who had signed up for announcements. Experty is a VOIP service that allows for secure payments based on its own blockchain. The phishing messages urged potential investors to act quickly to obtain an added bonus. More than seventy people paid into the criminals’ Ethereum account.

In another case, criminals replaced the Ethereum address on the Enigma cryptocurrency investment platform with their own and collected $500,000 in investment funding meant for the startup before anyone from the company noticed the change. The swap was made possible by a simple password attack that gave the actors access to the Enigma website’s HTML page. The funds were eventually returned once the hack was discovered. What is notable about this attack is how simple it was, yet how effective. (Well, at least until it was discovered.)


Defensive measures

So, given the broad scope of these attacks, what can IT managers do to protect their organizations? First, make sure your endpoint protection tools can detect these types of exploits. Consider upgrading browser versions to ensure the latest built-in protections are available. Look at your outgoing connection logs for the typical mining patterns and for access to digital wallets. Familiarize yourself with Monero, which seems to be the cryptocurrency thieves most often choose to mine.
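The log review recommended above needs concrete patterns to look for. The Python below is an added example written for this page, not code from the article or any vendor product: it scans constructed outbound-connection log lines for Stratum-style mining-pool traffic, and the log format, port list, JSON-RPC method names and hostname keywords are all assumptions chosen for the example.

```python
import json
import re

# Heuristic indicators assumed for this example (not from the article): ports commonly
# configured for Stratum mining pools, JSON-RPC method names used by Stratum and by
# Monero/XMRig-style miners, and words that often appear in pool hostnames.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 45700}
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
POOL_NAME_RE = re.compile(r"pool|xmr|monero|stratum|mine", re.I)
# Hypothetical log format: "<timestamp> <src_ip> -> <dst>:<port> <first payload line>"
LOG_RE = re.compile(r"^(\S+) ([\d.]+) -> ([\w.\-]+):(\d+) (.*)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, payload = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "payload": payload}

def mining_indicators(rec):
    """Return the reasons one outbound connection looks like mining-pool traffic."""
    reasons = []
    if rec["port"] in STRATUM_PORTS:
        reasons.append("pool-style port %d" % rec["port"])
    if POOL_NAME_RE.search(rec["dst"]):
        reasons.append("pool-like hostname")
    try:  # Stratum is line-delimited JSON-RPC; its method names are the strongest signal
        msg = json.loads(rec["payload"])
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            reasons.append("stratum method %s" % msg["method"])
    except ValueError:
        pass  # payload is not JSON, e.g. TLS traffic logged as "-"
    return reasons

def find_mining_hosts(lines):
    """Map each internal source IP to its suspicious (dst, port, reasons) tuples."""
    hits = {}
    for rec in filter(None, map(parse_line, lines)):
        reasons = mining_indicators(rec)
        if reasons:
            hits.setdefault(rec["src"], []).append((rec["dst"], rec["port"], reasons))
    return hits

# Constructed sample lines (not real traffic); pool hostnames use the reserved .invalid TLD.
SAMPLE_LOG = [
    '2018-02-01T10:00:01Z 10.0.0.1 -> www.example.com:443 -',
    '2018-02-01T10:00:02Z 10.0.0.5 -> xmr-pool.invalid:3333 {"method":"login","params":{"login":"WALLET","pass":"x"},"id":1}',
    '2018-02-01T10:00:03Z 10.0.0.7 -> 203.0.113.10:14444 {"id":1,"method":"mining.subscribe","params":[]}',
    '2018-02-01T10:00:04Z 10.0.0.1 -> api.example.org:443 {"method":"getUser"}',
]
```

A host that trips only one weak indicator (a port alone, say) is a lead to investigate, not a verdict; the JSON-RPC method match is the signal worth alerting on.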

Finally, you should educate your users about ICOs and warn them against personally investing in any ICO venture. Alex Studer, the Dalton high school student who uncovered the IotaSeed exploit, says in his post, “You should never rely on online services, like seed generators or web wallets, for holding any amount of currency you care about, and you should make sure that you use software that is open source and has been carefully reviewed and audited by the community.” Wise words, and certainly worth heeding.


David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has held several editorial management positions for both print and online properties and currently writes for Dice, TechTarget, and Network World. Find him on Twitter @dstrom and on his website.