CSO Online has a good primer on how to detect and prevent crypto mining malware:

Unfortunately, crypto mining traffic can be very difficult to distinguish from other types of communications. The actual messages are very short, and malware writers use a variety of techniques to obfuscate them. “It’s extremely difficult to write a rule for something like this,” Vaystikh says. “So not many companies can detect it. Pretty much every organization above 5,000 employees has the data already — the only problem is that it is very, very hard to go over the huge amounts of data that they have.”

SecBI’s Autonomous Investigation technology deals with this issue by using machine learning to look for suspicious patterns in the vast sea of data that come through corporate networks. There are thousands of factors that SecBI looks at, Vaystikh says. For example, crypto mining traffic is periodic, though malware writers will try to disguise the regular nature of the communication by, for example, randomizing the intervals.

Crypto mining also has an unusual message length. Incoming traffic, the hash, is short. The outgoing results are slightly longer. By comparison, with normal internet traffic, the initial request is short and the response is long. “In Bitcoin mining, I actually upload a little bit more than I download,” Vaystikh says. “That is something that we look for.” The technology can be applied to public cloud infrastructure like Amazon as well as to on-premises networks, he says.

Even if the traffic is encrypted — and 60 percent of all network traffic now is — the periodicity of the communications, the lengths of the messages, and other subtle indicators combine to help the system spot the infections. In fact, when crypto mining first showed up, SecBI’s platform flagged it as possibly malicious before it even knew what it was. “Now, after our users looked at it, they say, ‘Ah, it’s crypto mining!’ and the software now correctly classifies it as well,” Vaystikh says.

The entire article is a valuable resource for those unfamiliar with cryptocurrency and the mining malware that attackers and criminals are using these days. Outside of endpoint security technologies that use signatures, sandboxing, machine learning, or behavioral analytics, network-based detection may be difficult, but it may also be the best option.

Even the endpoint side has issues, as there appears to be less-than-effective collaboration between browser developers and the security industry, so not all endpoint security products can detect in-browser malware that uses JavaScript for deployment. Turning off JavaScript in 2018 is impossible, as it would render 90% of websites inaccessible or unusable. So in general, the best detection and prevention method may in fact be network-based tools such as intrusion prevention systems and similar technologies.
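As an added example (not code from the CSO Online article or from SecBI's product), here is a small Python heuristic that scores one client-to-server set of flow records on the three indicators quoted above: periodic timing, small messages, and outbound bytes exceeding inbound bytes. The flow records and the thresholds are constructed assumptions for illustration.

```python
"""Flow-level heuristics for cryptomining beacons: periodic connections and
small messages where the client uploads a little more than it downloads.
Thresholds below are assumptions, not a vendor's tuned model."""
from statistics import mean, pstdev


def interarrival_cv(timestamps):
    """Coefficient of variation of the gaps between connections.
    Near 0 means a steady beacon; larger values mean irregular timing.
    Mild jitter keeps the value low; heavy randomization (which the
    article notes miners attempt) pushes it up, so the other indicators
    still matter."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def mining_score(flows, cv_max=0.35, max_avg_bytes=2048):
    """flows: list of (timestamp_seconds, bytes_out, bytes_in) for one
    client->server pair. Returns the raw indicators plus a verdict."""
    ts = sorted(t for t, _, _ in flows)
    out_total = sum(o for _, o, _ in flows)
    in_total = sum(i for _, _, i in flows)
    cv = interarrival_cv(ts)
    avg_size = (out_total + in_total) / len(flows)
    indicators = {
        "periodic": cv is not None and cv <= cv_max,
        "small_messages": avg_size <= max_avg_bytes,
        "upload_heavy": out_total > in_total,  # the asymmetry quoted above
    }
    return {"cv": cv, "avg_size": avg_size,
            "out_in_ratio": out_total / in_total if in_total else None,
            "indicators": indicators,
            "suspicious": all(indicators.values())}


# Constructed sample: a miner checking in roughly every 60 s with jitter,
# sending ~300 bytes of results and receiving ~200 bytes of new work.
MINER_FLOWS = [
    (0, 303, 201), (61, 305, 200), (119, 301, 204), (182, 306, 202),
    (240, 300, 203), (299, 304, 201), (363, 302, 200), (420, 305, 204),
    (478, 301, 202), (541, 303, 201),
]
# Constructed sample: ordinary browsing, bursty timing, small requests, large responses.
WEB_FLOWS = [(0, 400, 80000), (3, 350, 120000), (4, 500, 9000),
             (40, 420, 65000), (41, 380, 150000), (120, 450, 30000)]
```

Run over real flow exports, the same three indicators would be computed per client/server pair over a long window, since a single suspicious pair is only a lead for investigation.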

Dark Reading reports on cybercriminals using brute-force password attacks against the open-source e-commerce system Magento to steal credit card numbers and distribute cryptocurrency mining malware:

He describes the types of compromised websites as ranging from small to midsize organizations that had installed the Magento CMS for e-commerce transactions. Online retail stores appear to have been the most heavily affected, followed by healthcare and education websites, Kremez says.

“The actors exploit and monetize their Magento panel accesses in three unique ways depending on [the] sites,” he says.

The favored way is to install JavaScript sniffers on the compromised site for scraping payment card data, which is then later sold on Dark Web stores. If the breached website does not yield payment card data, the attackers resort to uploading cryptocurrency mining tools such as Coinhive.

The third tactic is to use the compromised site to host code — typically a phony Adobe Flash Player update — which, if executed, results in a data-stealing malware tool dubbed AZORult being downloaded on computers belonging to site visitors. AZORult in turn downloads Rarog, a Coinhive cryptocurrency miner on the user’s system.

The attackers have shown a tendency to update the malicious files daily in order to avoid detection by signature-based anti-malware tools, according to Flashpoint.

The Magento sites are initially compromised with a brute-force password attack to gain access to the administrative panel. In many cases it appears the default administrative credentials were never modified, thus essentially offering free access to the malicious actors.

Overall, this is a fairly sophisticated operation. Not many attack groups have the wherewithal to update their malicious code daily to avoid signature-based detection tools. It takes a fair bit of work to make the changes and deploy them to the thousand-plus compromised Magento sites.

ZDNet is reporting Tesla failed to properly secure their Amazon Web Services servers, thus leading to a breach where the attackers were using them to mine cryptocurrency:

Researchers from the RedLock Cloud Security Intelligence (CSI) team discovered that cryptocurrency mining scripts, used for cryptojacking — the unauthorized use of computing power to mine cryptocurrency — were operating on Tesla’s unsecured Kubernetes instances, which allowed the attackers to steal the Tesla AWS compute resources to line their own pockets.

Tesla’s AWS system also contained sensitive data including vehicle telemetry, which was exposed due to the unsecured credentials theft.

“In Tesla’s case, the cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment,” RedLock says. “Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets.”

The unknown hackers also employed a number of techniques to avoid detection. Rather than using typical public mining pools in their scheme, for example, the threat actors instead installed mining pool software and instructed the mining script to connect to an unlisted endpoint.

Tesla's business is built on connected services, so such an amateur mistake is surprising for the company. The attackers could have done a lot more damage, but were ultimately more interested in making money than in vandalism.

Ars Technica reports on what may be one of the largest malware-driven currency mining operations, currently generating more than $3 million in cryptocurrency thus far:

The unknown criminals generated the windfall over the past 18 months. The campaign has mainly exploited critical vulnerabilities on Windows computers and then, once gaining control over them, installed a modified version of XMRig, an open-source application that mines the digital coin known as Monero. While the group has used a variety of mining services, it has continued to dump the proceeds into a single wallet. As of last week, the wallet had received payouts of almost 10,829 Monero, which, at current valuations, are worth more than $3.4 million.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows and has already secured him over $3 million worth of Monero cryptocurrency,” researchers at security firm Check Point wrote in a blog post. “As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.”

The Jenkins Continuous Integration server is open-source software written in Java for deploying and automating all kinds of tasks. With more than 1 million users, it’s one of the most widely used open-source automation servers. In January, independent researcher Mikail Tunç estimated that as many as 20 percent of Jenkins servers are misconfigured in ways that make serious hacks possible. The compromises cause slower performance and potential denial-of-service failures on compromised machines.

That is an unreal amount of money generated from such an insignificant amount of work.

The Guardian reports that thousands of UK government websites have been unwittingly infected with malware designed to force visitors into cryptocurrency mining:

Late on Sunday, the website of the UK’s data protection watchdog, the Information Commissioner’s Office, was taken down to deal with the issue after it was reportedly infected by the malware.

The cryptojacking script was inserted into website codes through BrowseAloud, a popular plugin that helps blind and partially-sighted people access the web.

More than 5,000 websites have been flooded by the malware. Software known as Coinhive, which quietly uses the processing power of a user’s device to mine open source cryptocurrency Monero, appears to have been injected into the compromised BrowseAloud plugin.

Texthelp, which operates BrowseAloud, took its website down on Sunday while it tried to resolve the problem.

The National Cyber Security Centre confirmed the issue was being investigated, adding there was nothing to suggest members of the public were at risk after the malware attack.

One problem with using plugins such as BrowseAloud is that if the company developing the software is not reputable, or lacks proper quality assurance, there is a risk of malware being either purposely or inadvertently injected into the code. Although the details in this instance remain unknown while the UK’s NCSC investigates, one does have to wonder how this happened when so many UK government websites rely on this accessibility plugin.

With the recent surge in the bitcoin price I have been paying a lot of attention to cryptocurrency, especially the granddaddy of them all. This article makes an interesting and thoughtful case that even those who are not participating in bitcoin mining are going to feel the negative effects of the computational power required to mine the coins:

No one may be using Bitcoin, but we’re all paying for them.

Bitcoin analyst Alex de Vries, otherwise known as the Digiconomist, reports that the coin’s surge caused its estimated annual energy consumption to increase from 25 terawatt hours in early November to 30 TWh last week, a figure, wrote Vox’s Umair Irfan, “on par with the energy use of the entire country of Morocco, more than 19 European countries, and roughly 0.7 percent of total energy demand in the United States, equal to 2.8 million U.S. households.” Just one transaction can use as much energy as an entire household does in a week, and there are about 300,000 transactions every day.

Some Bitcoin enthusiasts claim that it will eventually become a mainstream currency, and that the cryptogovernance system upon which it’s built could actually help the environment.

The Bitcoin market is volatile, its future murky.

We don’t have time or resources to waste on Bitcoin.

Unlike cash, a Bitcoin cannot be printed or otherwise “made” by a human.

In order to create one, a computer must access the Bitcoin network and solve a complicated math problem, a process known as “mining.” But there are a finite number of Bitcoins that can be mined, 21 million to be exact, and as more Bitcoins are mined, the math problems get more challenging.