The Trending Target of Crypto Miners: Your Web Application
In this article, we examine the way in which hackers use remote code execution (RCE) exploits in web applications to mine cryptocurrency.
At the beginning of every year, the media covering cybersecurity is hot on predictions for the coming year. Just Google "cybersecurity predictions" and you'll see what I'm talking about. Most of you may already know this is an annual ritual in the industry. However, cybersecurity does not have a monopoly on predictions in the media. Have you heard anything recently about cryptocurrencies? It too enters the new year with its share of "cryptocurrency predictions."
Fortunately, this post is not about more predictions for 2018. However, this post is about a trend that has been a bit more noticeable as we've kicked off the new year. This trend has to do with both cybersecurity and cryptocurrency. It's no surprise to anyone that where there is money, there will be the need for security. I can't go on without referencing the well-known quote by Willie Sutton when asked why he robbed banks, "I rob banks because that's where the money is." Unless you've been able to successfully avoid all media outlets on the Internet, I'm sure you've heard something about cryptocurrency. Perhaps you even ventured out and acquired some Ethereum, Ripple, or Monero for yourself. The impressive explosion of cryptocurrency valuations brought about not just broader interest, but a rapid mania around this digital asset.[1] Do you sense some predictions coming in this post?
The trend I want to highlight is the use of remote code execution (RCE) exploits in web applications to mine cryptocurrency. In this scenario, the attacker is not after any digital assets you, the victim, hold, e.g. customer data, credit cards, trade secrets, etc. The attacker is after your computing power. Now, attackers stealing CPU to mine cryptocurrency isn't really all that new. However, the recent mania has sparked an incredible amount of interest in profiting from the approximately $568 billion cryptocurrency market.[2] Also, as you may or may not realize, there are over 1400 coins in the market. This compounds the opportunity for profit.
The first incident: PeopleSoft and WebLogic app servers, as well as cloud systems using WebLogic, hacked and used to net some $226K in digital currency.
The second incident: Ruby RCE pushing Monero Coinminer.
The third incident: Struts and DotNetNuke Server Exploits Used For Cryptocurrency Mining.
It's not just web applications being targeted. Malware campaigns have been focusing on cryptocurrency as well. One recent example is published by Palo Alto Networks' Research Center.
And, of course, this list wouldn't be complete without the Willie Sutton style heist, "Bitcoin Exchange Hit By Armed Robbers in Thwarted Theft."
What's the Takeaway?
With this recent trend, the attack surface hasn't expanded or changed in any way. In the three incidents referenced above, the attackers were targeting known vulnerabilities in web applications. What I suggest has expanded is the threat actors and their motivation to target your applications and infrastructure. The number of threat actors you face has expanded because there are individuals with the capability to launch RCE exploits against your web applications that were not previously motivated to do so. But with new motivation to get an instant payoff with low risk, these individuals are now your adversary.
In addition to these new threat actors, if your organization did not view nation-state actors as a high risk, your server compute power is now a target of nation states as well. The primary example is North Korea, which may be using cryptocurrency as a source of funding and as a way to skirt sanctions.[3]
What Should You Do?
Hopefully, you have already prepared your applications and infrastructure to defend against this expansion of threat actors. This means you have a vulnerability and patch management process in place. You perform application security reviews to identify and remediate critical vulnerabilities, like RCE. In addition, preparedness means having application and server monitoring in place.
The first layer of monitoring is the application layer, which provides visibility into attack and anomalous traffic. The second layer is monitoring application host resource consumption. In the case of cryptocurrency mining, are you monitoring for a rapid spike in CPU utilization across all your servers? If the answer is yes, then you are in decent shape to detect a successful attack; if not, you have some work to do.
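As an added illustration of that second monitoring layer (this is example code, not the author's), the following flags hosts whose CPU sits near saturation for a sustained period, which is what an injected miner looks like, while ignoring the short bursts a build job or deploy produces; it also reports whether a large fraction of the fleet tripped at once, since one exploitable app server usually means many. The sample readings, hostnames and thresholds are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    host: str
    ts: int        # epoch seconds (constructed)
    cpu_pct: float  # host-wide CPU utilization, 0..100


def sustained_high_cpu(samples, threshold=90.0, min_seconds=600):
    """Return {host: (run_start_ts, last_ts)} for every host whose CPU stayed
    at or above `threshold` for at least `min_seconds` without a dip.
    Miner-style load is a plateau, not a spike, so duration is the key test."""
    by_host = {}
    for s in sorted(samples, key=lambda s: (s.host, s.ts)):
        by_host.setdefault(s.host, []).append(s)
    hits = {}
    for host, series in by_host.items():
        run_start = None
        for s in series:
            if s.cpu_pct >= threshold:
                if run_start is None:
                    run_start = s.ts
                if s.ts - run_start >= min_seconds:
                    hits[host] = (run_start, s.ts)  # extend the run's end
            else:
                run_start = None  # a dip resets the plateau
    return hits


def fleet_wide(hits, samples, fraction=0.5):
    """True when at least `fraction` of all observed hosts are in `hits`:
    a fleet-wide plateau points at a shared exploited application."""
    hosts = {s.host for s in samples}
    return bool(hosts) and len(hits) / len(hosts) >= fraction


# Constructed one-hour series at 60 s resolution for three web hosts.
SAMPLES = []
for ts in range(0, 3600, 60):
    SAMPLES.append(Sample("web-1", ts, 96.0 if ts >= 1200 else 18.0))        # plateau after 20 min
    SAMPLES.append(Sample("web-2", ts, 97.0 if 600 <= ts < 720 else 22.0))   # 2-minute build burst
    SAMPLES.append(Sample("web-3", ts, 25.0))                                # idle

if __name__ == "__main__":
    found = sustained_high_cpu(SAMPLES)
    print("sustained high CPU:", found)                 # only web-1
    print("fleet-wide:", fleet_wide(found, SAMPLES))    # False: 1 of 3 hosts
```

Feeding real data is a matter of building `Sample` rows from whatever metrics store you already have; the 90%/10-minute values are a starting point to tune against your own baseline.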
There is also the question of the risk to your business. After all, if the breach only results in CPU consumption, at least it is not a loss of sensitive data. A few thoughts on this are:
- If you operate in a cloud environment and the CPU consumption goes on for a long period of time, you run the risk of an extremely high, and extremely unexpected, bill from your cloud provider.
- The CPU consumption may cause a miserable experience for your application users. The application may be accessible, but effectively unusable.
- The attacker may have motives beyond cryptocurrency mining. For example, they may sell access to your servers for other malicious purposes. In addition, it could be difficult to prove they haven't accessed sensitive data on your systems.
The trend of cryptocurrency popularity and demand is starting to pick up steam. Cryptocurrency is here to stay. As a result, the pool of capable threat actors will continue to expand. To defend your applications, infrastructure, and business you need a robust patch management process and monitoring capability. At the beginning of this post, I stated it would not contain more predictions. Well... I thought of one. I can predict that 2018 is going to be a very interesting year, for both cybersecurity and cryptocurrency.
[1] To get a sense of the mania, just browse the headlines aggregated at https://foomoney.net/crypto. Disclaimer: this is a news aggregation site I publish, which also uses CoinHive to mine in your browser. This is part experimentation, and part me joining the mania. More about CoinHive here.
[2] Market cap as of this writing from https://coinmarketcap.com/.
[3] "New Cryptocurrency Mining Malware Has Links to North Korea," Dark Reading.
Published at DZone with permission of Phillip Maddux, DZone MVB. See the original article here.