2019 Cybersecurity Insights -11

2019 Cybersecurity Insights -11

July 15, 2020 | Mina Hao

Cryptomining Traffic

Based on all sorts of security alert data from NSFOCUS Managed Security Service (MSS), we made a quantitative analysis of cryptomining activities and hosts in enterprises in 2019 and found that the cryptomining topicality is positively correlated with the cryptomining market trend.

JPMorgan Chase, a Wall Street bank tycoon, launched JPM coin 1 in February 2019. Avnet, a company listed on Fortune Global 500, becomes the third major technology company 2 that accepts Bitcoin for payment. All these signals encouraged hackers to feverishly carry out cyptojacking activities. In May, Binance, the world’s biggest cryptocurrency exchange, had 7000 Bitcoins 3 stolen from its hot wallet. The poor security of cryptocurrency exchanges had provoked panic among investors, resulting in a big drop in the popularity of the cryptomining market. In July, Facebook released the Libra 4 whitepaper, sparking intense debates among regulatory bodies around the world. As the cryptocurrency community
attracted worldwide attention, the Bitcoin price soared to $12,000 and cryptomining activities had reached their climax. In October, the trading of Bakkt 5 ‘s Bitcoin futures saw a slow start at launch which was touted as an important channel for capitals to go to the cryptocurrency market. Then came the closure of multiple American trading platforms. As the cryptomarket was badly hit once again, cryptocurrency activities were progressively reduced.

Monero is an untraceable anonymous cryptocurrency that obfuscates sending and receiving addresses as well as transacted amounts. Its anonymity makes it the most popular cryptocurrency circulating on
the dark web market. We made a further analysis of specific cryptomining activities throughout 2019 as shown in Figure 5-20 and found that 60% of cryptomining behaviors were performed by Monero miners requesting the domain name of the mining pool. The WannaMine worm, with the second largest proportion of cryptomining behaviors, had a new variant WannaMine4.0, at the beginning of 2019, which still uses the original attack means, i.e., exploiting the EternelBlue vulnerability to infect a large number of intranet hosts for malicious cryptomining.

Figure 5-20 shows the distribution of cryptomining victims by sector. It can be seen that small and medium-sized enterprises were favorite targets of cryptominers, making up 80% of cryptomining victims. For these malicious activities, attackers usually intruded into and controlled cryptomining hosts
by scanning for common vulnerabilities in batches. This demonstrates that maintenance staff in those enterprises lack basic security awareness.

Besides ports 80 and 443, attackers tended to use rare ports to connect to the cryptomining pool. As shown in Figure 5-21, port 3333 was the most favored port of cryptominers. According to the distribution of cryptomining activities by port range, ports in the range of 3000–3999 were used most frequently, involving 43% of all ports used by cryptomininers. Ports ranging from 5000 to 5999 came second, with a percentage of 13% of the total. As specific cryptomining ports and cryptomining pool addresses are part of behavior patterns of attackers of malicious cryptomining, enterprises can prevent this kind of activities by blocking cryptomining ports.

Website Cryptomining

Website cryptomining refers to a process of malicious cryptomining implemented via automatic JavaScript execution to consume considerable computer resources without the knowledge of a user tricked into accessing a website on which such JavaScript is planted. Instead of planting a cryptomining trojan on a host, an attacker of this type can reduce a user’s host to a cryptomining host simply by tricking the user into accessing a malicious page.

To measure the impact of such attacks, we analyzed the source code of top 1 million websites by Alex Rank and found 2567 cryptomining domain names that mainly mined Monero with heaviest use of the Coinhive cryptomining script.

As shown in Figure 5-22, cryptomining websites were scattered in different Alexa ranking intervals, with 330 included in top 100,000 websites. Cryptomining gains are directly associated with website visits. That is to say, a website with more visits is ranked better and rakes in higher cryptomining profits.

According to the distribution of cryptmining website types shown in Figure 5-23, we can see that cryptoming websites for business and entertainment dominated with a percentage of 22% and 19% respectively. This is because this kind of websites have larger access traffic. In addition, some website owners proactively embed cryptomining scripts into personal websites or blogs to increase their own cryptomining gains by using visitors’ computer resources. Such practice, however, greatly affects user experience.

Cryptomining Botnets

By aggregating attack behaviors performed by attack sources that used Telnet extensively for intrusion, we made a correlative analysis of the related list of weak passwords for cracking and malicious samples and identified a botnet that mined Monero. This botnet first broke into a host by cracking a weak password, so as to plant an RSA public key or botnet to take control of the host. Then it used a downloader to download a Monero cryptomining virus to execute the script matching the host type, thereby implementing malicious cryptomining and reaping benefits using the controlled network resources.

Figure 5-24 shows the overall situation of the cryptomining botnet. According to a rough estimate, this botnet controlled tens of thousands of zombies and was found most active in July in which the number of zombies topped at nearly 600 in a single day in 2019. Most zombies resided in China (2119) and the USA (1335). A total of 6681 zombies opened port 22, making up 65% of the total. According to known asset intelligence, 12% of all zombies were identified as IoT devices, with routers and cameras as dominant players. As for weak passwords for cracking, this botnet used nproc-nproc most frequently. Though related samples could not be downloaded from the sample server currently, we observed that there was still a modest increase in activities of this botnet.

For the complete analysis of this botnet, refer to a post 1on NSFOCUS Research Communications.

To be continued.