How to avoid the crypto-minefield
The rise of cryptocurrencies such as Bitcoin and Ethereum, and their acceptance as a legitimate means of payment, has been well documented in the media over the past 12 months.
One reason for this attention is the use of cryptocurrencies by cyber criminals. Many ransomware variants, including June 2017's global WannaCry outbreak, demand payment through Bitcoin because of the perceived anonymity of the parties involved in the transactions.
But while Bitcoin generally receives the majority of the media’s attention for being a criminal’s payment method of choice, smaller coins like Monero are designed to provide even more anonymity and privacy.
Monero (formerly BitMonero) is a privacy-oriented digital currency that obscures the identities of both senders and receivers, generating a 'stealth address' for every transaction. This makes it impossible for anyone besides the address owner to discover the actual destination of a transaction.
A digital currency like Bitcoin normally records its transaction history on a public blockchain, so coins associated with certain events, such as theft, can be rejected by some receivers. Monero's blockchain is different: it does not reveal where funds came from or went to.
This gives questionable coins a more opaque history and makes the whole process essentially anonymous, an attractive prospect for an attacker.
Criminal crypto-mining background
Cryptocurrency coins are created through a process called mining. This involves networks of computers executing cryptographic algorithms to generate an encrypted data string which denotes a unit of currency.
Mining coins has the potential to generate a substantial income for people who are willing to invest their money in the purchase of powerful hardware and their time in learning the mathematical processes involved. This has created communities of miners who pool their resources in order to increase profits and income stability.
There are also less-ethical miners who seek to avoid the hardware investment altogether by spreading malware that installs mining software on as many computers as possible. Large organisations with thousands of computers are often attractive targets for these criminal miners.
One of NCC Group’s clients was recently the target of such an attack.
The organisation is a global company with over 40,000 employees and is therefore a potentially significant crypto-mining resource for the attacker. Fortunately, the organisation was using NCC Group’s Managed Network Threat Monitoring (NTM) service, which provides 24/7 monitoring and response through the use of network sensors, analysing traffic against rules and known signatures.
Identifying illicit mining activity
NCC Group's Security Operations Centre was initially alerted to traffic from an internal machine to multiple Tor nodes, a pattern strongly suggesting that Tor browsing had started from that machine.
While Tor isn't inherently malicious, its use can be against company policy because of the multiple risks associated with running the software inside a corporate infrastructure. This was raised with the customer, and as a result the traffic was immediately investigated and blocked.
Within hours this activity had spread to traffic from multiple internal machines to Tor nodes. This further activity was urgently raised with the customer, along with the recommendation that these machines be removed from the network and reimaged to ensure the removal of any malware present that may have been using the anonymous browser.
Triage & further alerts
Within an hour, NCC Group had observed traffic from over ten internal hosts to multiple Tor nodes. At this point the severity was increased and our incident response team was deployed.
Looking at the traffic in depth, we caught the internal machines spamming random hosts over Server Message Block (SMB), a spread method similar to that of a ransomware outbreak. Following the traffic showed that the malware was calling out to and joining a Monero mining pool, which we presumed was to install the mining application and steal CPU cycles.
Following this discovery the client was immediately contacted and advised to block access to the Monero mining pool, block access to Tor wherever possible, and block any outbound SMB on specific ports. In addition, we advised the customer to check their logs to help identify any further infected hosts. Unfortunately, we also found evidence of actual mining on one machine, so it is possible further machines had also been used for this purpose. Within just 12 hours a total of 14 different hosts had been observed issuing DNS requests for the Monero mining pools.
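As an added example, not part of the original write-up, the three network signals described above (connections to Tor nodes, SMB fan-out to many internal targets, and DNS lookups for a mining pool) can be pulled out of a connection log with a short script. The watch-lists, log lines and log format are constructed placeholders assumed for illustration; in practice the Tor node list and pool domains would come from a maintained threat feed.

```python
from collections import defaultdict

# Constructed watch-lists (placeholders, not real indicators).
TOR_NODES = {"198.51.100.7", "198.51.100.9", "203.0.113.5"}
POOL_DOMAINS = {"pool.monero-example.invalid"}
SMB_FANOUT_THRESHOLD = 3  # distinct TCP/445 targets per host before flagging
# Constructed connection log, assumed format: "time src dst dport proto [dns=<query>]"
SAMPLE_LOG = """\
09:00:01 10.1.2.3 198.51.100.7 9001 tcp
09:00:05 10.1.2.8 198.51.100.9 9001 tcp
09:01:10 10.1.2.3 10.0.0.53 53 udp dns=pool.monero-example.invalid
09:01:11 10.1.2.9 10.0.0.53 53 udp dns=eu.pool.monero-example.invalid
09:01:12 10.1.2.9 10.0.0.53 53 udp dns=updates.vendor-example.invalid
09:02:00 10.1.2.3 10.1.5.1 445 tcp
09:02:01 10.1.2.3 10.1.5.2 445 tcp
09:02:02 10.1.2.3 10.1.5.3 445 tcp
09:02:10 10.1.2.8 10.1.5.20 445 tcp
09:02:11 10.1.2.8 10.1.5.20 445 tcp
"""

def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[3].isdigit():
            continue
        dns = next((p[4:].lower() for p in parts[5:] if p.startswith("dns=")), None)
        events.append({"src": parts[1], "dst": parts[2], "dport": int(parts[3]),
                       "proto": parts[4], "dns": dns})
    return events

def tor_contacts(events):
    """Internal hosts that connected to an address on the Tor watch-list."""
    return {e["src"] for e in events if e["dst"] in TOR_NODES}

def pool_dns_hosts(events):
    """Hosts that resolved a mining-pool domain or any subdomain of one."""
    return {e["src"] for e in events if e["dns"] and any(
        e["dns"] == d or e["dns"].endswith("." + d) for d in POOL_DOMAINS)}

def smb_fanout_hosts(events, threshold=SMB_FANOUT_THRESHOLD):
    """Hosts hitting many distinct targets on TCP/445: the worm-like SMB spread pattern."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] == 445 and e["proto"] == "tcp":
            targets[e["src"]].add(e["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}
```

A host that appears in more than one of the three sets (here 10.1.2.3) is the one to isolate and reimage first.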
The attack method
Attackers have been exploiting many different vulnerabilities in Microsoft Windows to download the crypto-miner, and an unpatched machine leaves a user extremely vulnerable to this kind of attack. In this particular case the organisation had been running unpatched machines and fell victim to such an exploit. Given the volume of SMB traffic we saw, we speculate that the exploit used in this case was similar to EternalBlue.
Protecting against the crypto-minefield
A multi-layered approach to cyber defence is required to avoid donating CPU cycles (and the associated electricity costs) to unscrupulous crypto-miners. Good security hygiene, such as staying up to date with patching and educating users about phishing, is essential. In addition, visibility of traffic from a user's PC to a suspicious domain is vital. The NCC Group Managed NTM service can give you visibility not only of this but also of other indicators of compromise that may not be picked up by an intrusion detection system, as these often rely on signatures of known exploits.
Published date: 02 February 2018
Written by: Dominic Carroll and Eleanor McNicholas