Bitcoin Security: Mining Threats You Need to Know

The value of Bitcoin has had its ups and downs since its inception in 2013, but its recent skyrocket in value has created renewed interest in this virtual currency. The rapid growth of this alternative currency has dominated headlines and ignited a cryptocurrency boom that has consumers everywhere wondering how to get a slice of the Bitcoin pie. For those who want to join the craze without trading traditional currencies like U.S. dollars (i.e., fiat currency), a process called Bitcoin mining is an entry point. However, Bitcoin mining poses a number of security risks that you need to know.

What Is Bitcoin Mining?

Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. Miners, as they are called, essentially maintain and secure Bitcoin’s decentralized accounting system. Bitcoin transactions are recorded in a digital ledger called a blockchain. Bitcoin miners update the ledger by downloading a special piece of software that allows them to verify and collect new transactions. Then, they must solve a mathematical puzzle to secure access to add a block of transactions to the chain. In return, they earn Bitcoins, as well as a transaction fee.

What Are Bitcoin Security Risks?

As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning, a Bitcoin user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that it requires a lot of expensive computing power. This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users’ devices.

One example of this security breach happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe’s Wi-Fi network. The malware authors used this time delay to access the users’ laptops for mining. In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. When an attacker loads mining software onto devices without the owner’s permission, it’s called a cryptocurrency mining encounter or cryptojacking.

It’s estimated that 50 out of every 100,000 devices have encountered a cryptocurrency miner. Cryptojacking is a widespread problem and can slow down your device; though, that’s not the worst that can happen. Utility costs are also likely to go through the roof. A device that is cryptojacked could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.

What Are Some Bitcoin Privacy Tips?

Now that you know a little about mining and the Bitcoin security risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:

• Avoid public Wi-Fi networks: These networks often aren’t secured, opening your device and information up to a number of threats.
• Use a VPN: If you’re away from your secure home or work network, consider using a virtual private network (VPN). A VPN is a piece of software that gives you a secure connection to the Internet, so that third parties cannot intercept or read your data. A product like McAfee+ can help safeguard your online privacy no matter where you go.
• Secure your devices: New Bitcoin threats, security concerns, and malware are emerging all of the time. Protect your devices and information with comprehensive security software

The post Bitcoin Security: Mining Threats You Need to Know appeared first on McAfee Blog.

Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed OracleIV. "Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable

Cloud Security: Don’t wait until your next bill to find out about an attack!

Cloud security is the best sort of altruism: you need to do it to protect yourself, but you help to protect everyone else at the same time.

The Life Cycle of a Compromised (Cloud) Server

Trend Micro Research has developed a go-to resource for all things related to cybercriminal underground hosting and infrastructure. Today we released the second in this three-part series of reports which detail the what, how, and why of cybercriminal hosting (see the first part here).

As part of this report, we dive into the common life cycle of a compromised server from initial compromise to the different stages of monetization preferred by criminals. It’s also important to note that regardless of whether a company’s server is on-premise or cloud-based, criminals don’t care what kind of server they compromise.

To a criminal, any server that is exposed or vulnerable is fair game.

Cloud vs. On-Premise Servers

Cybercriminals don’t care where servers are located. They can leverage the storage space, computation resources, or steal data no matter what type of server they access. Whatever is most exposed will most likely be abused.

As digital transformation continues and potentially picks up to allow for continued remote working, cloud servers are more likely to be exposed. Many enterprise IT teams, unfortunately, are not arranged to provide the same protection for cloud as on-premise servers.

As a side note, we want to emphasize that this scenario applies only to cloud instances replicating the storage or processing power of an on-premise server. Containers or serverless functions won’t fall victim to this same type of compromise. Additionally, if the attacker compromises the cloud account, as opposed to a single running instance, then there is an entirely different attack life cycle as they can spin up computing resources at will. Although this is possible, however, it is not our focus here.

Attack Red Flags

Many IT and security teams might not look for earlier stages of abuse. Before getting hit by ransomware, however, there are other red flags that could alert teams to the breach.

If a server is compromised and used for cryptocurrency mining (also known as cryptomining), this can be one of the biggest red flags for a security team. The discovery of cryptomining malware running on any server should result in the company taking immediate action and initiating an incident response to lock down that server.

This indicator of compromise (IOC) is significant because while cryptomining malware is often seen as less serious compared to other malware types, it is also used as a monetization tactic that can run in the background while server access is being sold for further malicious activity. For example, access could be sold for use as a server for underground hosting. Meanwhile, the data could be exfiltrated and sold as personally identifiable information (PII) or for industrial espionage, or it could be sold for a targeted ransomware attack. It’s possible to think of the presence of cryptomining malware as the proverbial canary in a coal mine: This is the case, at least, for several access-as-a-service (AaaS) criminals who use this as part of their business model.

Attack Life Cycle

Attacks on compromised servers follow a common path:

Initial compromise: At this stage, whether a cloud-based instance or an on-premise server, it is clear that a criminal has taken over. Asset categorization: This is the inventory stage. Here a criminal makes their assessment based on questions such as, what data is on that server? Is there an opportunity for lateral movement to something more lucrative? Who is the victim? Sensitive data exfiltration: At this stage, the criminal steals corporate emails, client databases, and confidential documents, among others. This stage can happen any time after asset categorization if criminals managed to find something valuable. Cryptocurrency mining: While the attacker looks for a customer for the server space, a target attack, or other means of monetization, cryptomining is used to covertly make money. Resale or use for targeted attack or further monetization: Based on what the criminal finds during asset categorization, they might plan their own targeted ransomware attack, sell server access for industrial espionage, or sell the access for someone else to monetize further.

 

Often, targeted ransomware is the final stage. In most cases, asset categorization reveals data that is valuable to the business but not necessarily valuable for espionage.

A deep understanding of the servers and network allows criminals behind a targeted ransomware attack to hit the company where it hurts the most. These criminals would know the dataset, where they live, whether there are backups of the data, and more. With such a detailed blueprint of the organization in their hands, cybercriminals can lock down critical systems and demand higher ransom, as we saw in our 2020 midyear security roundup report.

In addition, while a ransomware attack would be the visible urgent issue for the defender to solve in such an incident, the same attack could also indicate that something far more serious has likely already taken place: the theft of company data, which should be factored into the company’s response planning. More importantly, it should be noted that once a company finds an IOC for cryptocurrency, stopping the attacker right then and there could save them considerable time and money in the future.

Ultimately, no matter where a company’s data is stored, hybrid cloud security is critical to preventing this life cycle.

 

The post The Life Cycle of a Compromised (Cloud) Server appeared first on .