Students at St. Francis Xavier University in Nova Scotia were caught off guard recently when they logged on to check their grades and work on projects in the run-up to semester finals. To their surprise, the school’s network had been shut down to thwart a Bitcoin-associated crypto mining attack.
“The university’s swift response affected basic access to network resources such as Wi-Fi and educational software application Moodle. Meanwhile, student payment cards and debit transactions were temporarily inoperable,” reports IBM’s Security Intelligence.
The attack happened on November 8, and weeks later, the university’s systems are still not fully back online. While the exact method hackers used to breach the system still isn’t clear, speculation has centered on a tried-and-true trojan (i.e., the email that looks like it’s from your bank, but isn’t).
One of the oldest tricks in the book
When ancient Greek scribes wrote the history of Troy and the imagination-capturing Trojan Horse attack that allowed the city to fall after a 10-year siege, they probably never imagined that this cunning ruse would still be in use over 2,000 years later. Of course, today’s “Troy” isn’t the city found in Homer’s poem The Odyssey; instead, it’s your computer. Or in the case of St. Francis Xavier University, the entire network.
Trojan malware has been delivering viruses for almost as long as malware has been around. Through a combination of education and seamless security, MSPs have come a long way toward neutralizing trojans. However, trojan attacks are evolving. No longer as successful at getting your banking information as they once were, hackers are shifting their goals.
Trojans meet cryptos
What MSPs need to be aware of is the convergence of cryptocurrency and traditional trojan techniques. That’s because cryptocurrency solves a problem that garden-variety ‘steal your bank account information’ attacks can’t, namely: how to get the money.
“In the traditional use of malware, it is easy to steal victim’s money but bringing the money to where criminals are operating from is the most difficult part,” shares Nir Kshetri, a cybersecurity professor from the University of North Carolina-Greensboro.
Kshetri tells SmarterMSP that some international cybercriminals even go so far as to send people to the victims’ country to collect the funds. Or they co-opt unwitting money mules to move the cash around, but that is an expensive, risky, and often low-success strategy.
Ransomware solves many of these issues for hackers, Kshetri says, because it eliminates the need for mules and it creates a direct victim-to-hacker payment pipeline. However, the payout rate of ransomware is relatively low.
“Consider WannaCry, a ransomware which infected about 300,000 computers in 150 countries. In this case, the number of infected computers that complied with the demands was about 0.06 percent,” Kshetri says.
This is where the combination of cryptocurrency and the old-fashioned trojan becomes very attractive to the time-pressed hacker. An unwitting victim may open a perfectly innocuous-looking email from a source that isn’t suspect, carrying an undetectable payload, and begin the cryptomining process. In this sense, it is the true trojan the Greeks envisioned in Homer’s era: undetectable.
“Cryptomining is one way to make use of all infected computers. Cybercriminals often prefer to employ techniques to maintain stealth-lines. Crypto-malware is perfect for this,” Kshetri says. While Bitcoin grabs headlines, it is currencies like Monero that tout their privacy and lack of traceability by hiding the transaction’s sender, receiver, and amount.
“To achieve this, Monero mixes ’coins’ with other forms of payment. This makes it nearly impossible to link a transaction to any particular identity or previous transaction from the same source when you search Monero’s blockchain,” Kshetri says.
Cryptomining can slow down networks and cause severe spikes in power usage. And in some cases, whole networks can be compromised. Just ask the students at St. Francis Xavier.
“I would not consider this as a victimless crime. For some users, being forced to work with a slow computer all the time might be even more painful than paying a ransom (which was about $300-600 for WannaCry),” Kshetri explains. Moreover, another risk is that once a user is infected, the criminal has breached your network and is able to do more damage when a future opportunity arises.
Putting better defenses in place
Kshetri says MSPs should make sure software is updated regularly. Cryptocurrency criminals are heavily targeting unlicensed products, so it is important not to cut corners. Unlicensed products, according to Kshetri, are rampant in Asia. Bangladesh and Pakistan have, not coincidentally, seen some of the highest rates of cryptocurrency mining. Unlicensed software is still a problem in many businesses across the United States, which is why MSPs need to be vigilant about rooting it out when taking over an existing network. For the vast majority of MSPs, the issue isn’t using unlicensed software themselves; it’s inheriting it in an existing network when signing on a client.
When taking on the care of a new customer’s network, it can be easy to overlook unlicensed software. There’s the excitement of having a new client, shoring up traditional defenses, and getting paperwork in order, which means checking licensing can get pushed back. With miners on the prowl, checking licensing should be a top priority for service providers.