On Friday June 7, I had the pleasure of being invited back a second time to speak to students in the cybersecurity program at Sheridan College’s Faculty of Applied Science and Technology. This is such a great way to encourage the next generation, to give back to our security community, and I honestly think I’m the one who learned more from the students in our fun discussions afterward! Thank you so very much for asking me.
As promised, a little overdue, here are my slides and I hope they are helpful.
Over the past two years we have seen an evolution in botnets from instruments of mass disruption to exploit-enhanced armies amassed from hundreds of thousands of vulnerable IoT devices used for cryptomining and control.
Attackers have turned from ransomware to miners in their quest for monetization, seizing the opportunity for a guaranteed return on investment. No risk, no overhead, no ransom. There is a wealth of resources in enterprise environments to feed the high CPU and energy demands of hungry miners while evading detection. Attackers are leveraging widespread critical vulnerabilities on enterprise systems to gain access and propagate. And once inside those data-rich enterprise networks – there are other opportunities to be mined for both criminals and nation state attackers.
As we move past outages to destructive payloads, what should we expect when weaponization meets automation? That’s what I wanted to do with this talk – present the evolution of botnets and miners from annoyance to adversary, and discuss how we need to reassess our attack surfaces from IoT to enterprise.
Since January 2018, when I first read about the massive cryptomining botnet, Smominru, I was hooked and had to learn more about how hundreds of thousands of vulnerable IoT devices could become zombies in a botnet army that was used to mine bitcoin. Last year I spoke on the rapid evolution of botnets, but cryptominers have taken on a life of their own, and present an increasing threat to enterprise systems, which are often behind in patching cycles and therefore vulnerable to opportunistic attackers, ready with exploits.
When it comes to botnets, we perceive an increasing attack surface in terms of IoT devices, but malevolent cryptominers have discovered the land of opportunity in enterprise systems, where there is an abundance of CPU power and energy sources, so they are less detectable. Botnets have increased by more than 500% since 2017, and there has been a fifteen-fold increase in cryptomining across 2018 into 2019. Attackers have leveraged sophisticated exploits from the Shadow Brokers’ stolen cache of NSA goodies, like EternalBlue, to gain access and spread. But they are also making the most of Windows systems and internals, utilizing PowerShell, and “living off the land” to
With a guaranteed return on investment at almost no cost and no risk, cryptominers present a “nothing to lose, everything to gain” incentive for criminals and attackers. But how seriously are they being taken as a threat by organizations? In my opinion, not seriously enough. While current facts may not show them as a blip on the threat radar screen, the tactics and evolution warn of what is coming. I’ve tried to share two years of my fascination and research on how botnets and cryptominers have moved from annoyances against individuals to weaponized attacks on enterprise systems.
The simple fact is, you won’t find what you’re not looking for. Enterprise systems don’t have a great detection rate for cryptominers. My objective is to create awareness around how attackers are leveraging current enterprise vulnerabilities in conjunction with sophisticated exploits so that botnets and miners evade detections in place. Because once they’re in your network, they can do a lot more than mine bitcoin.
I provide some details on which CVEs, which exploits, and which tactics are being used by attackers; which ports should be monitored and are used by miners; how Linux, Docker and Mac are now targets; and articles and sources on recent attacks. Some attacks I use to illustrate are:
- Kingminer: brute-force entry on servers running MS IIS/SQL, disabling configuration file with API for evasion
- PSMiner: backdoor Trojan cryptominer targeting Linux and macOS via
- Docker rigs: cryptojacking campaigns on vulnerable Docker rigs leveraging CVE-2019-5736 to overwrite the runc binary and create a container escape to write arbitrary code
- Smominru: massive cryptomining rig leveraging EternalBlue and WMI
- WireX: botnet of Android devices infected through Google Play Store apps to connect them to a headless web browser and encrypt malicious traffic using SSL
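The talk notes that miners use ports worth monitoring without listing them here, so as an added illustration (not code from the talk or its slides), this Python snippet scans constructed egress-log lines for two generic miner-to-pool signals: the stratum URI scheme and a set of pool ports; the port list and the log format are assumptions, not values from the slides.

```python
# Added example, not part of the original post. Flags egress log lines that
# look like miner-to-pool traffic. MINER_PORTS and the log format are assumed.
import re
from typing import Dict, List

# Assumption: ports commonly exposed by public mining pools. Port 3333 and
# 4444 also see legitimate use, so treat hits as leads for triage, not verdicts.
MINER_PORTS = {3333, 4444, 5555, 7777, 14444, 14433}

# Stratum is the de facto miner-to-pool protocol; its URI scheme is a strong signal.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)

# Constructed log format: "<ts> src=<ip> dst=<ip>:<port> bytes_out=<n> [uri=<str>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
    r" bytes_out=(?P<bytes>\d+)(?: uri=(?P<uri>\S+))?$"
)


def classify(line: str) -> Dict[str, str]:
    """Return a finding for a suspicious line, or an empty dict if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return {}  # unparsable lines are skipped rather than guessed at
    port = int(m["port"])
    uri = m["uri"] or ""
    reasons = []
    if STRATUM_RE.search(uri):
        reasons.append("stratum URI")
    if port in MINER_PORTS:
        reasons.append(f"pool port {port}")
    if not reasons:
        return {}
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "reason": "; ".join(reasons)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a batch of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log using documentation-range IP addresses.
SAMPLE_LOG = [
    "2019-06-07T10:00:01Z src=10.1.2.3 dst=203.0.113.10:443 bytes_out=1200 uri=https://example.com/",
    "2019-06-07T10:00:05Z src=10.1.2.44 dst=198.51.100.7:3333 bytes_out=9800 uri=stratum+tcp://pool.invalid:3333",
    "2019-06-07T10:00:09Z src=10.1.2.44 dst=198.51.100.8:14444 bytes_out=500",
    "2019-06-07T10:00:12Z src=10.1.2.9 dst=203.0.113.11:80 bytes_out=300 uri=http://example.net/",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```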
CVEs/vulnerabilities used for RCE:
- CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security
- CVE-2010-1871: JBoss Seam Framework
- JBoss AS 3/4/5/6
- CVE-2017-10271: Oracle WebLogic wls-wsat Component
- CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- Hadoop YARN ResourceManager – Command Execution
- CVE-2016-3088: Apache ActiveMQ Fileserver File Upload
So, yeah, if you’re working in a medium to large organization then chances are excellent you’ve got some of the above in your enterprise network environment. Do I need to remind you about those active exploits against Oracle WebLogic – again? Go patch!