8/21/2018

Anatomy of a Hack: How Cryptojacking Works, Why It's Growing, Its Risks and Detection

[Sponsor logos: Sponsored by / Made possible by / Thanks to]

© 2018 Monterey Technology Group Inc.
Preview of Key Points
• Crypto mining
• Two ways crypto mining is used without consent that are relevant to infosecurity
  • Browser-based cryptojacking (demo)
  • Targeted installation of crypto mining software (demo)
• How risky is this?
• How to prevent
• How to detect

Crypto mining
[Diagram: transactions flowing to a network of miners]
8/21/2018

To profit from
 You need to spend less on the equipment, space, power, cooling and
crypto mining bandwidth than you win in terms of cryptocurrency
 …. Or use someone else’s equipment, space, power, cooling and
bandwidth for free

Mining the
hard way

By Xiangfu [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], from Wikimedia Commons

3
Mining the Coinhive way
[Diagram: mining via a pool]

Illicit crypto mining
• Crypto mining pools are set up to allow many "participants" to pool their resources
• In one way or another, illicit crypto mining uses some kind of pool
• Two ways crypto mining is used without consent that are relevant to info security
  • Browser-based cryptojacking
  • Targeted installation of crypto mining software
Targeted installation of crypto mining software
• An insider (typically privileged) installs crypto mining software on systems at their employer
• An outsider gains access to an organization's systems and, finding no information of value, chooses to install crypto mining software instead of launching a ransomware attack

Targeted installation of crypto mining software (demo)
• ccminer
Crypto jacking
• Crypto mining only requires CPU and Internet access
  • No privileged access
  • No access to file system
  • No ability to run EXEs
  • Not even persistence
• This makes the JavaScript engine in your web browser a perfect vehicle for crypto mining
  • CPU
  • GPU

Crypto jacking
• Here's what it takes to get a browser to start mining for you
  • Register at Coinhive or another place
  • Paste a few lines of JavaScript code into a webpage:

    <script src="https://authedmine.com/lib/authedmine.min.js"></script>
    <script>
    var miner = new CoinHive.Anonymous('YOUR_SITE_KEY', {throttle: 0.3});

    // Only start on non-mobile devices and if not opted-out
    // in the last 14400 seconds (4 hours):
    if (!miner.isMobile() && !miner.didOptOut(14400)) {
      miner.start();
    }
    </script>

  • Wait for someone to load the page
• Here's a page that demonstrates legit/honest crypto mining (no consent per se): https://github.com/C0nw0nk/CoinHive
Crypto jacking
• Website owners
  • Transparent
  • Illicit
• Compromised websites
• Routers
• Public Wireless Access Points
• Apps

Cryptojacking via MitM
[Diagram: cryptojacking via MitM]
Cryptojacking via compromised website
• Persistent drive-by cryptomining coming to a browser near you
  • https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/

Cryptojacking
• Not necessary to directly compromise the website
  • Insert Coinhive into themes and plugins for WordPress, Drupal, etc.
  • So website owners are sometimes not even aware they are causing visitors' devices to participate in mining pools
• Links to Coinhive-embedded webpages on Facebook, Instagram, Pinterest, LinkedIn
• Compromised MikroTik routers inject a copy of the Coinhive library into all the pages served through the router
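An added example, not code from the webinar or from Coinhive, of the site-owner side of the two slides above: a small Python scanner that flags the inclusion pattern shown on the earlier slide (a script tag pulling a known miner library, the CoinHive constructor, a miner.start() call) in a page's HTML, so a WordPress or Drupal owner can check what their themes and plugins actually emit. The host list holds only the two hosts named on the slides, and the sample pages are constructed; a real run would load CoinBlockerLists instead.

```python
"""Flag in-browser miner inclusions in HTML, e.g. what a WordPress or Drupal
theme actually emits (added example; not Coinhive's or the webinar's code)."""
import re
from urllib.parse import urlparse

# Hosts that serve browser-mining libraries. Both entries come from the
# slides; a real deployment would load CoinBlockerLists instead.
MINER_SCRIPT_HOSTS = {"authedmine.com", "coinhive.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Inline-script markers: the CoinHive constructor and the start() call.
INLINE_MARKERS = [
    ("coinhive-constructor", re.compile(r"new\s+CoinHive\.\w+\s*\(")),
    ("miner-start", re.compile(r"\bminer\.start\s*\(")),
]

def host_matches(host, blocklist):
    """True if host or any parent domain is on the blocklist."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def scan_html(html, blocklist=MINER_SCRIPT_HOSTS):
    """Return (finding, evidence) tuples for one HTML document."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        # Handle absolute and protocol-relative URLs; relative paths match nothing.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host_matches(host, blocklist):
            findings.append(("miner-library-include", src))
    for name, pattern in INLINE_MARKERS:
        m = pattern.search(html)
        if m:
            findings.append((name, m.group(0)))
    return findings

# Constructed sample page embedding the snippet from the slides.
SAMPLE_PAGE = """<html><body><h1>Hello</h1>
<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('YOUR_SITE_KEY', {throttle: 0.3});
if (!miner.isMobile() && !miner.didOptOut(14400)) { miner.start(); }
</script></body></html>"""
# Constructed clean page for comparison.
CLEAN_PAGE = '<body><script src="https://cdn.example.com/app.js"></script></body>'

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(*finding)
```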

Risks
• Productivity
• Battery
• Slowness
• "When dozens of machines get locked up at a company, or when important work is lost due to a mining glitch, this can have a serious effect on an organization's network" - Wired
• Liability
• Embarrassment
• SCADA
• Hardware damage
• Denial-of-service
• Power and cooling costs

Prevention
• Targeted
  • Application control
  • Privileged account management
• Crypto-jacking
  • Browser features and extensions
  • Blocking outbound connections to crypto-mining sites
  • Anti-malware
How to detect
• Users begin opening tickets for slow PCs
• CPU usage departing from baseline
• JavaScript calls necessary for mining
  • OpenGL?
  • Obfuscation
• Outbound connections to known crypto-mining pools
  • https://gitlab.com/ZeroDot1/CoinBlockerLists
  • Hard to maintain because attackers have two reasons to set up their own C&C intermediary
    • Stealth
    • Avoid Coinhive fees
• IOC strings
• Anti-malware products
• UEBA
• Process monitoring
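An added example, not part of the webinar, of two of the detection signals above in Python: matching outbound destinations from a proxy log against a hosts-file style blocklist (one of the formats CoinBlockerLists publishes), with parent-domain matching because pools use subdomains, and flagging CPU usage that stays above a per-host baseline for a sustained run rather than a single spike. The blocklist, log lines and CPU samples are constructed and the pool domains are made up.

```python
"""Two detection signals from the slides over constructed data: outbound
connections to listed mining-pool hosts, and CPU usage that stays far
above a per-host baseline (a single spike is normal; miners pin the CPU)."""
import statistics

# Constructed blocklist in hosts-file style ("0.0.0.0 domain"), one of the
# layouts CoinBlockerLists publishes; these domains are made up.
BLOCKLIST_TEXT = """# constructed sample, not a real list
0.0.0.0 pool.example-miner.test
0.0.0.0 ws.example-miner.test
"""
# Constructed proxy log lines: "timestamp src_ip dest_host:port bytes".
PROXY_LOG = """2018-08-21T10:00:01 10.1.2.3 www.example.com:443 5120
2018-08-21T10:00:05 10.1.2.3 ws.example-miner.test:443 400
2018-08-21T10:00:12 10.1.2.3 stratum.pool.example-miner.test:3333 200
"""
BASELINE_CPU = [12, 15, 10, 14, 11, 13, 12, 16, 9, 13]  # constructed, percent
RECENT_CPU = [14, 92, 95, 97, 96, 94, 93]                # constructed, percent

def load_blocklist(text):
    """Parse hosts-style lines into a set of domains, skipping comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(line.split()[-1].lower())
    return domains

def host_on_list(host, blocklist):
    """Match the host or any parent domain (pools often use subdomains)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_pool_connections(log_text, blocklist):
    """Return (timestamp, src_ip, dest_host) for each hit against the list."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dest, _size = line.split()
        host = dest.rsplit(":", 1)[0]
        if host_on_list(host, blocklist):
            hits.append((ts, src, host))
    return hits

def sustained_cpu_anomaly(baseline, recent, z=3.0, min_run=5):
    """True if min_run consecutive samples exceed baseline mean + z*stdev."""
    threshold = statistics.mean(baseline) + z * (statistics.pstdev(baseline) or 1.0)
    run = 0
    for sample in recent:
        run = run + 1 if sample > threshold else 0
        if run >= min_run:
            return True
    return False
```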

Other benefits of detecting crypto-mining
• Indicative of possibly compromised components by an outside attacker
• Indicative of a possible malicious insider
• Catch them before they go further
Bottom line
• Eric Sun will show us how their InsightIDR solution specifically helps to detect crypto-jacking and more broadly unifies SIEM, UBA, ABA, and EDR capabilities to provide real-time visibility and incident detection across your network, endpoints, and cloud services.
Who is Eric?
• Sr. Solutions Mgr, Detection & Response
• Behavior analytics & risk management background
• Crypto-enthusiast

Effective security requires a partnership between Security, IT, and Development teams.

IT: Patch Vulnerabilities, Deprovision Users, Fix Misconfigurations
SECURITY: Assess Vulnerabilities, Identify Attackers, Set Policy
DEV: Secure Applications, Secure App Infrastructure, Secure App Users
…but these teams often operate in silos.
[Diagram: DEV, SECURITY and IT as separate silos]

Rapid7 powers the practice of SecOps
The Rapid7 Insight Platform
[Diagram: IT, SECURITY, DEV]

A Constant Pulse on Attacker Behavior
[Figure: Project Heisenberg Honeypots; Rapid7 MDR, InsightIDR, InsightUBA Customers (clusters)]
Rapid7 Managed Detection & Response
• ~20 billion events/day
• Pre-Breach, Breach and Post-Breach Monitoring
• 1000s of Incident Investigations, hundreds of orgs
• Not traditional MSSP: 24/7 Expertise & Tech, Investigation & Response
So How Do Attackers Succeed?
• Vulnerabilities: Undocumented Functionality (MikroTik, VPNFilter, WebLogic)
• Misconfigurations: Exploit Lack of Least Privilege
• Credentials: Abuse Trust (People & Network)

Both Blue & Red @Rapid7
1. Under the Hoodie: Analysis of 268 of our Pen Tests
2. Multiple industries & org sizes
3. What can we learn?
Rapid7 Under the Hoodie Research
2018 Edition: 268 Pen Tests
• 67%: Pen Testers gained full admin control
• 82% of engagements: 1 week or less
• 61% evaded detection!

How can teams improve?
Disparate Data Sources for Visibility
• Vulnerabilities, Misconfigurations, Credentials
[Diagram: IaaS, Servers, User Behavior, Applications, Directory Services, Web Apps, Endpoints, Files & Shares, Network, Cloud Services]

Unify / Detect / Respond
[Same data-source diagram, unified]
ATT&CK Focused SIEM
Unify / Detect / Automate

Solution Architecture
[Diagram: sources (Remote Endpoints, Microsoft AD Infrastructure, Existing Security Solution Events and Alerts, Network Log Events, Real-Time Endpoint Events, Enterprise Cloud Apps); On-Premise Collectors and Deception Technology; SSL to the InsightIDR Insight Platform (Attacker Analytics, User Behavior Analytics, Machine Learning, Log Search & Visualization); Security Team]
Demo: Insight Platform
• User & Attacker Behavior Analytics
• Included EDR Agent & Deception Tech
• Try our free trial!