When an enterprise begins actively monitoring its network to establish its security posture, one component is often overlooked: vulnerability management. The core of that component is vulnerability scanning and subsequent remediation through patch management. Vulnerability scanning is an important part of a well-established vulnerability management program for a multitude of reasons, but the two main reasons are:
Scanning allows you to identify threats and weaknesses within all the devices on your network, including routers, switches, endpoints, printers, servers and web applications. Detecting vulnerabilities and taking corrective action is important to your overall security posture and essential in protecting valued data assets from internal and external threats. An enterprise must remember, however, that maintaining an effective vulnerability management program is an ongoing process. When it comes to vulnerabilities, malicious actors benefit from automation, crowdsourcing, big data, mobile, low-cost cloud computing, and other resources as much as an enterprise’s security team does. But the bad guys have the advantage: malicious actors need to find just one unpatched vulnerability, whereas a security team must find and patch all vulnerabilities. Though a host may be safe today after a spotless vulnerability scan, a malicious actor could discover a serious vulnerability tomorrow. The result can become a game of Whack-A-Mole — an endless cycle of identifying vulnerabilities and then racing against the clock to patch them before malicious actors develop exploits for them. Therefore, an enterprise should strive towards continuous vulnerability scans to discover those constant incremental changes. An enterprise might not have the scanning infrastructure or human capital needed to conduct and analyze continuous scans of its network environment, so it may need to explore outsourcing solutions that can do this cost-efficiently. Continuous vulnerability scans not only help organizations determine whether they are fixing the flaws they discover, they also help companies identify trends in the performance of the vulnerability management program, information which security managers and other executives can use to justify current and future budget allocation.
What is a vulnerability scan?
A vulnerability scan is often confused with a penetration test, and the two are often mistakenly used interchangeably, but they are quite different tests and processes within your vulnerability management program.
A vulnerability scan is performed by using a commercial software package to scan an IP address or range of IP addresses for known vulnerabilities. A scan typically consists of four stages:
It’s important to keep in mind that a vulnerability scan depends on a database of known vulnerabilities to test for; anti-virus software operates with the same dependency. Obviously, there are vulnerabilities that are unknown to the public at large, called 0-day vulnerabilities, and these scanners will neither detect them nor offer remediation.
There are different types of vulnerability scans, and each operates with a different level of thoroughness and activity. A simple vulnerability scan checks the Windows Registry and software version information to determine whether the latest patches and updates have been applied. A more comprehensive and thorough vulnerability scan, such as the kind that HLC performs, includes the aforementioned simple scan plus additional functionality that executes exploit code against the target to determine whether a vulnerability is actually exploitable.
Vulnerability Prioritization and Patch Management
The aforementioned scan results in a report that lists the discovered vulnerabilities, their severity, and remediation steps. After vulnerabilities are identified, they need to be evaluated so the risks they pose are dealt with appropriately and in accordance with the enterprise’s vulnerability management strategy. A vulnerability scan will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores help an enterprise decide which vulnerabilities to focus on first, but the true risk posed by a vulnerability should also consider these factors:
● Is this vulnerability a true or false positive?
● Could a malicious actor directly exploit this vulnerability from the Internet?
● How difficult is it to exploit this vulnerability?
● Is there known, published exploit code for this vulnerability?
● What would be the impact to the business if this vulnerability were exploited?
● Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
● How old is the vulnerability/how long has it been on the network?
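One way to turn the factors above into a working prioritization step, as an added example that is not part of the original article or HLC’s tooling: the script below takes scanner findings, drops confirmed false positives, adjusts the raw CVSS score by Internet exposure, public exploit availability, exploit difficulty, business impact, compensating controls and age, and ranks the remainder. The findings, CVE-style identifiers and the weights are constructed assumptions chosen for illustration; a real program would tune the weights to its own risk appetite.

```python
"""Rank scanner findings by contextual risk rather than raw CVSS alone.

Added example, not code from the original article. Sample findings and
weights are constructed; the identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    host: str
    vuln_id: str               # placeholder identifier (constructed)
    cvss: float                # base score as reported by the scanner
    false_positive: bool       # confirmed by an analyst
    internet_exposed: bool     # reachable from the Internet?
    exploit_public: bool       # published exploit code exists?
    exploit_difficulty: str    # "low", "medium" or "high"
    business_impact: str       # "low", "medium" or "high"
    compensating_controls: bool
    age_days: int              # how long it has been on the network


# Assumed weights: multiplicative factors around the CVSS base score.
DIFFICULTY_FACTOR = {"low": 1.3, "medium": 1.0, "high": 0.7}
IMPACT_FACTOR = {"low": 0.7, "medium": 1.0, "high": 1.4}
INTERNET_FACTOR = 1.5
PUBLIC_EXPLOIT_FACTOR = 1.3
CONTROLS_FACTOR = 0.6
AGE_CAP_DAYS = 180   # age contributes up to 2 points, saturating at 180 days
AGE_MAX_BONUS = 2.0


def risk_score(f: Finding) -> float:
    """Adjust the scanner's CVSS score by the contextual factors listed above."""
    score = f.cvss
    if f.internet_exposed:
        score *= INTERNET_FACTOR
    if f.exploit_public:
        score *= PUBLIC_EXPLOIT_FACTOR
    score *= DIFFICULTY_FACTOR[f.exploit_difficulty]
    score *= IMPACT_FACTOR[f.business_impact]
    if f.compensating_controls:
        score *= CONTROLS_FACTOR
    # The longer a flaw has sat unpatched, the more urgent it becomes.
    score += min(f.age_days, AGE_CAP_DAYS) / AGE_CAP_DAYS * AGE_MAX_BONUS
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Drop false positives, then order by adjusted risk, highest first."""
    real = [f for f in findings if not f.false_positive]
    return sorted(real, key=risk_score, reverse=True)


# Constructed sample findings, as a scanner report might be exported.
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-PLACEHOLDER-1", 7.5, False, True, True, "low", "high", False, 30),
    Finding("db01", "VULN-PLACEHOLDER-2", 9.8, False, False, False, "high", "high", True, 10),
    Finding("fs01", "VULN-PLACEHOLDER-3", 10.0, True, True, True, "low", "high", False, 5),
    Finding("pc42", "VULN-PLACEHOLDER-4", 5.3, False, False, True, "medium", "medium", False, 400),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.host:6}  {f.vuln_id}  (CVSS {f.cvss})")
```

Note how the ordering differs from a CVSS-only sort: the CVSS 9.8 finding on the internal, well-controlled database host falls below an Internet-facing 7.5 with public exploit code and even below an old medium-severity flaw on a workstation.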
Patch management is important for the security of your enterprise and imperative to a successful vulnerability management program. Some patches are released just to fix a functionality issue, but often they are released to fix security issues. As soon as a piece of software is released, malicious actors attempt to exploit it through vulnerabilities; when they succeed, patches and a patch management process are needed. Patches protect your network and data from constantly evolving malicious actors, but they can only do their job if you have a system in place to discover and analyze vulnerabilities through a vulnerability scan and to manage and apply patches through a patch management process.
Stressing the importance of vulnerability scanning and patch management: malicious actors looking to infiltrate and compromise networks are using the same vulnerability scanners to identify weaknesses and find the easiest path to their desired goal. While a vulnerability scan and patch management are not a perfect security solution, they are tools that can help proactively identify issues and resolve them before attackers have a chance to exploit them. Most importantly, a vulnerability scan is essential to an effective vulnerability management program and an enterprise’s overall security posture. However, the results of a vulnerability scan are only as valuable as the willingness to accept them, act and remediate. Simply identifying vulnerabilities might be enlightening, but in and of itself it does very little to reduce your risk or improve your security.
Enslaved As Miner Against Your Will? Recent Malware Attacks May Have Your Systems Mining Crypto Without Your Knowledge
In the past few months, HLC has been noting a decided uptick in one type of malware: crypto currency mining. While our solutions have prevented these infections, the malware is often embedded into .png picture files, making it appear all the more innocuous to the user who is inadvertently infected.
Since the introduction of Bitcoin in 2009, the popularity and adoption of cryptocurrencies as an asset class has grown at a rapid pace. Once reserved for black market activity, hobbyists, mathematicians, and computer geeks, cryptocurrency is now a global topic of interest with a market capitalization of ~$400 billion, and it continues to rise with Initial Coin Offerings (ICOs) further funding the development of cryptocurrency-related projects. Unfortunately, the anonymity provided by digital currencies has quickly been abused for illegal extortion, as was the case during the various ransomware outbreaks we’ve witnessed in the last few years. As the value of cryptocurrencies has increased significantly, a new kind of threat has become mainstream and replaced ransomware extortion: cryptocurrency mining malware. Malware creators target outside computing power because the price of a dedicated cryptocurrency mining machine easily exceeds thousands of dollars. The emergence of cryptocurrencies that can be mined by average computers has attracted malware creators and has contributed to the widespread abuse we are witnessing globally.
What Is Crypto Mining and How Do You Get Infected?
Cryptocurrency mining is a record-keeping service performed using computer processing power. Transactions are recorded in blockchains, which function as a public ledger. The consistency and completeness of the blockchain is maintained in an unalterable state by miners, who repeatedly verify newly broadcast transactions and collect them into blocks. Cryptocurrency mining malware comes in many forms, for many different operating systems and application platforms, but the common theme among all of them is threat actors leveraging the computing power of as many compromised devices as possible to maximize mining profitability. It is critically important for the malware creator that the cryptocurrency mining malware infects as many systems as possible, to control a larger pool of CPU resources for mining. Let’s investigate the common malware delivery methods for cryptocurrency mining.
The WannaCry ransomware, a highly publicized piece of malware, exploits the leaked EternalBlue and DoublePulsar vulnerabilities, and different malware groups modified it to leverage the same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue. Other vulnerabilities, such as a flaw in Oracle’s WebLogic Server (CVE-2017-10271), were also used to deliver miners onto servers at universities and research institutions. Servers are a favorite among malware creators because they offer the highest hash rate for the mathematical operations cryptomining requires. Existing malware families like Trickbot, which is distributed via malicious spam attachments, have added a cryptocurrency miner module to their payload. Another commonly used delivery method is fake software patches for highly publicized vulnerabilities such as Spectre and Meltdown. A favorite among these is SmokeLoader, and cryptocurrency miners have become its most commonly installed payload.
Indicators of Compromise: Identifying Infection
There are three common indicators of compromise (IoCs) on every infected victim’s device.
First, for cryptocurrency mining to occur, the malware runs background processes on the infected host that consume a large share of its resources, so its performance slows down significantly. Common symptoms are an overheating system due to constant CPU and GPU overuse, drastic performance degradation, and hardware malfunction. Open a resource monitor on your computer to check whether CPU usage is abnormally high; on a Mac that’s Activity Monitor, and on Windows it’s Task Manager. The worst part is that there is often no residual file, which is known as fileless malware, making it very difficult to detect and impossible for standard signature-based anti-malware software to catch. What is fileless malware? Just as the name suggests, fileless malware is a variant of malicious code that affects your system without leaving an installed file on the victim’s device. Fileless malware is written directly into the device’s working memory, RAM. You may think a simple reboot will remove the malware; however, the malware code is also injected into commonly running processes such as service.exe and chrome.exe so that it persists across reboots.
Second, in order to achieve maximum profitability mining cryptocurrency, the malware must connect to a C&C (command and control) server to download the cryptocurrency mining software and execute it without leaving a file. Most importantly, the malware must add the compromised host to a mining pool network. This abnormal network traffic is a common way to confirm you’re a victim of cryptocurrency mining malware. All mining software must be able to connect to either the cryptocurrency network or a mining pool to exchange data and submit its proof-of-work. Without this connection, it cannot get the data it needs to generate hashes, rendering it useless. Malware creators will also add network rules to block the ports associated with the exploited vulnerability, closing the proverbial door behind them against other potential attacks. This is done to keep the infected system to themselves and close it off to any other malware targeting the same vulnerability. Not only are malware creators mischievous, but apparently greedy as well.
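The first two indicators above (sustained CPU overuse and a connection to a mining pool or C&C host) can be correlated on a host, as this added example shows; it is not code from the original article or from HLC. The process CPU samples, netstat-style connection records and the pool blocklist are all constructed for illustration, the host names use reserved example domains, and in practice the blocklist would come from a threat-intelligence feed or the anti-virus vendor’s firewall rules described later.

```python
"""Correlate sustained CPU overuse with connections to known mining pools.

Added example, not code from the original article. All input data below is
constructed; the blocklist stands in for a real threat-intelligence feed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed: per-process CPU %, sampled three times one minute apart.
# (sample_no, pid, image, cpu_percent). "service.exe" mirrors the kind of
# innocuous-looking process name the article says miners inject into.
CPU_SAMPLES: List[Tuple[int, int, str, float]] = [
    (1, 1204, "chrome.exe", 12.0),
    (1, 2310, "service.exe", 97.5),
    (1, 880, "explorer.exe", 1.2),
    (2, 1204, "chrome.exe", 8.0),
    (2, 2310, "service.exe", 98.1),
    (2, 880, "explorer.exe", 0.9),
    (3, 1204, "chrome.exe", 45.0),
    (3, 2310, "service.exe", 96.4),
    (3, 880, "explorer.exe", 1.5),
]

# Constructed: netstat-style records (pid, remote_host, remote_port).
CONNECTIONS: List[Tuple[int, str, int]] = [
    (1204, "www.example.com", 443),
    (2310, "pool.example-miner.test", 3333),
    (880, "update.example.org", 80),
]

# Constructed blocklist of mining-pool / C&C destinations (assumption).
POOL_BLOCKLIST = {"pool.example-miner.test", "stratum.example-miner.test"}

CPU_THRESHOLD = 90.0   # percent; assumed
MIN_SAMPLES = 3        # must exceed the threshold in every sample


def image_names(samples) -> Dict[int, str]:
    """Map pid -> image name from the CPU samples."""
    return {pid: image for _, pid, image, _ in samples}


def sustained_cpu_hogs(samples, threshold=CPU_THRESHOLD,
                       min_samples=MIN_SAMPLES) -> Dict[int, str]:
    """Return {pid: image} for processes above `threshold` in every sample.

    A single spike (chrome.exe at 45%) is normal; a miner stays pinned.
    """
    by_pid = defaultdict(list)
    for _, pid, _, cpu in samples:
        by_pid[pid].append(cpu)
    names = image_names(samples)
    return {pid: names[pid] for pid, cpus in by_pid.items()
            if len(cpus) >= min_samples and all(c >= threshold for c in cpus)}


def pool_connections(connections, blocklist=POOL_BLOCKLIST) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (host, port)} for connections to blocklisted destinations."""
    return {pid: (host, port) for pid, host, port in connections if host in blocklist}


def suspected_miners(samples, connections, blocklist=POOL_BLOCKLIST) -> List[dict]:
    """Flag processes showing either indicator; both together is high confidence."""
    hogs = sustained_cpu_hogs(samples)
    pools = pool_connections(connections, blocklist)
    names = image_names(samples)
    findings = []
    for pid in sorted(set(hogs) | set(pools)):
        indicators = []
        if pid in hogs:
            indicators.append("sustained_cpu")
        if pid in pools:
            indicators.append("pool_connection")
        findings.append({
            "pid": pid,
            "image": names.get(pid, "unknown"),
            "indicators": indicators,
            "remote": pools.get(pid),
            "confidence": "high" if len(indicators) == 2 else "low",
        })
    return findings


if __name__ == "__main__":
    for hit in suspected_miners(CPU_SAMPLES, CONNECTIONS):
        print(hit)
```

Neither indicator alone is conclusive: a video encoder pins the CPU legitimately, and a blocklisted destination might be a stale entry. Requiring both before raising a high-confidence alert keeps the false-positive rate manageable while still surfacing single-indicator hits for review.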
Third, websites have become the biggest culprits of cryptocurrency mining campaigns, specifically Coinhive and its derivatives. Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on websites. The code utilizes the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine cryptocurrency. Coinhive is pitched as a way for website owners to earn an income without running intrusive or annoying advertisements. However, Coinhive’s code has emerged as the top malware threat because the code is installed on victimized websites. If you surf to a particular website with no other browser tabs open and no other applications running and notice a huge spike in CPU usage while on that site, then it is likely running a cryptocurrency mining campaign such as Coinhive unbeknownst to its visitors. Commonly, cryptocurrency mining malware will automate and force visits to these particular websites in foreground and background browser tabs to generate cryptocurrency revenue.
By now, you’ve learned that cryptocurrency mining malware is something you want to avoid. How do you avoid infection? And what should you do upon learning you’re infected?
You didn’t think you would make it through this article without yet another reference to common sense, right? As previously described, the numerous methods for delivering cryptocurrency mining malware center around careless mistakes such as installing trojanized mobile apps from your app store of choice, Apple App Store or Google Play, opening a malicious attachment, or surfing to a website with malicious code installed. Since no one reading this is going to be happy with the gratuitous common sense takeaway, here are some other simple steps to take if you’d like additional protection to ward off pesky cryptocurrency mining malware:
First, avoid mobile apps with few or no app reviews. Apple has an extensive mobile app review process, but trojanized apps still find a way through, as we saw with the XcodeGhost malware that was installed in over 4000 mobile apps. Review the mobile app developer’s logo and profile to confirm that the app you’re about to download is the legitimate one and not merely a copy with malware added by a malicious actor. This practice is more prevalent on Google Play because of the open source policy and developer freedom that Android practices, which results in less oversight of mobile app distribution.
Second, install a trusted browser extension to detect Coinhive website code. Common Chrome browser extensions that block Coinhive code are Miner Detector, Coin-Hive Blocker and No Coin. These blockers review a website’s code and alert the end user that Coinhive or other common cryptocurrency mining code has been detected and blocked. As with trojanized mobile apps, ensure that the browser extension you are installing is not a knock-off of a trusted extension, because malware creators are always looking for any method to get you to make that careless mistake.
Third, while your standard anti-virus software is rendered useless against fileless cryptocurrency mining malware, it can protect you against the network traffic the malware needs to participate in a cryptocurrency mining pool. Large anti-virus software companies have the scalable resources to identify and research cryptocurrency mining campaigns and thus constantly update their host firewall rules to ensure that network traffic to the aforementioned command and control and mining pool servers is blocked. This feature eliminates the need for users to tediously monitor cryptocurrency mining pools and update their hosts file to redirect network traffic destined for those C&C servers.
As we’ve discussed, cryptocurrency mining malware has gone mainstream and will only continue to grow in deployment and proliferation, thanks in large part to cryptocurrencies’ values and the difficulty of confidently detecting it. As we face this increasing threat, we must remain vigilant in the proactive steps we take to avoid and remediate cryptocurrency mining malware. Those steps combine the common sense measures discussed above with relying on a trusted provider like HLC to help you navigate pre- and post-infection troubles. That powerful combination is necessary in the continually escalating battle against cryptocurrency mining malware and other emerging malware types.