In a March 13, 2018 blog post by Imperva’s Elad Erez and Luda Lazar, they revealed an ongoing attack which uses a picture of Scarlett Johansson to compromise PostgreSQL servers. It creates different payloads, implements evasion techniques, installs and ultimately, uses the server’s resources to mine Monero Cryptocurrency.
Ransomware Vs. Cryptominers
The report gets technical as good analysts usually do but as far as cyber security strategy goes, these are a few pointers we should take away:
Ransomware calls for an ultimate standoff between attacker and victim, forcing the latter to pay up or potentially lose their data. This standoff obviously causes mayhem at the victim company and focuses heat and law-enforcement on the attacker which is a growing risk for ransomware attackers. Cryptominers on the other hand can theoretically operate endlessly, using the compromised endpoint’s CPU and graphic card to mine cryptocurrency without the victim’s knowledge. Who measures CPU performance, right?
Cryptominers are yet another instance of the same ole’ routine:
· Compromise a system
· Execute malicious code on the system
· Profit
· Repeat
Your can fight Cryptominers
The issue is more than just sharing your computer resources with an attacker. Having malware run on your system means the attacker can decide that mining cryptocurrency isn’t enough anymore and then use other methods such as information exfiltration, use of system and network resources, holding the company for ransom etc. Since traditional AV technology was ineffective in stopping or even detecting this attack, different measures are needed to tackle this line of attacks. As the research found, the attack contains a few stages. The ability to stop the attack at the stages of compromise or execution will determine whether the network stays safe or not. Here are a few technologies that can thwart this kind of attack and many others:
1. CDR (Content Disarm & Reconstruction): This technology disarms the file by converting and reconstructing it so that any "additional content" is left behind regardless whether the malware attached is known or not. Having a CDR gateway can eliminate the threat of a hidden binary in Johansson's picture. Some notable technologies: Sasa Software, Yazamtech
2. Deception: This technology deceives malware into believing it's being monitored. Malware using evasion techniques look for monitoring indicators and once found – cease malicious activities to avoid being detected. Imperva's researchers found that the malware uses evasion techniques to determine whether it's being monitored - effecting its decision to deploy or not to deploy. Presenting a monitoring environment will keep the malware from deploying and compromising the server while alerting security personnel to the event with specific data on the malicious file. Notable tech: Minerva
3. Honeypots: Creating mock servers and endpoint on the network creates "pot holes" only malicious actors will step in; alerting security personnel to the nature of the attack and give them initial indicators for effective response.
4. Heuristic-based solutions: This technology lists malicious activities rather than file signatures. If a file executes malicious actions over a certain threshold, the security team is alerted and optionally – the file blocked, quarantined or any other preventative counter-measures. Notable Tech: Cynet
5. Employee Education: educating employees in the dangers of email messages, links, malicious websites and files can dramatically lower the risk of downloading the file to your network in the first place. Notable tech: Dcoya
Final note: Don't put off dealing with the inevitable. Preventing an attack is always cheaper, less messy and we all get to keep our jobs at the end of the day...