An oil transportation company discovered someone had installed Monero-mining software on its systems without its authorization.
On 14 December, Vladimir Rushailo, vice president of the Russian state-owned transport monopoly Transneft, revealed that the company had found that one of its computers had automatically downloaded software designed to mine the Bitcoin rival. As quoted in a statement provided to Reuters:
“Incidents where the company’s hardware was used to manufacture cryptocurrency have been found. It could have a negative impact on the productivity of our processing capacity.”
The company subsequently deleted the program from the computer. It also implemented “programs to block such downloads in the future.”
Transneft has not provided any details about what caused the computer to download the cryptocurrency miner, including whether a malicious insider or external actor might have hacked the workstation. What is clear, however, is that these types of attacks are growing in frequency. Pavel Lutsik, a head of information security projects with Croc IT firm, agrees:
“More and more people have learn[ed] that, in fact, they do not even need to stand up from the sofa to make money – if they are not caught.”
In recent months, several organizations including Ultimate Fighting Championship and Showtime have removed CoinHive and other Monero miners that slowed down visitors’ computers from their websites. Attackers have also gone after companies’ internal networks directly in order to mine cryptocurrencies. F5 threat researchers detected one such campaign dubbed “Zealot” that leverages the Apache Struts Jakarta Multipart Parser attack as well as a flaw affecting the DotNetNuke (DNN) content management system to compromise vulnerable systems. It then leverages the EternalSynergy and EternalBlue exploits, the latter of which was also used by WannaCry and NotPetya, to move laterally inside the network, find Windows and Linux computers, and seize them for mining Monero.
Attackers victimized 1.65 million users with cryptocurrency miners in the first eight months of 2017. No doubt this number will increase to account for the rest of the year.
As reported by RT, Russia intends to create legislation that governs cryptocurrency mining and other related matters by July 2018. This move will no doubt help the state crack down on cryptocurrency mining attacks, especially those involving Russian corporate servers.
At the same time, organizations can take steps to protect themselves against cryptocurrency miners by making sure their computers are up-to-date. To do so, they should build a patch management program that, among other things, gives them complete visibility over all their assets and prioritizes known vulnerabilities based on their business requirements.