What is interesting about coin mining, or cryptocurrency mining, is that it is not necessarily an illegal activity, and it is sometimes difficult to differentiate between the legal and illegal activity. Where the activity is illicit, it is often designed to be a silent threat to enterprise resources, consuming all available computing cycles on endpoint computers and servers. Coin miners use those computing cycles to attempt to break the keys protecting cryptocurrency.
Coin mining was observed as one of the most prevalent threats this year. At times, this activity accounted for more detections than all other malware combined. Attackers have built coin mining capabilities into their attack toolkits. Once they gain access to a computer, they can then use various attack techniques to spread laterally through the corporate network, placing mining software on other servers and computers. Each compromised device adds to the capability of the attacker to decrypt the keys protecting the cryptocurrency.
In our Global Threat Intelligence Report, technology and education were the most targeted sectors identified (46% and 40% of observations respectively). Both sectors hold large amounts of computing equipment, which is needed to create an effective coin mining operation. The largest percentage of the activity that we observed was host-based (75%), so the coin miners needed large numbers of hosts to perform their activities.
The report proposes several strategies for defending against coin mining activity, including the use of least privilege for user, developer and application accounts, implementing ingress and egress controls on the firewalls, and limiting browser-based cryptomining with browser plugins designed to restrict that functionality. Additional controls include blocking the Stratum protocol, which is used by coin mining software, and segmenting the network to make lateral movement more difficult.
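Blocking Stratum at the firewall works best when you can also see it. Stratum is newline-delimited JSON-RPC, so its method names ("mining.subscribe", "mining.authorize", and the "login" and "submit" calls of the Monero-style variant) are a reliable signature in captured TCP payloads regardless of port. The detector below is an added example written for this post, not code from the report or from NTT Security; the payload lines, hosts and ports it inspects are constructed, with wallet values replaced by placeholders.

```python
"""Flag Stratum mining-protocol messages in captured TCP payload lines.

Stratum is newline-delimited JSON-RPC. The method names listed below are the
well-known ones from the classic protocol ("mining.*") and the Monero/XMRig-style
variant ("login", "job", "submit"). All sample records are constructed for this
example; wallet identifiers are placeholders.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Method names that only make sense in a conversation with a mining pool.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
    "login", "job", "submit",
}


@dataclass
class Finding:
    src: str
    dst: str
    method: str
    worker: Optional[str]  # wallet/worker name when the message carries one


def parse_payload(line: str):
    """Return the decoded JSON object, or None if the line is not a JSON object."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def extract_worker(method, params):
    """Pull the wallet/worker identifier from an authorize or login request."""
    if method == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])
    if method == "login" and isinstance(params, dict):
        return params.get("login")
    return None


def detect_stratum(records):
    """records: iterable of (src, dst, payload) tuples, one TCP payload line each."""
    findings = []
    for src, dst, payload in records:
        obj = parse_payload(payload)
        if obj is None:
            continue
        method = obj.get("method")
        if method in STRATUM_METHODS:
            findings.append(Finding(src, dst, method,
                                    extract_worker(method, obj.get("params"))))
    return findings


# Constructed sample: three flows, two of which carry Stratum traffic.
# Addresses are from the documentation ranges; ports are illustrative only.
SAMPLE_RECORDS = [
    ("10.0.0.12:51022", "203.0.113.5:3333",
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'),
    ("10.0.0.12:51022", "203.0.113.5:3333",
     '{"id":2,"method":"mining.authorize","params":["wallet-placeholder.rig01","x"]}'),
    ("10.0.0.40:40010", "198.51.100.9:443", "GET / HTTP/1.1"),
    ("10.0.0.77:38877", "203.0.113.8:14444",
     '{"id":1,"jsonrpc":"2.0","method":"login",'
     '"params":{"login":"wallet-placeholder","pass":"x","agent":"XMRig/5.0"}}'),
    ("10.0.0.77:38877", "203.0.113.8:14444",
     '{"id":1,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}'),
]


def summarize(records=SAMPLE_RECORDS):
    """Group the Stratum methods seen by internal source host, for analyst triage."""
    by_host = {}
    for f in detect_stratum(records):
        host = f.src.split(":")[0]
        by_host.setdefault(host, set()).add(f.method)
    return {host: sorted(methods) for host, methods in by_host.items()}


if __name__ == "__main__":
    for host, methods in summarize().items():
        print(f"{host}: Stratum methods seen {methods}")
```

Because the check keys on message content rather than destination port, it still fires when a miner is pointed at a pool listening on 443 or another port that egress filtering allows; pair it with the firewall rule so that blocked and permitted paths are both covered.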
While coin mining was a significant threat identified this year, another threat that faced many companies was web-application and application-specific attacks. The motivation behind these attacks was to give the attackers access to the network, data or an application; to influence a company to make a specific decision; or to profit. Many of the practices that I discussed in my previous blog post may help in preventing access. The motives of influence and profit add an important dimension to the security strategy of a company.
Our report shows that attackers attempting to influence a company may be supporting a specific agenda based on hacktivism, blackmail, extortion, or reputation damage. Likewise, with the profit motive, the attacker needs to compromise systems that are vulnerable to attack.
We provide some additional insights into the types of practices that will help a company ward off these attacks. These include patching, network segmentation, secure coding, and application gateway firewalls. Of these, patching is a critical activity. Companies can scan for vulnerabilities, but if the vulnerabilities found are not patched on a timely basis, the company remains exposed to compromise.
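The gap the report points at is between finding a vulnerability and fixing it, so the useful measurement is how long each finding has stayed open relative to a patching deadline. The script below is an added example, not part of the report or the original post: it reads a scanner export, applies a per-severity SLA and ranks the overdue items with internet-facing hosts first. The CSV rows, host names and SLA values are constructed for illustration and are not figures from the report.

```python
"""Rank open vulnerability-scan findings by how far past a patching deadline they are.

Constructed example: SCAN_EXPORT stands in for a scanner's CSV export, and the
SLA days per severity are illustrative policy values, not figures from the report.
"""
import csv
import io
from datetime import date

# Assumed patching policy: maximum days a finding may stay open, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner export (hosts, findings and dates are invented).
SCAN_EXPORT = """host,severity,finding,first_seen,internet_facing
web01,critical,outdated TLS library,2019-03-01,yes
app02,high,missing web framework patch,2019-03-20,no
db01,medium,default service banner,2019-01-10,no
vpn01,critical,unpatched remote access appliance,2019-04-10,yes
"""

# Fixed "today" so the example is reproducible.
EXAMPLE_TODAY = date(2019, 4, 15)


def load_findings(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def days_open(first_seen, today):
    """Days elapsed since the scanner first reported the finding."""
    return (today - date.fromisoformat(first_seen)).days


def overdue_findings(text, today):
    """Return findings past their SLA, internet-facing first, then by days overdue."""
    rows = []
    for f in load_findings(text):
        age = days_open(f["first_seen"], today)
        limit = SLA_DAYS[f["severity"].lower()]
        if age > limit:
            rows.append({
                "host": f["host"],
                "severity": f["severity"],
                "finding": f["finding"],
                "days_overdue": age - limit,
                "internet_facing": f["internet_facing"].lower() == "yes",
            })
    # Exposed hosts first (False sorts before True), then largest overdue value.
    rows.sort(key=lambda r: (not r["internet_facing"], -r["days_overdue"]))
    return rows


if __name__ == "__main__":
    for r in overdue_findings(SCAN_EXPORT, EXAMPLE_TODAY):
        exposure = "internet-facing" if r["internet_facing"] else "internal"
        print(f'{r["host"]:6} {r["severity"]:8} {r["days_overdue"]:3}d overdue '
              f'({exposure}): {r["finding"]}')
```

Run against a real export the same way: swap SCAN_EXPORT for the file contents and EXAMPLE_TODAY for date.today(). The ranking is what turns a scan into a work queue, which is the step the report notes is often missed.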
Another threat that we identify in the Global Threat Intelligence Report is credential theft. Each year, credential thieves become better at stealing credentials. Techniques in spamming, phishing, social engineering, and compromises of credential repositories become more effective. These credentials may be used for gaining access to various parts of your network or may simply be sold on the dark web for others to use as needed.
Preventing credential theft can be very difficult. Phishing and social engineering continue to grow in sophistication. Training employees to spot phishing and social engineering attacks provides some protection, but a company can seldom prevent these threats by training alone. At any given point in time, there will be someone in the company who falls victim to one of these attacks, and that gives the attacker a platform within the company walls from which to expand the attack.
The report highlights that the retail, telecommunications, and healthcare sectors were the highest targeted sectors in 2018 for credential theft, followed by technology and manufacturing. However, no industry was immune to the threat.
All the eighteen sectors that we use to classify enterprises were impacted by the threats that we identified in 2018. The top five targeted sectors globally were finance (17% of attacks), technology (17%), business and professional services (12%), education (11%), and government (9%). Each sector has large IT infrastructures with critical assets that could be of value to an attacker. Additionally, each uses the internet as a component of their infrastructure. Some use the internet to conduct business, some to educate their customers or students, and some to implement their internal infrastructure.
The protection of the enterprise depends on the proper implementation of the security basics as well as on adapting to the threats that potentially face it. That strategy must evolve as the threats evolve if a company is to protect itself successfully.
For more information on our global and regional findings, and other security challenges, please download the report from http://www.nttsecurity.com/2019gtir