Cryptojacking infections are coming from inside your home
Cryptojacking has become a growing concern. Cybercriminals aren’t satisfied with the available supply of vulnerable servers and PCs to hijack in order to mine their favorite cryptocurrency. So, they have added another rich source of computational horsepower to their arsenal: IoT devices. Media devices are especially attractive targets due to their use of powerful GPUs combined with lax home security. And because they tend to always be powered on, there is a lot of downtime that can be exploited without detection.
The real challenge, however, is the risk that these compromised devices pose to business. Defending against today's threat landscape has been complicated by the anywhere, anytime nature of work. Employees working remotely or on the go introduce additional threats to the network because their work devices often run on the same networks as their compromised IoT devices, and many of the apps running on their home entertainment systems are linked to the same apps on their laptops, tablets and smartphones.
Data from the latest “Fortinet Global Threat Landscape Report” reveals that 23.3% of surveyed organizations saw cryptojacking malware like ZeroAccess (one of the top botnets for Q2 2018) in their networks. Many of these botnets spread to business networks via devices that were often originally infected in a compromised home network. This growing trend has serious implications for security strategies. To combat this latest attack vector, organizations need to quickly and effectively extend corporate security to employee devices when they are not in the office.
The Mirai botnet lives on
The Mirai botnet warrants mention because it continued to have an impact on the threat landscape in Q2, nearly two years after its first appearance. The Mirai code was made publicly available shortly after its premiere, and some of Mirai’s variants include significant modifications, such as the ability to turn infected devices into swarms of malware proxies and cryptominers. New variants have also added multiple exploits to their arsenals, allowing them to automatically identify and target a wide range of unpatched IoT devices without needing to communicate back to a C2 controller for an update. The Wicked bot, for example, is loaded with a variety of known and available exploits, many of them already quite old. In spite of this, these exploits remain effective due to poor patch-and-replace security hygiene practices at many organizations and the unpatchable nature of many IoT devices.
Hide ‘N Seek (HNS) is another, and it might be the first in-the-wild malware to actively target vulnerabilities in home automation systems. HNS is an IoT botnet that communicates in a complex and decentralized manner, using custom-built peer-to-peer communication to implement a variety of malicious routines. While it initially just targeted routers, IP cameras and DVRs, the latest iteration of HNS now also targets cross-platform database systems and smart home devices.
HNS managed to evolve to this point due to the availability of the open source Mirai code to malware developers. While HNS was built using code from Mirai, it has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Adding freshly released proof-of-concept exploits to its arsenal increases the chance that it will also be the first to infect these vulnerable devices.
Segmenting for security
One of the reasons that attackers are targeting home-based media devices with cryptomining malware is that many of them use powerful GPUs to decode and transcode content in high-resolution formats. These IoT devices are not only always on and connected, but also spend most of their time idle, making them an ideal host for cryptomining malware that runs continuously. Making matters worse, the interface of many of these devices also acts as a modified web browser, with all of a browser's inherent vulnerabilities; a compromise can therefore give an attacker fine-grained remote control and communications, as well as the ability to spread more effectively through mechanisms such as P2P connections with other devices.
Because of this growing risk from home workers, as well as those employees who increasingly bundle their work and personal apps and data onto their devices, segmentation is increasingly important for devices that connect to both home and enterprise networks. One way that security teams can extend protections out to these endpoint devices is by ensuring that home networks are segmented from machines that connect back to the office through a VPN.
When countermeasures fail in one part of the network, segmentation protects other areas from being compromised. Segmenting the network and devices should address risk management functionalities such as:
- Identifying risk: Users, data, devices, locations and threat intelligence feeds, along with a host of other criteria, need to be used to identify threat categories and assess risk in real time.
- Managing policies and devices: Seeing all devices and their related activity, including IoT devices, allows IT teams to appropriately set policies to manage risk across the network.
- Exerting control: Organizations can better control risks from a policy standpoint by treating those parts of the network that interact with IoT devices differently.
- Managing access: One of the most critical risk management tools provided by segmentation is the ability to impose strict access controls based on user, role, device type or even applications. As devices either initiate a new network connection or as traffic or applications attempt to cross network segments, access control combined with inspection helps establish secure perimeters around critical resources by identifying and preventing the spread of malware such as cryptojacking.
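As an added example that is not from the article or from Fortinet, the following Python script models the two controls described above: a default-deny segment-to-segment policy (a home IoT segment may not initiate connections into the segment that carries the VPN-connected work laptop), followed by inspection of the flows the policy permits for the Stratum mining protocol that cryptojacking malware uses to talk to its mining pool. The segment names, the 192.168.10.0/24 and 192.168.20.0/24 addressing, and the sample flow records are constructed assumptions; the Stratum JSON-RPC method names are the protocol's publicly documented ones.

```python
"""Segmentation policy plus mining-protocol inspection (added example, not the
article's or Fortinet's code). Segments, addressing and sample flows are
constructed for this demonstration."""
import ipaddress
import json
from dataclasses import dataclass

# Assumed home-network layout: which subnet belongs to which segment.
SEGMENT_BY_NETWORK = {
    ipaddress.ip_network("192.168.10.0/24"): "iot",   # media boxes, cameras, smart-home gear
    ipaddress.ip_network("192.168.20.0/24"): "work",  # laptops that run the corporate VPN client
}

# Segment pairs that may initiate traffic; every pair not listed is denied (default deny).
ALLOWED_PAIRS = {
    ("work", "vpn"),
    ("work", "internet"),
    ("iot", "internet"),
}

# JSON-RPC method names used by the Stratum mining protocol (publicly documented):
# the classic "mining.*" family and the "login" call used by the CryptoNote variant.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}


@dataclass
class Flow:
    src: str            # source IP address of the initiating device
    dst_segment: str    # where the destination lives: "work", "iot", "vpn" or "internet"
    payload: bytes      # first bytes of the session, as an inspecting gateway would see them


def segment_of(ip: str) -> str:
    """Map a source address to its segment; unknown addresses fall into 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for network, name in SEGMENT_BY_NETWORK.items():
        if addr in network:
            return name
    return "unknown"


def looks_like_stratum(payload: bytes) -> bool:
    """True if the payload is a JSON-RPC line whose method is a Stratum mining call."""
    try:
        msg = json.loads(payload.decode("utf-8", errors="replace").strip())
    except json.JSONDecodeError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def evaluate(flow: Flow) -> str:
    """Apply the segmentation policy first, then inspect the permitted flow."""
    src_seg = segment_of(flow.src)
    if (src_seg, flow.dst_segment) not in ALLOWED_PAIRS:
        return "deny:segmentation"          # blocked before any payload is looked at
    if looks_like_stratum(flow.payload):
        return "deny:mining-protocol"       # allowed by policy, but it is a miner handshake
    return "allow"


# Constructed sample flows; the wallet value is a placeholder, not a real address.
SAMPLE_FLOWS = [
    Flow("192.168.10.7", "internet",
         b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'),
    Flow("192.168.10.7", "work", b"\x16\x03\x01\x00\x8a"),          # IoT box probing the work laptop
    Flow("192.168.20.4", "vpn", b"\x16\x03\x01\x00\xc4"),           # laptop opening its VPN tunnel
    Flow("192.168.20.4", "internet", b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("192.168.10.9", "internet",
         b'{"id":1,"jsonrpc":"2.0","method":"login",'
         b'"params":{"login":"WALLET_PLACEHOLDER","agent":"constructed-miner/1.0"}}\n'),
]


def audit(flows):
    """Return (src, dst_segment, verdict) for each flow so results can be logged or alerted on."""
    return [(f.src, f.dst_segment, evaluate(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:15} -> {dst:9} {verdict}")
```

The ordering matters: the segmentation check runs first and needs no payload inspection at all, which is why it still holds when a device is compromised by malware the inspection signatures do not yet recognise; inspection then catches the mining handshake on the flows segmentation legitimately allows, such as an IoT device reaching the internet.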
Defeating cryptojacking
While IoT offers limitless potential for transforming all aspects of daily life through connected intelligence and services, these benefits don’t come without inherent dangers. IoT has radically expanded the potential network attack surface of many organizations, and cybercriminals have begun to capitalize on this by creating increasingly sophisticated exploits that target and take over IoT devices. As a result, cryptojacking is now a common form of infection, often spread by employees working from a home network that includes compromised IoT devices. Securing the network against these threats involves training users on potential threats, providing effective endpoint security, inspecting VPN-based traffic, and segmenting the network so that IoT invaders can’t reach all of it.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.