Infosecurity Europe: Cryptojacking is Making a Comeback

At Infosecurity Europe, a security expert from Guardicore discusses a new cryptomining malware campaign called Nanshou and why the cryptojacking threat is set to get worse.

LONDON, UK – With cryptocurrency prices skyrocketing, the threat of cryptomining malware, used to mine various types of cryptocurrencies, is continuing to worry the security industry.

Case in point: Recently researchers uncovered the Nansh0u campaign, a cryptojacking campaign that mines an open-source cryptocurrency called TurtleCoin. Up to 50,000 servers were infected over the past four months as part of a high-profile cryptojacking campaign, believed to orchestrated by Chinese-language adversaries.

Researchers with Guardicore Labs, who disclosed the campaign last week, said that the Nansh0u​ campaign (named due to a text file string in the attacker’s servers) is “not another run-of-the-mill mining attack.”

At Infosecurity Europe, which kicked off Tuesday in London, Dave Klein, senior director of engineering and architecture at Guardicore, gives Threatpost a behind-the-scenes look at this latest cryptojacking campaign – and discusses why cryptominers are worryingly becoming a bigger threat.

Below is a lightly-edited transcription of the podcast.

Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost and I’m here today with Dave Klein, the senior director of engineering and architecture at Guardicore. Dave, how’s it going?

Dave Klein: Doing well, how are you?

LO: I’m good. Good to hear. So we’re just approaching Infosecurity Europe in London, and Dave, I know Guardicore will be there. Is this your first time at the show?

DK: This is kind of funny but I went there in 2000, so this was the first time since 2000. So it’s been 19 years in the making for my return.

LO: It should be very interesting to see what’s different between then and now.

DK: Indeed.

LO: Well, I want to get into some of the trends that you’re looking forward to seeing at the show. But first, I know that Guardicore recently came out with some new threat research that was dropped before the show regarding a widespread campaign that has hit at least 50,000 servers in the past four months, can you kind of break that research down for us and, you know, outline some of the biggest takeaways there?

DK: Excellent, can definitely do that. So part of our Guardicore Labs expertise is, this crew has done a great job at maintaining a global intelligence network of sensors. And we specialize in lateral movement. So looking within data centers, and clouds, and stuff like that, a lot of times we find things that are never seen. And we call them north-south traffic, and which is quite, quite interesting. So we’ve had many findings over the years of different attacks and things. And this one is exceptionally interesting, you know, 50,000 servers breached. At first, it looked like a standard technique of going after low-hanging fruits, basically, weak passwords, lack of two factor authentication, account control, looking for Windows MS-SQL and PHPMyAdmin servers vulnerabilities to knock over 50,000 servers. But then looking at it more closely. What was fascinating was some of the techniques seemed, I don’t want to say novice, but almost novice, there seemed to be kind of regiment of compiling things and pushing them out, as if they were testing various things, or learning perhaps. So we’re not sure if this was a training run, it’d be one heck of a training run at 50,000, right? Or if this was a criminal hacker who was trying to better their skill set. But what we do know – that makes it fascinating is – where the initial techniques were kind of commonplace, once they were in, they were using some pretty sophisticated tool kits, one of which actually has a Chinese APT origin, that was an escalation kit, and they even had a signed driver, which isn’t cheap. So the fact the combination of the signed driver, and this Chinese APT toolkit, made it quite fascinating to look at.

LO:Right, yeah, I know that kind of the installation of that sophisticated kernel mode rootkit really stuck out about this campaign, what were some of the, the more novice moves that you were seeing, though, that kind of contrasted these more sophisticated aspects of this campaign?

DK: So what was funny is the lab professionals that were looking at this said they’re using standard Chinese programming languages, and they’re working on Chinese hours. And then most importantly, the kind of re-compile and effort that they were doing often look like they were either fixing mistakes, or learning new techniques for the fact of learning techniques, so it wasn’t simply going out there taking over command and control 50,000 machines and using it for cryptocurrency, there seemed to be almost like an exercise in place of them changing things repeatedly. And some of the changes appear to be very novice-like, among the lab professionals, of course, the humor is as the network grew to 50,000 servers, we kind of tipped our hat a little bit going, ‘Oh, well, played.’ So it was a little less novice than we thought initially.

LO: Also, the I know, you guys mentioned there were 20 different payload versions, at least that were used. I mean, does that kind of speak to this almost testing of different methods on the attackers’ end? Or what were you guys seeing with that?

DK: It was a combination. Part of it was fixing problems. And part of it was making sure their miner got promulgated? Well, they were looking, they were going after TurtleCoins, which is a kind of cryptocurrency and they wanted to diversify the exchanges and the infrastructure. So in essence, some of it was due to mistakes. And some of it was due to try to diversify the pool of Turtle[Coin] miners.

LO: Yeah, you know, I’ve never actually heard of TurtleCoin. So it was interesting to read about within the research: what kind of cryptocurrency is this, I saw it was open source and private, you guys seen this being targeted by other campaigns?

DK: Well, the number one use case you see is Monero, and usually Monero is used, because basically, you don’t keep a journal of transactions. So it’s often used for criminal purposes. TurtleCoin is a rather new coin. And its choice is interesting too – they didn’t make that much money, by the way. So where it’s a known fact that Monero used for money laundering things like that Turtle, not so much. But still, it’s an unusual coin choice.

LO: Are you guys able to get a sense of how much they were able to make? Or was it? Because I think I remember someone saying that it’s it’s hard to understand kind of the profit here because it is a private type of cryptocurrency.

DK: The overall analysis was they didn’t make that much money. But as far as the actual amount, we’re not sure.

LO: Another interesting aspect of the research, as you mentioned before, was the kernel mode driver with a legitimate certificate authority, digital signature. I know you guys had reached out to Verisign regarding this. And so the certificate was revoked. Is that something that you see becoming kind of more prominent in different types of campaigns is using these types of digital signatures?

DK: So at this point, it’s still about the best practice of state run players. So that’s one of the things that raised our eyebrows about it. Yes, we approached Verisign. We had the certificate revoked, it was for a fictitious company called Hangzhou Hootian Network Technology.

Verisign validated that it was purchased that was been used for criminal purposes, and revoked it. We also went to the service provider of the hosting servers, and they also were shut down as well. But using a signed driver is quite sophisticated. And that begs the question is you haven’t an APT rootkit, sorry, APT escalation kit and signed driver – it either means the criminals are getting smarter, or getting access to more APT tools in the wild. Right. So advanced weaponry, or we’re looking at a training run where an APT is training someone. We didn’t have enough information to say it actually was a training run.

LO: And then also, you guys had mentioned that the attackers behind this campaign were possibly linked to China, or they were Chinese because of different you know, I think I think you guys mentioned that they were writing their tools with Chinese based programming language and, and some other clues.

DK: Yeah, absolutely. They’re using Chinese based language. The origin seems to become from China … as well as cute things. Like the name Nansh0u which was what we’re calling it. They had Nansh0u in their code mentioned many times, which means “suffer” in Chinese. And the toolkit that they use from an APT to escalate, took advantage. It was an exploit, but a CVE-2014- 4113, but it was discovered to be done by Hurricane Panda. And this was an APT that had had that toolkit. And again, it’s either a case where they were able to get ahold of it, and utilize it, or basically were given it. We’ll be curious to find out about that.

LO: And then also, one other question, do you guys have any indication of the timeline of this campaign? And whether it’s still ongoing or at this point? Has it been shut down? Or what’s new there?

DK: Well, between revoking their certificate, and going to the service provider and having their server shut down, they’re out of business for now, of course, as you know, most the criminal attackers and APTs have no problem dusting themselves off and creating new networks. But for as far as we know, this is being shut down. In the article, we have all the indicators of compromise, and all the things that you can you could utilize to the technology that’s there, as well as on GitHub, we have a tool kit help people see to find that they are in fact affected by this attack.

LO: Great, well, I wanted to take a step back and talk about cryptojacking and kind of crypto miners in general. And especially because that’s going to be a big theme at Infosecurity Europe this week, I saw that there are a couple of sessions that were talking about this shifting threat landscape and how it’s kind of playing out. So how would you say that this campaign compares to other kind of high profile crypto currency malware type campaigns that you’ve seen, because it seems to me that, like you said, this is not just about targeting TurleCoin cryptocurrency because of the small amount of profit there. But then there were also some other parts of this campaign that were beyond that as well.

DK: I think, in general, we’ve seen a lot of cryptocurrency, or cryptojacking occurring, because it’s a great way to further monetize an attack. If I take over an infrastructure to utilize, the first thing I do is use the dark net to advertise, ‘Hey, I got some real estate, computing power for you to make money that way.; You know, DDoS for hire or glean information for cost. But then what’s beautiful is you can also use that that captured infrastructure to also mine currency. And the real big threat effect of that is the amount of processing power, whether you’re paying for the hour, or it’s your hardware – the amount of wear and tear that occurs, additional wear and tear and resources. So it’s more than just you’ve been hijacked to make money, you’re causing wear and tear on your gear, or additional processing power means additional costs that way, in this situation here, them not being very successful at the crypto jacking, it begs the question of whether this is a novice who just didn’t know how to do it or pick the wrong currency? Or whether they don’t, you know, the money making wasn’t the biggest thing. Right? That’s a very good question is, why did why weren’t they successful doing that if that’s the number one thing they want to do. We didn’t see this person doing a lot of monetization, or even, you know, advertising. So what’s interesting is that we haven’t totally seen a monetary capitalization in this attack, which again, begs the question, was it a training run? Or someone new with great weapons?

LO: I know, too, that you know, this is somewhat different from TurtleCoin, but I know that with Bitcoin prices surging, that the idea of cryptojacking and other types of threats and scams around cryptocurrency have been increasing just in general, do you think that that might impact the threat landscape in 2019 overall, as well?

DK: I think it does. And I think for two for two reasons. And I’m going to start with the more unusual one. The demand for cryptocurrency. So many parts of the world, we have what we call envelope economies. So for example, let’s say Lindsey, God forbid, Lindsey, by the way, your grandfather passed away or grandmother passed away and left you some money. Right, right, left you a good portion of money. And you went into the bank to put it in, you might be met by a bank manager in certain corrupt countries going, Lindsey, I’m so sorry for your loss. I’ll take 15 percent of that. Right. There’s a lot of bribery. So you’re seeing people in a lot of countries, including China, who use cryptocurrency as a safe way, and I kind of chuckle to say that, but it’s a safer way than walking into a bank with your money, and the perceptions around that. So I think that that one way cryptocurrency is becoming an equalizer, a way for people to say store money in their perception –  not my perception, but then their perception, the safer fashion – so they go into a bank, and having to do the payoffs and things like that. So that’s one reason why the rise is occurring in such a great fashion. Number two is, I think, in all the research I’ve done the things I’ve seen the last four years, every year, there’s been an increase in this it’s become part of best practices of attackers to optimize profits. So I absolutely think it’s good to need to be a grave and continued threat in 2019.

LO: Beyond cryptojacking, is there any other big trends or topics that you’re excited to hear more about at Infosecurity Europe this year, especially the with the knowledge in your back pocket that 2000, that was the last time you went so how things have kind of changed since then?

DK: 19 years, I think a lot. That’s why I love this industry, by the way, it was it was totally different back then. But you know what, some of the fundamental things don’t change, and some other things change and the most wonderful, brilliant way, which is why I love this career, I’m blessed, I really am blessed. I think the biggest maturation that I’ve seen in the last year is and talking to those and other people is the realization if you get rid of the low hanging fruit, if you get rid of the things like weak passwords, by implementing a password discipline, software package, identity management, simply applying two factor authentication, right? doing basic hygiene like account control, right? So if someone comes in and has a high level account only needs a few days, and we treat the time limit on that. And then patching, kernels, applications, operating systems, these are basic fundamental things that are critical to build in the processes of DevOps, because today, everything moves quickly and rapidly. And there’s a lot of things that are there to help provision things quicker, and manage them quicker across an entire landscape. But I think as part of that needs, they also look at applying, you know, some of the basics again, you know, strong passwords, two factor authentication, account control, patching, also, incident response plans, I think those are huge. And those incident response plans have to include things, people other than just IT staff. You need to include your lawyers, need to include your business managers into these practices and into the plants themselves so that they are not surprised and that they know what to do when these things occur.

And then finally, the biggest thing is Software Defined segmentation. Because things move so quickly, and we’re in environments today that includes everything from your legacy, HP-UX machine…that was purchased when I had hair, which is a long time ago, by the way … But you had these legacy operating systems that are Unix, you have you have older Windows, like 2003, 2000, you have embedded Windows operating systems, you have older Linux operating systems, as well as all the newer ones. You have hypervisors, clouds, containers, you have to seamlessly be able to apply segmentation in a dynamic, easy fashion. And so things like VLAN, ACL, and especially firewalls are not in the right positions to be part of that system. So software defined segmentation is the idea of being able to dynamically roll out across your entire infrastructure, no matter what the underlying operating systems and platforms are, in an  environments, and just manage it seamlessly from a single pane of glass. I think that’s the final thing. Those are those are the kind of things I hope to see at Infosec. Because those are the things that people really need to address.

LO: Yeah, those are really good points. Well, I am very excited to kind of see, you know, what new conversations and news comes out of the show this week regarding those points, and then some other aspects of security. So, Dave, thanks again for joining us on the podcast today.

DK: Thank you, Lindsey. I had a great time. Thank you so much.

LO: And once again, this is Lindsey O’Donnell with Threatpost here today with Dave Klein from Guardicore.

Suggested articles