OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
0 likes•170 views
This document discusses how crypto-mining malware has become a popular payload for remote code execution (RCE) attacks. It describes how RCE vulnerabilities allow attackers to install crypto-mining software that uses the victim's computing resources to generate cryptocurrency profits without their consent. Specifically, it outlines the evolution of a crypto-mining malware called CryptoM that uses evasion techniques to infect systems and spread. The document warns that nearly 90% of RCE attacks now contain crypto-mining malware payloads and provides recommendations on how to mitigate these threats through monitoring, securing systems, and patching vulnerabilities.
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
- 1. © 2018 Imperva, Inc. All rights reserved. How to Protect Your Web Applications from Crypto-mining: The New Force Behind Remote Code Execution Attacks Amir Shladovsky – Threat Research Tech Lead, Imperva W a r s a w , 1 0 . 1 0 . 2 0 1 8 OWASP Poland Day 2018
- 2. © 2018 Imperva, Inc. All rights reserved. Evolution of Web Attacks – Economical Aspects 3 Attack Data theft Network theft Data corruption CPU theft Example SQL injection DDoS botnet Ransomware Crypto-mining Sale strategy 3rd party sale 3rd party sale Direct sale No sale
- 3. © 2018 Imperva, Inc. All rights reserved. Agenda • Remote Code Execution (RCE) vulnerabilities • Payloads and trends • A crypto mining malware (CryptoM 1.0/ 2.0) – The money trail – Crypto currencies • Mitigation • Key takeaways 4
- 4. © 2018 Imperva, Inc. All rights reserved. Remote Code Execution (RCE) Vulnerabilities 5 • Definition • Conditions – Untrusted data + insufficient input validation • Example 1 • Recent development – Serialization/ deserialization • Example 2 Object in memory Object serialized Object in transit Object de- serialized Object in memory
- 5. © 2018 Imperva, Inc. All rights reserved. RCE Vulnerability Statistics 7 Taken from:vulndb.cyberriskanalytics.com RCE
- 6. © 2018 Imperva, Inc. All rights reserved. RCE Attacks – External Resources in Payloads • Reconnaissance • Botnet (DDoS, Other) • Crypto mining malware • Other 8
- 7. © 2018 Imperva, Inc. All rights reserved. A Shift in Payload Trends 9 12% 88% DDoS Bot Crypto-mining Malware 45% 55% 2017 2018
- 8. © 2018 Imperva, Inc. All rights reserved. A Crypto Mining Malware 1.0 • RCE vulnerability as an entry point • Evasion techniques • Main characteristics: – Kills competing processes – Gains persistency – Downloads and runs the malware 10 Exploit RCE vulnerability Run downloader code Infect with Crypto mining malware 1 2 3
- 9. © 2018 Imperva, Inc. All rights reserved. logo6.jpg – Stage 1 11 Eliminate rivalries Eliminate security controls
- 10. © 2018 Imperva, Inc. All rights reserved. logo6.jpg – Stages 2 & 3 12 Gains persistency Obtains dynamic configuration Obtains Miner Runs the Miner Calculates number of cores
- 11. © 2018 Imperva, Inc. All rights reserved. Config_1.json 13 Impact: denial of service Mining pool and wallet Mining algorithm
- 12. © 2018 Imperva, Inc. All rights reserved. Crypto Mining Malware 2.0 / RedisWannaMine • Spreads, internally and externally, in a worm like behavior – Using exposed Redis server to replicate itself. – Using Eternal Blue exploit to propagate over windows platform 14
- 13. © 2018 Imperva, Inc. All rights reserved. What is Redis? • In memory Database (RAM) • Widely used • Technical information: – Port 6379 (over 200K IP publicly open with this port) – No authentication by default (up till version 3.2) 15 www.shodan.io
- 14. © 2018 Imperva, Inc. All rights reserved. EternalBlue • Exploit developed by NSA • Leaked by Shadow Broker hacker group • Exploit a vulnerability in Microsoft implementation of SMB protocol to spread out • Famous by WannaCry ransomware that used EternalBlue to propogate 16
- 15. © 2018 Imperva, Inc. All rights reserved. Redis infection process 17 Download and compile masscan Find open Redis servers using masscan
- 16. © 2018 Imperva, Inc. All rights reserved. Crypto Mining Malware 2.0 Infection Chain Exploit CVE-2017-9805 to run a shell command Drop RedisWannaMine Run a crypto miner Scan vulnerable Redis servers Use Redis vulnerability to drop a crypto miner Scan vulnerable Windows SMB servers Use EternalBlue to drop a crypto miner 18
- 17. © 2018 Imperva, Inc. All rights reserved. Going the Extra Mile - Browsers Infection • Using an open source JavaScript webminer • The attacker initially tries to alter the commonly used index.php file and add to it the malicious JavaScript me0w.js 19
- 18. © 2018 Imperva, Inc. All rights reserved. Going the Extra Mile - Browsers Infection • It also scan for all JavaScript files on the server and, once found, inject the same malicious me0w.js file 20
- 19. © 2018 Imperva, Inc. All rights reserved. Crypto Mining Malware Infection Chain 21 Infection of a single victim Crypto Mining Malware 1.0 Infection of the web application visitors Infection of many victims Spread in a worm like behavior
- 20. © 2018 Imperva, Inc. All rights reserved. The Money Trail • Mining pools - Share resources, split the reward 22
- 21. © 2018 Imperva, Inc. All rights reserved. The Money Trail – other currencies 23 Karbowanec (Karbo) Electroneum
- 22. © 2018 Imperva, Inc. All rights reserved. Why not Bitcoin? • Specific hardware • Anonymity 24
- 23. © 2018 Imperva, Inc. All rights reserved. Mitigation • Monitoring • Secure your code • Patch • Virtual patch 25
- 24. © 2018 Imperva, Inc. All rights reserved. Key Takeaways • Protect your assets • RCE vulnerabilities are a serious security risk that can be the entry point to your network • Almost 90% of downloader RCE attacks contain a crypto-mining malware • Attackers are after your server resources 26
- 25. © 2018 Imperva, Inc. All rights reserved. Any questions? Amir Shladovsky [email protected] @AmirShladovsky