Crypto Mining Ransomware is Here

Mark Curphey By Mark Curphey
December 13, 2017

It has been an exciting week. On Monday Jet Anderson and Asankhaya Sharma posted a proof-of-concept piece for crypto-mining ransomware embedded in a web application. Not a day later we saw it reported that a similar attack was used on a wifi access point at a coffee shop in Australia: the captive portal simply made users wait while it silently mined cryptocurrency on their machines. Crypto-mining malware is no longer a "what if"; it has happened and it will happen again. I don't believe this will be the last time we see this kind of attack in use, and the next iterations may be even more nefarious.

Blockchain is everywhere

I believe it's high time we all accept the fact that blockchain technology is here to stay. The initial use of blockchain in cryptocurrency was enough to ensure its permanence, but now we also see it taking off in myriad other applications as well.

Have you seen CryptoKitties?

The use of blockchain for creating and tracking ownership of digital animals is cute. However, blockchain is also being applied to maintaining personal identity, financial data, and healthcare data.

Blockchain is here to stay.

How We Got in This Spot

I'm not at all surprised to see reports of hidden mining operations. In fact, I'm amazed it hasn't happened more. Enterprises around the world are increasingly making use of open source software, and quite often without a thought as to where it comes from or exactly what it's capable of. The ubiquity of open source libraries and the speed of software development practices today create a perfect storm of opportunity for attacks that mine currency on someone else's hardware.

Often, the conditions for such an attack exist because we assume that either it won't happen to us, or that the technology is not available for attackers to perform such a feat. We think it will happen in the future, but the reality is that the future is advancing faster than we realize.

It's also true that in many cases we still have an element of trust in open source software, and for good reason. The internet is powered by machines running Linux, an open-source operating system supported and maintained by a worldwide community of developers doing their part to make the world a better place.

Unfortunately, that trust creates the conditions giving an opportunity to bad actors to embed malicious code in software that appears otherwise useful.

The POC was an exploration of how a web application could be held for ransom until the mining operation completed or a ransom was paid. But aside from ransomware latching on to our data, I would bet there are mining operations taking place on enterprise sites today without notice, quietly consuming CPU time in small bits alongside everyday consumer traffic, below the threshold anyone would investigate.

In either case, I'm confident we'll see more of this take place as attackers look for ways to ensure their payment.

How This Affects Enterprise Use of Open Source

So, what is to be done to protect ourselves from malicious code either holding our site for ransom or quietly mining coin while our customers see the delay?

To start with, we have to be even more vigilant about what goes into our software and our enterprise. At SourceClear we've made this the mainstay of our operation, ferreting out vulnerabilities in open source code and revealing them to our customers.

A very interesting method of attack in use these days is called "typosquatting." Typosquatting involves publishing an open source package whose name differs from an existing popular package by a single mistyped, dropped, or transposed character. A developer who fat-fingers the name on the command line, or copies it from a bad example, unwittingly installs the imposter, which behaves like the real package but also carries the malicious code, in this case a coin miner. Because the imposter is typically installed on the build server or in production with the same privileges as everything else, nothing about the installation itself looks unusual.

A knee-jerk reaction might be to halt the use of open source software, or at least require human review of every package before use. These sound like viable options, but the reality is that the speed of modern software development practices no longer allows for this.

The answer is not avoiding the use of open source. This is simply how software is written these days. To avoid open source entirely would put your business at a severe disadvantage.

We also can't manually review every package for similar reasons. There just isn't enough time.

The answer, though simple, involves rethinking how we deliver software.

Build Security In

To avoid the delays associated with manual review and to guard against malicious code making its way into our software, every build and every deployment must contain automated checks that inventory the open source code in use and flag known vulnerabilities and suspicious packages, whether the flaw is accidental or deliberate. A check that runs only on some builds, or that can be skipped under deadline pressure, is the gap an attacker's package will slip through.
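As an added example, not SourceClear's product and not code from the original post, the script below is the kind of build gate the last two sections describe: it parses a Python requirements file, flags entries on a denylist, flags names within one edit of a popular package (the typosquatting case above), and flags unpinned entries so the build cannot silently pick up a new upload. The popular-package list, the denylist entry, and the requirements text are all constructed for the demo; a real gate would load them from a maintained feed.

```python
"""Dependency gate for a CI build (illustrative, added example).

Flags three things in a requirements file:
  * names on a denylist (known-bad packages),
  * names within MAX_DISTANCE edits of a popular package (typosquat candidates),
  * entries without an exact version pin.
Exits non-zero when anything is flagged so the pipeline stops.
"""
import re
import sys

# Constructed for the demo: a handful of well-known PyPI names (normalized form).
POPULAR = {"requests", "urllib3", "django", "flask", "numpy", "setuptools"}
# Constructed for the demo: a hypothetical denylisted package name.
DENYLIST = {"evil-miner"}
MAX_DISTANCE = 1

# name, optional [extras], optional exact pin; anything else is treated as unpinned
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;#]+))?")


def normalize(name):
    """PEP 503 normalization so 'Requests', 'requests' and 'REQUESTS' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters each cost 1. Transposition matters
    because 'reqeusts' is one edit from 'requests' only if it is counted."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def parse_requirements(text):
    """Yield (name, pinned_version_or_None) for each requirement line,
    skipping blanks, comments and pip options such as '-r' or '-e'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def check_dependencies(text, popular=POPULAR, denylist=DENYLIST, max_distance=MAX_DISTANCE):
    """Return a list of (name, reason, detail) findings; empty means the gate passes."""
    findings = []
    for name, version in parse_requirements(text):
        n = normalize(name)
        if n in denylist:
            findings.append((name, "denylisted", None))
            continue
        if n not in popular:
            # sorted() keeps the match deterministic when several names are close
            for p in sorted(popular):
                if damerau_levenshtein(n, p) <= max_distance:
                    findings.append((name, "possible typosquat", p))
                    break
        if version is None:
            findings.append((name, "unpinned", None))
    return findings


# Constructed requirements file for the demo; the misspellings are deliberate.
SAMPLE_REQUIREMENTS = """\
requests==2.18.4
reqeusts==2.18.4   # transposed characters: 'requests'
djago==2.0         # dropped character: 'django'
numpy==1.13.3
flask              # no pin: the next upload under this name is what gets built
evil-miner==0.1    # hypothetical denylisted name
"""

if __name__ == "__main__":
    results = check_dependencies(SAMPLE_REQUIREMENTS)
    for name, reason, detail in results:
        print(f"{name}: {reason}" + (f" of {detail}" if detail else ""))
    sys.exit(1 if results else 0)
```

The edit-distance check is a review trigger, not a verdict: a legitimate package can sit one character away from a popular one, so the gate should route hits to a human with the package's publisher, first-upload date and install-time hooks attached, and an allowlist should silence the ones already reviewed. The "unpinned" finding is what makes the other two durable, since a pin ties the build to an artifact that was checked rather than to whatever the name resolves to on the day of the build.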

Be vigilant

It's easy to skip checks like these when the cost of tooling or the complexity of integration threatens our delivery timeline. But, to protect the enterprise and our customers, we have to ensure that the built-in security practices are implemented on every single piece of software we ship without exception.

Nothing should be allowed out the door that doesn't have security tests baked in.

Continue to innovate

Bad actors will continue to find ways to survive and thrive in the new economy of digital currency. As we've seen, they're becoming more advanced every day, finding ways around our security controls to generate revenue for their enterprise.

Our best hope to thwart their efforts, whether they hold our applications for ransom or leverage our infrastructure for their own purposes, is to continue to innovate. We have to be smarter than the bad guys and more consistent in our application of tools, technology, and process to ensure secure software development practices are followed.

The Future is Now

Our world is getting more complex, not less. The speed of software development is getting faster and faster as we rely more and more on continuous integration and delivery. Blockchain will continue to evolve and become a larger part of our world. Open source will continue to grow at exponential rates, and flaws in open source components, accidental or planted, will continue to be found and exploited.

SourceClear will continue to innovate in this field.

And you must be ready for change, adapting to this changing world.

Mark Curphey, Vice President, Strategy
Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks.
Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft.
Born in the UK, Mark received his B.Eng, Mechanical Engineering from the University of Brighton, and his Masters in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling, and cycling.