LAS VEGAS — Cisco Talos’ Craig Williams says 2017 was the year of ransomware, “and 2018 is moving into the year of cryptomining.”
Talos is Cisco’s threat research team made up of about 300 researchers globally. Williams is the group’s director of outreach. He and other Talos members set up shop at a room with a fireplace inside the Irish Pub at Mandalay Bay during last week’s Black Hat security conference.
The explosive growth in cryptojacking has been well documented. Symantec researchers reported cryptocurrency coin mining grew by a whopping 8,500 percent in 2017, and RedLock’s cloud security intelligence team discovered that 25 percent of organizations had their cloud compute resources stolen specifically to mine cryptocurrency — a three-fold increase in cryptojacking incidents from the 8 percent reported last quarter.
And Cisco itself said its technology caught thousands of threats on Mobile World Congress’ public network, which provided Internet connectivity for the annual show’s 107,000 attendees in Barcelona, Spain. This included a “significant” amount of cryptomining.
One reason for the spike in cryptomining is that it usually flies under the radar because it’s difficult to detect. Also, it is tough for law enforcement to determine damage.
Essentially, it’s a cheap, easy way to make money, requiring just a couple of lines of code to operate in addition to stolen processing power and cloud CPU usage, whereas with ransomware a company knows immediately if a machine is infected.
“From an IR [incident-response] perspective, with ransomware you have people that pay or don’t pay,” said Sean Mason, director of threat management and incident response at Cisco. “But if you’re mining, you’re trying to go low and slow. The theory being if you’re not shutting down an entire business, you won’t be detected.”
Mason said the incident response team sees commodity malware on the uptick — this is more generic malicious code designed to infect a range of operating systems or devices. It is easily spread through phishing emails or fake website links.
“There’s also a lot of concern around election security,” Mason added. “We’ve been fielding a lot of calls and working with a lot of different government places saying we know what happened in our last election process, and we don’t want that to happen again.” While he can’t name specific municipalities or say how many Cisco is working with, “it’s a significant amount,” Mason said.
When asked to rank U.S. election security preparedness, Mason said “little to none.”
And, indeed, a couple of days later at Def Con, adults and kids hacked voting system replicas and changed election results.
“Across the U.S. you have different ways of handling elections, some are more computerized than others, and systems are different,” Mason said. Plus, many are run by volunteers — not security professionals.
“Elections are a short sprint,” he said. “In six to eight weeks you’re spinning up an environment, you need to defend it, and if something happens you need to jump in, contain it, and then respond to it. It’s the scalability factor — how do you take something that is great at the state and local government level and scale up.”
Security Hygiene and Segmentation
So what can organizations do to minimize risks? Both Mason and Williams said basic security hygiene remains a problem.
Williams said best security practices start with patching. “No. 1 is to patch,” he said. “Go to your web browsers, remove plug-ins you don’t need. If you don’t need Flash, you should not be running it. Install an ad blocker. The second one is to educate your users. Make sure users know not to click on strange links or click on plug-ins to watch a video.”
Network segmentation can also reduce risk to organizations’ data, Mason said. This works by separating systems or applications into smaller networks to control access — and, thus, restrict malware from spreading. “For ransomware, or attacks going east-west, network segmentation has saved the bacon for a lot of organizations.”