STE WILLIAMS

The Containerization of Artificial Intelligence

AI automates repetitive tasks and alleviates mundane functions that often haunt decision makers. But it’s still not a sure substitute for security best practices.

Artificial intelligence (AI) holds the promise of transforming both static and dynamic security measures to drastically reduce organizational risk exposure. Turning security policies into operational code is a daunting challenge facing agile DevOps today. In the face of constantly evolving attack tools, building a preventative defense requires a large set of contextual data such as historic actuals as well as predictive analytics and advanced modeling. Even if such a feat is accomplished, SecOps still needs a reactive, near real-time response based on live threat intelligence to augment it.

While AI is more hype than reality today, machine intelligence — also referred to as predictive machine learning — driven by a meta-analysis of large data sets that uses correlations and statistics, provides practical measures to reduce the need for human interference in policy decision-making.

A typical by-product of such application is the creation of models of behavior that can be shared across policy stores for baselining or policy modifications. The impact goes beyond SecOps and can provide the impetus for integration within broader DevOps. Adoption of AI can be disruptive to organizational processes and must sometimes be weighed in the context of dismantling analytics and rule-based models.

The application of AI must be constructed on the principle of shared security responsibility; based on this model, both technologists and organizational leaders (CSOs, CTOs, CIOs) will accept joint responsibility for securing the data and corporate assets because security is no longer strictly the domain of specialists and affects both operational and business fundamentals. The specter of draconian regulatory compliance such as fines articulated by the EU’s General Data Protection Regulation provides an evocative forcing function.

Focus on Specifics
Instead of perceiving AI as a cure-all remedy, organizations should focus on specific areas where AI holds the promise of greater effectiveness. There are specific use cases that provide a more fertile ground for the deployment and evolution of AI: rapid expansion of cloud computing, microsegmentation, and containers offer good examples. Even in these categories, shared owners must balance the promises and perils of deploying AI by recognizing the complexity of technology while avoiding the cost of totally ignoring it.

East-west and north-south architecture of data flow has its perils, as we witnessed in the recent near-meltdown of public cloud services. The historic emphasis on capacity and scaling has brought us to a clever model of computing that involves many layers of abstraction. With abstraction, we have essentially removed the classic stack model, and therefore adding security to it presents a serious challenge.

Furthermore, the shift of focus away from the nuts and bolts of infrastructure to application development in isolation and insulation has given birth to the expectation that even geo-scale applications inside containers and Web-scale microservices can be independently secured while maintaining an automated and scalable middleware. Hyperscale computing, relying on millisecond availability in distributed zones, is more than an infrastructure play and increasingly relies on microsegmentation and container-based application services — a phenomenon whose long-term success depends on AI.

In the ’90s, VLANs were supposed to give us protective isolation and the ability to offer a productive computing space based on roles and responsibilities. That promise fell far short of expectations. Microsegmentation and containers are in a way a post-computing evolution of VLANs. They have brought other benefits such as reducing pressure on firewall rules; there is no longer a need to keep track of exponentially growing rules with little visibility in situations that lead to false positives and false negatives. Although the overall attack surface is reduced, and collateral damage is partially abated, the potential for more persistent breaches is not reduced. AI tools can zero in on a smaller subset of data and create better mapping without affecting user productivity or undermining the overlay concept of segmented computing.

It is pretty much a one-two-three punch: the organization can look at all available metadata, feed that to the AI, and then take the output of AI to predictive analytics engines and create advanced modeling of potential attacks that are either in progress or will soon commence. We are still a few years away from the implementation of another potential step: machine-to-machine learning and security measures whereby machines can observe and absorb relevant data and modify their posture to protect themselves from predicted attacks.

AI can also provide substantial value in other emerging areas such as autonomous driving. Cars are increasingly resembling computing machines with direct cloud command and control. From offline modeling based on fuzzing to real-time analysis of sensor data, we may rely on AI to reduce risks and liabilities.

Artificial intelligence is not a panacea; however, it automates repetitive tasks and alleviates mundane functions that often haunt security decision makers. Like other innovations in security, it will go through its evolutionary cycle and eventually find its rightful place. In the meantime, there is still no sure substitute for security best practices.


Hamid Karimi has extensive knowledge about cybersecurity, and for the past 15 years his focus has been exclusively in the security space, covering diverse areas of cryptography, strong authentication, vulnerability management, and malware threats, as well as cloud and network …

Article source: https://www.darkreading.com/analytics/the-containerization-of-artificial-intelligence/a/d-id/1331208?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Rolls Out New Security Features for Chrome Enterprise

The business-friendly browser now includes new admin controls, EMM partnerships, and additions to help manage Active Directory.

Google this week added several security features to Chrome Enterprise, the business-friendly version of its browser. Chrome Enterprise was launched in 2009 to provide access to enterprise app stores, added security controls, 24/7 support, and integration with the cloud and on-premises management tools VMware Workspace ONE and Microsoft Active Directory.

Updates include four new enterprise mobility management (EMM) partnerships with Cisco Meraki, Citrix XenMobile, IBM MaaS360, and ManageEngine Mobile Device Manager Plus. These add to its first EMM partnership with VMware AirWatch, established last year.

Google is also adding support to manage Chrome OS on legacy infrastructure. Admins can configure managed extensions directly through Group Policy Objects so users can authenticate to Kerberos and NTLMv2 endpoints on their local network directly from the browser. Further, it’s extending support for common Active Directory setups, like multiple domain scenarios.

Finally, it’s expanding management controls in both the Chrome browser and Chrome OS. Per-permission extension blacklisting lets admins authorize employee access to more extensions in the Chrome Web Store but maintain granular control across Web properties. Sign-ins can be disabled from outdated operating systems, and admins can use device-wide certificates to ensure only managed devices connect to single sign-on servers.



Article source: https://www.darkreading.com/endpoint/privacy/google-rolls-out-new-security-features-for-chrome-enterprise-/d/d-id/1331294?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ugh, of course Germany trounces Blighty for cyber security salaries

Cyber security professionals in Germany earn on average 17 per cent more than their UK counterparts.

A survey by recruitment firm Willis Towers Watson found that Germany (£56,485/€64,187) leads cyber security pay[1] in Europe, followed closely by Ireland (£55,485/€63,000) and France (£51,197/€58,178). The UK ranks fifth (£48,020/€54,743), a comparatively lowly status that is partly down to the recent weakness of the pound.

The recruiters rate information security as a highly competitive market driven by the widely acknowledged skills gap. As a result, cyber security salaries are more competitive at all professional levels.

“While Germany currently leads European pay, the increasing frequency of cyber-attacks and incoming regulations such as GDPR will boost demand for cyber security professionals and drive salaries across the region,” said Tim Rees, UK cyber strategy leader for Willis Towers Watson’s Risk Solutions business.

The study also found that cyber professionals with three to six years’ experience can expect annual salary increases of 7-8 per cent – nearly three times the UK national average.

Cyber security typically attracts a younger workforce. Entry- to mid-level professionals and managers are consistently younger than the national average for comparable positions.

[Chart: Median salaries for security pros across Europe. Source: Willis Towers Watson survey, which reveals German cyber security professionals earn almost a fifth more than UK counterparts]

The survey pulled together remuneration data from more than 1,800 participants throughout Europe. Data for cyber security, AI and other digital roles is also available from Willis Towers Watson’s cross-industry database and reports.

Data is gathered annually for the private sector from participating firms that match roles based on a consistent methodology, allowing for comparison around the world. ®

Bootnote

[1] European median base salaries for mid-level professionals

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/16/european_cyber_security_pay_survey/

We’re Putin our foot down! DHS, FBI blame Russia for ongoing infrastructure hacks

The US Department of Homeland Security and the Federal Bureau of Investigation on Thursday issued an alert warning of ongoing cyber-attacks against the West’s energy utilities and other critical infrastructure by individuals acting on behalf of the Russian government.

The security warning coincides with the US Treasury Department’s announcement of sanctions against “Russian cyber actors” for interfering with the 2016 US election, a conclusion reached by the US Director of National Intelligence early last year.

Released through DHS’ US-CERT, the alert describes “a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”

The attack against European and North American targets has been underway since at least March 2016, and was identified by Symantec in September last year. The cybersecurity biz refers to the hacking group responsible as Dragonfly.

At the time, Symantec noted that some of the text in the malware code was in Russian, but it did not blame individuals in Russia or the nation’s Putin-led government for involvement in Dragonfly.

Instead, the security firm noted that some text was in French and raised the possibility that one of the languages might serve as a false flag, by which a nation-state could be falsely implicated.

Attribution

This time the DHS and the FBI didn’t hedge their bets on attack attribution. As they did in a report issued in late 2016, they describe “Russian government actions targeting US Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

That 2016 report on GRIZZLY STEPPE, the name for an attack on US government infrastructure, cites the involvement of two specific groups: APT28 or Fancy Bear, associated with the GRU, Russia’s military intelligence service, and APT29 or Cozy Bear, associated with the FSB, Russia’s internal security service.

It also lists Dragonfly as one of several dozen alternate names for Russian military and civilian intelligence services. It’s not clear how much overlap there is among these groups.

Dragonfly, the DHS and FBI explain in their technical alert, began with reconnaissance, seeking information through targeted spear phishing attacks.

The attackers would sometimes download photos from human resources pages in order to see equipment models and status information in the image background, the alert explains. They tried to penetrate organizations’ web-based email and virtual private network (VPN) connections. And they also relied on common industry documents, such as contracts, resumes, invitations and policy documents to encourage phishing campaign recipients to open attachments.

The attackers used, among other tactics, a 2015 vulnerability in Microsoft Office’s behavior when fetching a document from a remote server via the Server Message Block (SMB) protocol. The flaw allowed the attackers to obtain a hash of the credentials of an individual clicking on a phishing link, from which they were able to derive the plaintext password and access victims’ accounts.

The Dragonfly group also compromised “trade publications and informational websites related to process control, ICS, or critical infrastructure” to place malicious JavaScript or PHP files that furthered their scheme.

In one instance, the attackers modified a legitimate PHP file, header.php, to fetch a one-pixel file using SMB from an IP address they controlled. In another, they modified an instance of the popular JavaScript library modernizr.js to load the invisible image.

The attackers used malicious .docx files to capture user credentials and then installed various tools to conceal their activities, including VPN tools and password cracking tools. They also relied on Windows shortcut files, or LNK files, to store the user credentials they were able to collect.

Once they obtained access, the attackers conducted network reconnaissance to compromise connected systems. For example, they used Windows’ scheduled task and batch scripts to run scr.exe, a screenshot utility, to conduct screen captures of various connected systems.

And once they had the information they were after, the attackers attempted to clean up by removing malicious files, log files and other evidence of the intrusion.

The DHS/FBI alert contains various signatures that can be used with the YARA pattern matching tool to identify malware associated with the Dragonfly campaign.

It concludes with a litany of security advice about the sorts of countermeasures that should be considered and best practices that should be employed, starting with blocking SMB and related protocols by disabling TCP ports 139 and 445 and UDP port 137.
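The first countermeasure in the alert, blocking SMB and NetBIOS at the perimeter, is only useful if you can confirm it is actually holding. The script below is an added example (not part of the alert or of The Register’s article) that scans firewall log lines for SMB/NetBIOS traffic leaving the internal address ranges on exactly the ports the alert names: TCP 139 and 445 and UDP 137. The `key=value` log format, the internal address ranges and the sample log lines are all constructed for the example; adapt the regex and the ranges to your own firewall.

```python
import ipaddress
import re

# Ports the US-CERT alert's first countermeasure says to block: TCP 139/445, UDP 137.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137)}

# Address ranges treated as "inside": RFC 1918, loopback and link-local.
# (An assumption for this example; substitute your own address plan.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample firewall log in a simple key=value format assumed for this
# example; the destination addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-03-15T10:01:02Z action=allow proto=tcp src=10.0.5.23 dst=10.0.5.40 dport=445
2018-03-15T10:01:09Z action=allow proto=tcp src=10.0.5.23 dst=203.0.113.77 dport=445
# comment line: the parser must skip lines it does not understand
2018-03-15T10:02:11Z action=allow proto=udp src=10.0.5.31 dst=198.51.100.9 dport=137
2018-03-15T10:02:40Z action=allow proto=tcp src=10.0.5.31 dst=198.51.100.9 dport=443
2018-03-15T10:03:05Z action=deny proto=tcp src=10.0.5.44 dst=203.0.113.77 dport=139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    """True when the address lies outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text, include_denied=False):
    """Return records for SMB/NetBIOS traffic leaving the internal ranges.

    Allowed connections are the findings that matter (the egress filter did
    not hold). Denied ones are optionally included because an internal host
    that keeps trying to reach external port 445 is itself worth a look.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"], rec["dport"]) not in SMB_PORTS:
            continue
        if not is_external(rec["dst"]):
            continue
        if rec["action"] != "allow" and not include_denied:
            continue
        hits.append(rec)
    return hits


def by_source(hits):
    """Group findings by internal source host for triage."""
    grouped = {}
    for rec in hits:
        grouped.setdefault(rec["src"], []).append(
            (rec["dst"], rec["proto"], rec["dport"]))
    return grouped


if __name__ == "__main__":
    findings = find_smb_egress(SAMPLE_LOG, include_denied=True)
    for src, targets in by_source(findings).items():
        print(src, "->", targets)
```

Internal-to-internal SMB (the first sample line) is normal file-sharing traffic and is deliberately not flagged; the point is SMB leaving the network, which is what the document-fetch technique described above depends on.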

The Register asked DHS if it could provide any further details about whether any damage had been done by these attacks and whether any response has been considered or enacted. We haven’t heard back. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/15/dhs_fbi_blame_russian_government_for_dragonfly_attack_on_infrastructure/

FYI: There’s a cop tool called GrayKey that force unlocks iPhones. Let’s hope it doesn’t fall into the wrong hands!

A secretive unlocking tool offered to cops and government agents has some computer security bods worried over its privacy implications.

Known as GrayKey, the box is reportedly being marketed as a way to unlock iPhones without needing the passcode. The hardware is reportedly offered in two forms: an internet-connected model that costs $15,000 with a 300-use limit, and an offline model costing $30,000 with no unlock limit.

The GrayKey site itself is hidden behind a registration wall, and maker GrayShift simply says the product “is not for everybody”. The biz did not respond to a request for comment.

Antivirus outfit MalwareBytes says it was able to get a closer look at the device and its underlying technology, and the company does not like what it sees. Researcher Thomas Reed said the device carries with it some “significant security risks”.

According to Reed, who was able to get details on the product via an anonymous source, the GrayKey is actually a small box that contains a pair of Lightning cable connectors. An iPhone is plugged into the device and, after anywhere from two hours to three days (depending on the length of the access code), the phone is unlocked and its contents captured and uploaded by the device.

The MalwareBytes researcher suspects that, like the better-known Cellebrite unlocking tools, GrayKey uses one or more zero-day flaws in iOS to brute-force unlock the handsets.

From there, Reed says, law enforcement can use a browser to view the contents of the handset and its keychain.

The problem, says Reed, arises when the device, a 4x4x2-inch box, is stolen from police or otherwise put into the wrong hands. In particular, the more expensive “offline” model runs with nothing more than a hardware token for authentication.

“Once off-site, it would continue to work,” Reed explains.

“Such a device could fetch a high price on the black market, giving thieves the ability to unlock and resell stolen phones, as well as access to the high-value data on those phones.”

Reed notes that other devices designed to unlock or flash iPhones, such as the IP-Box diagnostic tool, have indeed fallen into the hands of criminals and were used to get around the handset’s security protections.

Even if the device isn’t stolen, the unlocking procedure it uses could be exploited by bad actors after an iPhone is returned by police.

“What happens to the device once it is released back to its owner? Is it still jailbroken in a non-obvious way?” Reed asks.

“Is it open to remote access that would not normally be possible? Will it be damaged to the point that it really can’t be used as intended anymore, and will need to be replaced? It’s unknown, but any of these are possibilities.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/16/alarms_sounded_over_graykey_iphone_unlock_box/

Are DDoS Attacks Increasing or Decreasing? Depends on Whom You Ask

Details on DDoS trends can vary, depending on the reporting source.

Distributed denial-of-service (DDoS) attacks remain unpredictable and dangerous for enterprises, but actual details on how the threat is evolving can differ substantially by the reporting source.

Two reports released this week, one by Verisign and the other from Nexusguard, are good examples. Both vendors reported a general increase in multivector attacks and an overall decrease in the number of DDoS attacks in the fourth quarter of 2017 compared to the prior quarter but differed on the details based on data gathered from their customer engagements.

Nexusguard reported a 12% decrease in DDoS attacks between the fourth quarter of 2016 and the same quarter in 2017, and a more than 16% drop in attacks between the third and fourth quarters last year. Verisign pegged the decrease in DDoS attacks during the same period at a somewhat higher 25% and said the number of attacks has continued to decrease from quarter to quarter.

Nexusguard says multivector, blended threats represented some 56% of recorded attacks last quarter while single-vector attacks accounted for just over 43%. Two-vector attacks — such as those combining UDP and DNS — accounted for nearly 33% of all multivector attacks, while three-vector attacks accounted for about 15%, according to Nexusguard.

Verisign, meanwhile, says a massive 82% of the DDoS attacks it mitigated in the fourth quarter of last year employed multiple attack types. While Nexusguard had two-vector attacks as the most common multivector attack type, Verisign says 46% of multivector attacks it encountered involved five or more attack types.

The largest DDoS attack that Verisign dealt with last quarter topped out at 53 Gbps, while Nexusguard said the largest one it encountered weighed in at over 231 Gbps. Both vendors had roughly the same estimates for average peak attack sizes, with a substantial proportion falling under 10 Gbps. Verisign, however, noted a 32% year-over-year decrease in the average of attack peak sizes.

For Nexusguard, one key takeaway from its observations last quarter was the sharp increase in amplification attacks involving DNSSEC-enabled servers. Nexusguard says the number of DNS reflection attacks in the fourth quarter of 2017 soared nearly 110% over the preceding quarter, while DDoS attacks using DNS amplification increased nearly 358% compared with the fourth quarter of 2016.

The decrease in DDoS attacks during the fourth quarter of 2017 that both Verisign and Nexusguard reported is somewhat at odds with reports from other vendors. Martin McKeay, global security advocate and lead author of Akamai’s recently released State of the Internet Security Report, for instance, says DDoS attack volumes have only increased over the past few years.

“Akamai saw an almost identical number of attacks in Q4 2017 vs. Q3 2017, though the number of attacks had grown by 14% since the same time in 2016,” he says. “From what we’ve seen, the number of attacks has been relatively steady quarter over quarter recently, and has grown significantly year over year for as long as we’ve been tracking the count of attacks.”

The same is true of attack sizes, he says. “While we’d seen a general downward trend throughout 2016 in the median size of attacks from slightly over 1 Gbps, that trend changed in the second half of the year, to climb back to a median attack size of 750 Mbps,” he says.

Similarly, Akamai has not seen a significant increase in attacks involving DNS- and DNSSEC-enabled domains. McKeay says DNS and DNSSEC have been a component of approximately 25% of the attacks Akamai has seen for several years.

Ashley Stephenson, CEO of Corero, has similar views on DDoS trends and says he hasn’t seen anything to suggest a recent decline in number of attacks. Like McKeay, Stephenson says Corero hasn’t observed the sharp increase in DNSSEC amplification attacks that Nexusguard reported, though he agrees that multivector attacks have become more common.

The differences in reports, according to Stephenson, have a lot to do with how and where the data is captured and even with how different organizations define DDoS attacks. For an organization in the online gaming industry, for instance, traffic of something in the 500 Mbps to 1 Gbps range could be enough to constitute a DDoS attack. “An attack of that size is not going to be significant to a large financial institution or a bank that has a large data center,” and probably wouldn’t be counted as a DDoS attack.

Average attack size can also often be misleading, says McKeay. In many cases, one or two large attacks can easily throw reporting out of balance, which is why it is better to track median attack size instead, he says. “Large attacks, or a lack of, can easily skew an average attack-size metric, making the number unreliable.”

Where the attack is measured can make a big difference as well. Attacks that are measured close to the source will be substantially larger than attacks that are measured close to the destination or target — sometimes by a 10-to-1 factor, Stephenson says.

A content delivery network, for instance, might measure the source of an attack, but the reality is that a lot of the traffic at the source will never get to the destination, he says. Similarly, a service provider might report on DDoS traffic from somewhere in the middle, away from the source and the destination, and the numbers they observe will be different from the numbers at the destination. So, while you might have terabits of data at the origin, what comes out at the other end of the funnel can be much smaller, Stephenson says.

“Ultimately, if you are an enterprise you have to be most concerned about what impacts you,” Stephenson says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/are-ddos-attacks-increasing-or-decreasing-depends-on-whom-you-ask/d/d-id/1331291?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Intel: Our next chips won’t have data leak flaws we told you totally not to worry about

Intel has claimed its future processors – shipping as early as the second half of this year – will be free of the security design flaws it totally told you not to fret about.

Over the past couple of months, it has been incredible watching Chipzilla revise its position, in public and behind the scenes, over and over again.

In public statements and private briefings to reporters and analysts, it has shifted from claiming these bugs are overblown and not a problem, to admitting they are a problem but are easy to mitigate, to confessing they are not so easy to mitigate but at least there are no ill effects, to conceding there are some ill effects but it’s nothing to worry about, to finally confirming: the issues are so embarrassing, we’ve redesigned our processors to address the design blunders.

Spooky bugs

Meltdown and Spectre are both processor-level vulnerabilities that make it possible for code running in user-mode – which might include malware on a system or even malicious JavaScript served through rogue ads – to read from portions of protected kernel memory or other applications’ memory, snaffling passwords and other sensitive information in the process.

Meltdown breaks the isolation between user applications and the operating system. Spectre, which is harder to exploit but also more dangerous, breaks the isolation between different applications.

Essentially, the design blunders are the result of engineers putting speed over security. The CPU cores can be tricked into revealing the contents of private memory to another process, when there ought to be mechanisms in place to prevent this leakage of information. Modern processors do include such access checks, but they can be bypassed.

Meltdown primarily affects Intel processors. Spectre – so named because it involves flaws in the speculative execution technology that speeds the work of most modern processors – affects a much larger range of processor makers including AMD and Arm. Smartphones, servers and cloud services as well as PCs were at risk of attack.

Operating system developers and cloud service providers have released and rolled out patches to defend against both Meltdown and Spectre while the world waits for silicon designers to address the security shortcomings.

Today we’re told Intel’s upcoming desktop and server processors won’t be vulnerable to Meltdown and one of the two Spectre variants. Specifically, Meltdown and Spectre Variant 2 will be fixed in hardware, whereas Spectre Variant 1 will be fixed in software. Meltdown allows a software nasty to access kernel and thus other applications’ memory. Spectre Variant 2 can be exploited by malware to read kernel memory, and Spectre Variant 1 allows evil code to snoop on application memory – typically, JavaScript in one browser tab spying on another tab. Variant 1 can be fixed by patching programs to thwart Spectre-based attacks.

Chipzilla has, we’re told, redesigned its processor architecture to introduce “partitioning” to prevent malware from exploiting the data-leaking vulnerabilities to steal passwords and other sensitive information from applications, hypervisors, and operating systems.

Assuming the fixes work. Intel has cocked that up recently in its microcode workarounds for Spectre.

“These changes will begin with Intel’s next generation Xeon Scalable processors, as well as 8th Generation Intel Core processors expected to ship in the second half of 2018,” Intel said on Thursday.

In other words: patch your systems, or buy new chips to avoid that faff. There’s no word yet on whether or not the tweaks to the chip circuitry will affect performance, nor the technical details of the changes. Each chip generation introduces a modest speed-up over the previous generation: the upcoming chips may not offer much of a performance increase this time around due to these necessary redesigns.

“Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors,” Intel chief exec Brian Krzanich said earlier today.

Krzanich added that Intel has now released microcode updates for all of its products launched in the past five years that require Spectre and Meltdown workarounds. These should be available from operating system and motherboard makers.
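Whether the microcode and operating-system workarounds described above are actually active on a given machine is something an administrator can check rather than assume. On Linux, kernels since 4.15 expose one file per issue under `/sys/devices/system/cpu/vulnerabilities/` (`meltdown`, `spectre_v1`, `spectre_v2`), each containing a status that starts with `Not affected`, `Mitigation:` or `Vulnerable`. The script below is an added example, not Intel’s or The Register’s code: it reads that directory when present and classifies each entry, so a fleet report can list which hosts still need patching. The sample entries are constructed and the exact wording after the colon varies by kernel version, which is why the classifier only looks at the prefix.

```python
import os

# Per-issue status files exposed by Linux 4.15 and later.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what the files might contain on a partly patched host
# (the text after "Mitigation:"/"Vulnerable" depends on the kernel version).
SAMPLE_ENTRIES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def read_sysfs(path=SYSFS_DIR):
    """Read every status file in the vulnerabilities directory.

    Returns an empty dict on kernels/platforms that do not expose it, so the
    caller can tell "no data" apart from "not affected".
    """
    entries = {}
    if not os.path.isdir(path):
        return entries
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as fh:
                entries[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry: leave it out rather than guess
    return entries


def classify(status):
    """Map a status line to one of four states by its prefix only."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not affected"     # hardware fix or unaffected design
    if s.startswith("mitigation"):
        return "mitigated"        # software/microcode workaround active
    if s.startswith("vulnerable"):
        return "vulnerable"       # issue present, no workaround active
    return "unknown"              # empty or unrecognised wording


def assess(entries):
    """Classify every entry: {issue_name: state}."""
    return {name: classify(text) for name, text in entries.items()}


def needs_attention(entries):
    """Issues that are vulnerable or could not be classified."""
    return sorted(name for name, text in entries.items()
                  if classify(text) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    entries = live if live else SAMPLE_ENTRIES
    print("source:", "sysfs" if live else "constructed sample")
    for name, state in assess(entries).items():
        print(f"{name:12s} {state:13s} {entries[name]}")
    print("needs attention:", needs_attention(entries))
```

A host whose future chip fixes Meltdown and Spectre Variant 2 in hardware would show `Not affected` for those two entries while still relying on a `Mitigation:` line for Variant 1, which matches the split Intel describes above.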

Infosec expert Professor Alan Woodward, of the University of Surrey in England, commented: “It looks as though Intel accept that whilst they can fix variant one with software updates, the other two remain a threat. They’re going to have to change their architecture but it’s a bit light in detail.

“They talk of partitioning, which is good as the whole problem was being able to access data to which your app was not supposed to have access. However, what’s not clear is quite how this will work and if it will completely defeat this type of side channel attack.”

Prof Woodward added that it will be interesting to see what this hardware approach does to execution speed. CPU performance was impaired by earlier software patches, some of which proved problematic to apply.

“The unsaid part is of course that existing hardware will continue to have some vulnerability. Some of this might be mitigated but it’s not going to be removed,” he concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/15/intel_spectre_mitigation/

Online Ads vs. Security: An Invisible War

Why visiting one website is like visiting 50, and how you can fight back against malvertisers.

If you’ve visited a news site recently, you’re probably aware of the war between these sites and ad blockers. It’s understandable — these outlets need advertising revenue to make money, so they need their visitors to watch ads.

[Image. Source: Corey Nachreiner]

However, you may be less aware of the invisible war between web complexity and security that’s happening because of modern advertising and analytics. Unfortunately, the same mechanisms that allow news sites to quickly add revenue-generating advertisements also lead to horribly complex and potentially insecure Web applications, which criminal “malvertisers” exploit.

To illustrate this complexity-versus-security issue, I visited an average site using one of my favorite security plug-ins: NoScript.

NoScript is a great Firefox browser plug-in that blocks all active scripting such as JavaScript, Java, Flash, ActiveX, etc., on a Web page by default. There are similar extensions, such as ScriptSafe, for other browsers. Doing this helps protect you from many types of web-based attacks, since they usually require scripting to succeed.

Many legitimate sites use scripting for reasonable things such as advertisements, so using these extensions becomes a process of whitelisting the real sites that you want to let run script, while blocking unknown and suspicious domains. Using these plug-ins also shows how many different domains you actually visit when you go to “one” Internet site.

Let’s look at an example: CNN.com.

When you first visit CNN.com with a fresh, default installation of NoScript, you don’t see much at all because the extension even blocks CNN’s scripts. NoScript warns me that it blocked 31 items — a mixture of scripts and fonts.

[Screenshot; source: Corey Nachreiner]

NoScript’s dropdown menu shows all the extra content from other domains that CNN wants to load. I’ll begin sparingly, and just allow script and content that comes from CNN’s specific domain. This means continuing to ignore script from Chartbeat.com, Optimizely.com, and Sharethrough.com.

[Screenshot; source: Corey Nachreiner]

I’ve personally used these plug-ins enough that I recognize those domains and know they’re “legitimate.” Chartbeat is data visualizing software, Optimizely is a third-party site optimization tool and Sharethrough is advertising software. While I might recognize those domains from experience, how would the average user know this? More importantly, each domain CNN trusts adds more potential attack surface. If one of those third parties is careless, CNN’s site and visitors might pay too.

After I trust the CNN.com domain, the site reloads again. This time NoScript allows CNN’s scripts to run, and I can start to see some page content. Now NoScript warns that seven more untrusted scripts have tried to run, because the scripts I’ve allowed from CNN are loading more content from other domains. The image below only represents part of the results, as it scrolls off the page.

[Screenshot; source: Corey Nachreiner]

This time, I get a little more generous with my trust. I recognize Google, Amazon, Twitter and Bing, so I trust anything with those in the name (even if it isn’t the root domain). I figure CNN.io and CNN.net are also part of CNN, so I trust those too. Another page reload, and another NoScript result. This time, despite trusting so much more, the site attempts to run 24 newly blocked scripts and loads content from even more domains.

[Screenshot; source: Corey Nachreiner]

By now, you see the trend. CNN’s page is loading a ton of scripted content from other third-party domains, which in turn loads more content from other third parties. In the end, I eventually “trust” every single thing CNN wants me to and get this final list of all the domains CNN.com loads.

[Screenshot; source: Corey Nachreiner]

So, I visited one page in my browser — CNN.com — and it loaded content from 47 other domains and ran many scripts from other domains.

In this case, CNN.com isn’t compromised, but imagine if CNN did suffer some flaw that allowed attackers to inject code, like a hidden iframe. How would anyone spot one malicious domain, when normal sites typically load so much third-party content already?

Worse yet, what if one of those third parties got compromised? If an advertising network got infected by a criminal that bought ad space for malicious purposes, the hidden iframe might come from one of these other domains CNN is trusting. In fact, malvertising — malicious advertising — campaigns are common nowadays, and often go undetected for long periods of time. A site like CNN makes a great “watering hole” to infect a big pool of victims.

This isn’t unique to CNN and I don’t mean to pick on it specifically. The issue is that the industry has moved toward accepting complexity as standard practice.

Tools like NoScript let users protect themselves from some of the risks of malicious advertisements, and I suggest everyone use them until the industry simplifies some of these websites or gets smarter about how they deliver targeted ads.

In short, we are at an impasse between ad revenue and security. Sites need to generate revenue, but the complexity from these third-party connections introduces potential insecurities and a wider attack surface. There should be a balance between security and acceptable business risks, but this level of website complexity tips the scales too far away from security.
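To make the domain inventory from the screenshots reproducible without a browser plug-in, here is an added Python example (not code from the article, from NoScript, or from CNN) that pulls active-content sources (script, iframe, embed, object) out of a page’s HTML, groups them by registrable domain relative to the first-party site, and then, for the site-operator side of the same problem, turns an approved set of third parties into Content-Security-Policy directives. The sample HTML is constructed: the three third-party domains from the article are real names, but the hostnames under them, the ad-network domain and the allowlist are placeholders, and the registrable-domain logic is a two-label approximation rather than the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a news front page (not a real capture). Chartbeat,
# Optimizely and Sharethrough are the domains named in the article; the
# hostnames under them and the remaining domains are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="https://www.cnn.com/js/app.js"></script>
<script src="https://static.chartbeat.com/js/chartbeat.js"></script>
<script src="https://cdn.optimizely.com/js/123.js"></script>
<script src="https://native.sharethrough.com/assets/sfp.js"></script>
<link rel="stylesheet" href="https://www.cnn.com/css/main.css">
</head><body>
<script src="//www.googletagservices.com/tag/js/gpt.js"></script>
<iframe src="https://ads.example-adnetwork.test/frame"></iframe>
<img src="https://i.cdn.cnn.com/x.png">
<script>inline();</script>
</body></html>
"""

# Tags that pull in active content, and the attribute carrying their URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
# CSP directive that governs each of those tags.
DIRECTIVE_FOR_TAG = {"script": "script-src", "iframe": "frame-src",
                     "embed": "object-src", "object": "object-src"}


class _SourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every active-content element with a URL."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:  # inline <script> blocks have no src and are skipped
            self.sources.append((tag, url))


def extract_active_sources(html):
    parser = _SourceCollector()
    parser.feed(html)
    return parser.sources


def registrable_domain(host):
    # Approximation of eTLD+1: keep the last two labels. Fine for .com/.io/.net;
    # a production tool would consult the Public Suffix List (co.uk etc.).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_domains(html, site_host):
    """Sorted registrable domains, other than the site's own, that serve active content."""
    site = registrable_domain(site_host)
    found = set()
    for _tag, url in extract_active_sources(html):
        host = urlparse(url).hostname  # handles scheme-relative //host/... too
        if not host:
            continue  # relative URL: first party by definition
        domain = registrable_domain(host)
        if domain != site:
            found.add(domain)
    return sorted(found)


def build_csp(html, site_host, allowed_domains):
    """Per-directive source lists: 'self' plus first-party and approved third-party hosts."""
    site = registrable_domain(site_host)
    policy = {}
    for tag, url in extract_active_sources(html):
        sources = policy.setdefault(DIRECTIVE_FOR_TAG[tag], {"'self'"})
        parsed = urlparse(url)
        if not parsed.hostname:
            continue
        domain = registrable_domain(parsed.hostname)
        if domain == site or domain in allowed_domains:
            sources.add(f"{parsed.scheme or 'https'}://{parsed.hostname}")
        # Anything else (e.g. the unapproved ad-network iframe) is left out,
        # so the browser blocks it even if the markup is injected later.
    return {directive: sorted(srcs) for directive, srcs in policy.items()}


def render_csp(policy):
    return "; ".join(f"{directive} {' '.join(srcs)}" for directive, srcs in policy.items())


if __name__ == "__main__":
    print("third parties:", third_party_domains(SAMPLE_HTML, "www.cnn.com"))
    print(render_csp(build_csp(SAMPLE_HTML, "www.cnn.com", {"chartbeat.com", "optimizely.com"})))
```

The inventory only sees what the static HTML references; as the article shows, trusted scripts then load further domains, so a complete picture needs the same pass over each fetched script or the browser-side view NoScript gives. The CSP half shows the operator-side control the article hints at: anything not on the allowlist is dropped by the browser, which is the check that would have caught an injected iframe from an unapproved domain.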

For more, Corey Nachreiner has a video on the topic, available here


Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, …

Article source: https://www.darkreading.com/endpoint/online-ads-vs-security-an-invisible-war/a/d-id/1331236?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trump Administration Slaps Sanctions on Russian Hackers, Operatives

A two-pronged and mostly symbolic strategy names and shames Russia for US election-tampering and hacking of critical infrastructure.

The Trump administration today shifted gears and called out Russia for cyberattacks and online election-meddling by levying financial sanctions against five organizations and 15 individuals in Russia as well as by issuing an alert on that nation’s targeting of US critical infrastructure and energy networks.

It was a double-whammy but mostly symbolic move by the administration that came in the wake of international pressure after months of lukewarm response to Russian cyber threats. The administration late last month chimed in after the UK in naming Russian military hackers behind the crippling NotPetya ransomware campaign in June 2017 aimed at destabilizing Ukraine and that spread to other nations, including the US. Via a statement from the White House Press Secretary’s office, the administration warned that the attacks “will be met with international consequences.”

The sanctions announcement today by the US Department of Treasury as well as the US Department of Homeland Security (DHS) US-CERT alert hit after a joint statement this morning by the US, UK, Germany, and France that Russia was behind the so-called military-grade nerve-agent attack on former Russian spy Sergei Skripal and his daughter in the UK last week.

Among the sanctioned Russians are officials with the Russian military agency, aka the GRU, hackers, and 13 so-called troll operatives from Russia – including the infamous Internet Research Agency (IRA) – who previously were indicted by special counsel Robert Mueller for meddling in the 2016 US presidential election. Treasury announced the moves as part of the Countering America’s Adversaries Through Sanctions Act (CAATSA) as well as Executive Order 13694 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities).

The timing was right politically for the administration to pivot and turn up the heat on Russian hacking, experts say, even though sanctions are mostly symbolic. “Talking tough on Russia and doing sanctions on meddling would be a tacit admission of Russia playing in our elections and could be used by others to continue to question his legitimacy as president,” explains John Bambenek, a vice president at cybersecurity firm ThreatSTOP. “The chief geopolitical mistake Russia made were those flagrant assassinations in the UK. Now it’s possible to pivot to where I think they wanted to be without being in the mire of ‘Putin elected Trump.’”

The US Department of Homeland Security (DHS) and the FBI, meanwhile, issued an alert via US-CERT that warns of a known multi-stage attack campaign by Russian government hackers to collect intel on US energy ICS networks. The alert calls out a specific and known Russian APT threat group, Dragonfly, which long has been targeting US energy entities. The agencies also issued indicators of compromise as well as technical details of the attack patterns, which include spear-phishing attacks using compromised, legitimate email accounts as their first “staging” target victims, which then provide entrée into the ultimate larger targets, ICS networks. 

“The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in US elections, destructive cyberattacks, and intrusions targeting critical infrastructure,” Treasury Secretary Steven T. Mnuchin said in a statement. “These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia. Treasury intends to impose additional CAATSA sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the US financial system.”

The sanctioned Russians and organizations will have any assets in the US frozen, and will be unable to conduct business with Americans. Under an amended Executive Order 13694, the 13 troll operatives with IRA were named, as well as the IRA and other organizations involved. Under the CAATSA sanctions, the US named Russia’s Federal Security Service (FSB), GRU, and five Russian individuals: Sergei Afanasyev, associated with the GRU; Vladimir Alexseyev, associated with the GRU; Sergey Gizunov, associated with the GRU; Igor Korobov, associated with the GRU and its chief as of January of this year; Igor Kostyukov, associated with the GRU; and Grigoriy Molchanov, also associated with the GRU.

Those five Russians had previously been sanctioned under the Obama administration.

President Donald Trump in March 2017 quietly extended for one year the “national emergency” executive order issued by his predecessor Barack Obama that ultimately led to the sanctions and retaliatory measures taken by the Obama administration against Russian officials for that nation’s role in hacking activities targeting the US election.  

Status Quo

Security experts don’t expect the sanctions to force Russia to curb its cyberattacks against the US. “The Russians will hit back on sanctions with [more] cyberattacks,” says Tom Kellermann, chief cybersecurity officer with Carbon Black.

Russia also may slap the US with some sanctions of its own, notes ThreatSTOP’s Bambenek. “I think we have run out of the ‘easy’ sanctions that can cause impact. Most of the 13 indicted are, in effect, nobodies,” he says. “I suspect Russia’s first shot at retaliation is going to be at the UK because that is higher profile. I think Russia would like to do something to us on cyber-sanctions” especially in the wake of the US government’s ban on Kaspersky Lab software, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/trump-administration-slaps-sanctions-on-russian-hackers-operatives/d/d-id/1331288?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptojacking Threat Continues to Rise

Unauthorized cryptocurrency mining can consume processing power and make apps unavailable as well as lead to other malware.

The latest malware threat doesn’t encrypt your files, delete your data, steal your information, or even deface your website: All it does is steal your productivity and electricity in order to make money for the attacker. And it’s becoming a huge threat to corporate IT.

Cryptocurrency miners have been in the news as legitimate miners search out towns with cheap electricity and plentiful empty space. Unethical and criminal cryptocurrency miners have discovered that the cheapest electricity is power that someone else pays for, and the most plentiful space is that in someone else’s data center. And the rewards of cryptocurrency speculation make the (currently small) risk of discovery worth it for many actors.

In a new report, researchers at Secureworks note that the cryptocurrency market grew from approximately $18 billion to more than $600 billion during 2017. The rise in value has been accompanied by a rise in crypto-miner malware. Secureworks says that the number of alerts related to cryptocurrency mining they’ve seen in their client base has jumped significantly, from 40,000 in May of 2017 to over 280,000 in October 2017. While settling back slightly, they say that the number of “cryptojacking” alerts has remained high through February of this year.

Risks Rise

Unauthorized cryptocurrency mining can cause critical servers and applications to become unavailable as their processing capacity is consumed. Even more worrisome is the fact that the threat actors, who have infected the computers with cryptocurrency mining malware, can and will deploy additional and potentially more lethal malware onto these systems, such as banking Trojans or ransomware.

“There’s a temptation for people to see the miners as a lesser danger because they’re less disruptive, but they’re not a good thing to have on your network,” says Mike McLellan, Secureworks Counter Threat Unit (CTU) Sr. security researcher. “They signify a failure of technical controls.”

McLellan says that his group is trying to raise awareness of the problem so that companies will see cryptocurrency miners as a security issue on the same level as banking Trojans and other well-known types of malware because monitoring networks are seeing a shift to the miners from older types of intrusion. “I think a lot of organizations will have these on their networks,” he says, simply because they’re becoming a popular way for criminals to make money.

Criminals have become creative in finding ways to place cryptocurrency miners on victims’ systems. “I think one of the interesting things is the sheer breadth of the delivery mechanisms being used,” McLellan explains. “We’ve seen scan exploit techniques as well as spam and Web link poisoning.”

Other researchers have found criminal networks using the NSA’s EternalBlue exploit to plant miners on more than half a million PCs. Secureworks reported on attackers who exploited unpatched vulnerabilities in Oracle WebLogic servers to embed miners on both Windows and Linux servers.

Vulnerabilities in Web servers have also been exploited, as researcher Troy Mursch demonstrated when he found more than 50,000 websites (including many based on WordPress) that have been infected and are now busily mining cryptocurrency for their controllers.

Illicit Mining’s Impact

McLellan says that convincing computer owners of the seriousness of cryptojacking attacks can be difficult since the immediate impact is often invisible; electrical costs can go up and server performance can go down, though it can be difficult for an administrator to point immediately at a cryptocurrency miner as the reason.

Often, it’s not until the miner’s resource demands become too high that owners notice. “When the malware gets on business critical computers, the critical applications can become unstable or unusable because of the demands on the system of the cryptominers,” says McLellan.

In many ways, the mining malware’s more critical impact is as a harbinger of potential damage to come. Cryptojacking applications are a malicious payload that can be delivered through a variety of means. And if cryptojackers can be successfully delivered, so can other malware.

The rise in cryptojackers could also have an impact on open source development. Recently, criminals placed a cryptocurrency miner in a forked project on Github. Notably, this code also included limits on how much CPU resource the code could use – obviously an attempt to evade detection through one of the more notorious side-effects of miners.

“But cybercriminal cryptocurrency mining isn’t just about device wear and tear, or even the power consumption involved. It’s also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it,” Trend Micro senior product manager Menard Osena wrote in a recent blog post. “And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as they are common, using a plethora of ways to infect systems and even inadvertently turn their victims into a part of the problem.”

Because cryptocurrency miners tend to use existing exploit kits to carry their payload, existing defenses can work to keep them at bay. “The key message is that, if organizations are using good hygiene, they should be able to catch these,” McLellan says. “On the flip side, if you do these things to stop cryptocurrency miners, you also stop a number of other threats like ransomware. There’s nothing unique there, it’s just about doing the basics.”
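One consequence of the CPU-capped miner mentioned above is that a peak-based alert never fires, so a monitoring check has to key on how long a process stays busy rather than how busy it gets. The following is an added Python example, not code from Secureworks, Trend Micro or the article, that runs both checks over constructed per-minute CPU telemetry; the host and process names are placeholders, not indicators from the report.

```python
from collections import defaultdict


def _constructed_samples():
    """Constructed telemetry: (minute, host, process, cpu_percent), one row per minute."""
    samples = []
    nginx_pattern = [5.0, 12.0, 18.0, 25.0, 9.0]  # bursty but short-lived web load
    for minute in range(30):
        # A build job: a short burst at 90 %, then idle. Loud, but legitimate.
        samples.append((minute, "srv1", "build.sh", 90.0 if minute < 5 else 2.0))
        # A web server whose load never stays high for long.
        samples.append((minute, "srv1", "nginx", nginx_pattern[minute % 5]))
        # A CPU-capped miner stand-in (placeholder name): flat 24 % for the whole window.
        samples.append((minute, "srv1", "unknown-svc", 24.0))
    return samples


SAMPLES = _constructed_samples()


def _series_by_process(samples):
    """Group CPU readings per (host, process), ordered by time."""
    series = defaultdict(list)
    for _minute, host, proc, cpu in sorted(samples):
        series[(host, proc)].append(cpu)
    return series


def flag_by_peak(samples, threshold=80.0):
    """Naive check: any process that ever exceeds the threshold. Misses throttled miners."""
    return sorted(key for key, cpus in _series_by_process(samples).items()
                  if max(cpus) >= threshold)


def longest_run_above(cpus, floor):
    """Length of the longest unbroken stretch of readings at or above `floor`."""
    best = run = 0
    for cpu in cpus:
        run = run + 1 if cpu >= floor else 0
        best = max(best, run)
    return best


def flag_sustained(samples, floor=20.0, min_samples=20):
    """Duration check: processes that sit above a modest floor for `min_samples` consecutive readings."""
    return sorted(key for key, cpus in _series_by_process(samples).items()
                  if longest_run_above(cpus, floor) >= min_samples)


if __name__ == "__main__":
    print("peak  :", flag_by_peak(SAMPLES))      # catches only the build job
    print("steady:", flag_sustained(SAMPLES))    # catches the flat 24 % process
```

The floor and window are the tunables: set the floor just above the host's normal idle noise and the window longer than any legitimate batch job, then review whatever remains against a list of expected long-running processes. The sustained check is a triage signal rather than a verdict, which is consistent with McLellan’s point that a miner is evidence a control failed upstream, not the whole incident.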


Curtis Franklin Jr. is executive editor for technical content at InformationWeek. In this role he oversees product and technology coverage for the publication. In addition he acts as executive producer for InformationWeek Radio and Interop Radio where he works with …

Article source: https://www.darkreading.com/threat-intelligence/cryptojacking-threat-continues-to-rise/d/d-id/1331289?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple