For years, CSOs have been fighting botnets that steal processing power from servers infected with cryptomining malware. On Tuesday, cloud computing provider Akamai described a potential countermeasure: a proof-of-concept tool that lets defenders stop a mining botnet's proxy servers from profiting off compromised enterprise computers.

In its report, Akamai said that, by using the tool, it was able to get one cryptomining proxy (a server that sits between the infected miners and the mining pool and relays their work) banned from its pool. That proxy was generating roughly US$26,000 a year, and banning it halted mining by every victim connected to it. Had Akamai targeted the remaining proxies in this botnet, it believes the attackers might have abandoned the campaign.

The researchers admit that those behind this particular campaign could try to make changes to the botnet to put it back into action – but if they did, they’d risk being identified.

However, botnet operators don't always use a proxy. In many cases, victims connect directly to the pool. Because the pool bans the source that submitted the invalid work, submitting bad shares in that setup simply gets the defender's own IP address banned from the pool without affecting the mining operation.

In that case, Akamai proposes giving the tool the capability to target the botnet's wallet instead. The miner logs in to the pool with the attacker's wallet address, so that address must be present in the miner configuration on every victim machine, and defenders who recover it from a single infected host can turn it against the campaign with Akamai's tool, XMRogue. The tactic uses a script to send more than 1,000 simultaneous login requests using the attacker's wallet, which forces the pool to ban the wallet.

This tactic can interrupt mining operations that have no proxy to target, but it isn't a permanent solution, Akamai admits. In its test, once the flood of login connections stopped, the campaign's mining rate recovered.

“The tool we shared is currently a proof of concept, not yet ready for production use,” report author Maor Dahan said in an email to CSO. While the technique requires some expertise to use effectively, he said one of its key strengths is that a single organization can take down an entire botnet and “release” all the victims, even those who never knew they were compromised.

“Our goal is to spark new detection and prevention strategies, and eventually enable CSOs to quickly mitigate the impact of active cryptominer campaigns,” the report said.

Still, cybersecurity experts believe the tool has promise.

“I love this,” said David Shipley, CEO of Canadian security awareness provider Beauceron Security. “Imposing costs is the only way we win in the long run against cybercrime. This isn’t a silver bullet, but it will be a major pain for cryptominer botnet creators and maintainers. As those costs rise, it helps break the criminal business model.

“This is clever, helpful, and much needed,” he added. “On the downside, cryptomining criminals may move from this mostly annoying level of crime into more destructive crime as these kinds of disruption efforts get results.”

The method appears to work, noted Rob T. Lee, chief of research at the SANS Institute. It’s backed by a proof-of-concept and real data, he told CSO in an email, and could be used by blue teams, incident responders, or SOC analysts and not just specialized researchers.

But, he added, the tool won’t be a long-term fix. “Smarter botnets will adapt,” he said. “Decentralized ones won’t care.”

A rare win for defenders

Still, he said, “Akamai just published a rare win for defenders, which in the cryptomining botnet space is truly rare. Being able to dismantle infrastructure — similar to attacking ransomware as a service infrastructure — there will be immediate wins … if the capability is active.”

Akamai says the idea behind its tool is simple: by connecting to a malicious proxy as if it were just another miner, defenders can submit invalid mining job results, what Akamai calls “bad shares,” which pass through the proxy's validation and are forwarded to the pool under the proxy's own identity. The pool verifies each share itself, so a run of consecutive bad shares eventually gets the proxy banned, effectively halting mining for every bot behind it.
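To make concrete why the same bad shares cripple a proxied botnet but not a direct-to-pool one, and why the wallet login flood only works while it lasts, here is an added toy simulation of a Stratum-style pool, a non-validating proxy and the two tactics the article describes. It is illustrative code written for this page, not Akamai's XMRogue and not any real pool's software; the hash function (SHA-256 standing in for RandomX), the ban thresholds, the IP addresses and the wallet string are all constructed assumptions.

```python
"""Toy model of a mining pool, a mining proxy and two disruption tactics.
Constructed simulation for illustration: the hash, ban thresholds and
addresses are assumptions, not Akamai's code or any real pool's policy."""
import hashlib
from collections import defaultdict

BAD_SHARE_LIMIT = 3       # assumed: pool bans a source IP after 3 consecutive bad shares
LOGIN_FLOOD_LIMIT = 1000  # assumed: pool refuses a wallet with more than 1000 open sessions
TARGET = 2 ** 248         # toy difficulty; stands in for RandomX plus the pool's difficulty
ATTACKER_WALLET = "4attacker-wallet-address"   # constructed, not a real address


def share_hash(job_id: str, nonce: int) -> int:
    """Stand-in for the proof-of-work hash. The pool recomputes it itself, so
    neither a miner nor a proxy that skips validation can fake a valid result."""
    return int.from_bytes(hashlib.sha256(f"{job_id}:{nonce}".encode()).digest(), "big")


def find_nonce(job_id: str, valid: bool, start: int = 0) -> int:
    """Find a nonce that meets (valid=True) or misses (valid=False) the target.
    An honest miner wants the first; a defender crafting bad shares wants the second."""
    nonce = start
    while (share_hash(job_id, nonce) < TARGET) != valid:
        nonce += 1
    return nonce


class Pool:
    """Validates shares, tracks bad-share streaks per IP and open logins per wallet."""

    def __init__(self):
        self.bad_streak = defaultdict(int)
        self.banned_ips = set()
        self.open_logins = defaultdict(int)

    def login(self, wallet: str) -> None:
        self.open_logins[wallet] += 1

    def logout(self, wallet: str) -> None:
        self.open_logins[wallet] -= 1

    def wallet_blocked(self, wallet: str) -> bool:
        # Blocked only while the flood lasts: this is why mining recovers once the
        # defender's connections stop, matching what Akamai observed.
        return self.open_logins[wallet] > LOGIN_FLOOD_LIMIT

    def submit(self, src_ip: str, wallet: str, job_id: str, nonce: int) -> bool:
        if src_ip in self.banned_ips or self.wallet_blocked(wallet):
            return False
        if share_hash(job_id, nonce) < TARGET:
            self.bad_streak[src_ip] = 0
            return True
        self.bad_streak[src_ip] += 1
        if self.bad_streak[src_ip] >= BAD_SHARE_LIMIT:
            self.banned_ips.add(src_ip)   # every miner behind this IP is now cut off
        return False


class Proxy:
    """Relays shares from many bots to the pool under one IP and one wallet without
    re-checking them. That single shared IP is the bottleneck the tactic targets."""

    def __init__(self, pool: Pool, ip: str, wallet: str):
        self.pool, self.ip, self.wallet = pool, ip, wallet

    def submit(self, job_id: str, nonce: int) -> bool:
        return self.pool.submit(self.ip, self.wallet, job_id, nonce)


def bad_shares_via_proxy() -> dict:
    """Tactic 1: the defender joins the botnet's proxy as a miner and feeds it bad shares."""
    pool = Pool()
    proxy = Proxy(pool, "203.0.113.10", ATTACKER_WALLET)   # constructed proxy IP
    good = find_nonce("job-1", True)
    before = proxy.submit("job-1", good)                    # a real victim's share
    bad = -1
    for _ in range(BAD_SHARE_LIMIT):
        bad = find_nonce("job-1", False, bad + 1)           # distinct invalid nonces
        proxy.submit("job-1", bad)                          # defender's bad shares
    after = proxy.submit("job-1", good)                     # same victim, now rejected
    return {"victim_before": before, "victim_after": after,
            "proxy_banned": proxy.ip in pool.banned_ips}


def bad_shares_direct() -> dict:
    """Same bad shares when victims talk to the pool directly: only the defender is banned."""
    pool = Pool()
    good, bad = find_nonce("job-2", True), find_nonce("job-2", False)
    for _ in range(BAD_SHARE_LIMIT):
        pool.submit("198.51.100.7", ATTACKER_WALLET, "job-2", bad)   # defender's own IP
    return {"defender_banned": "198.51.100.7" in pool.banned_ips,
            "victim_still_mining": pool.submit("192.0.2.44", ATTACKER_WALLET, "job-2", good)}


def wallet_login_flood() -> dict:
    """Tactic 2: flood the pool with logins for the attacker's wallet, then stop."""
    pool = Pool()
    good = find_nonce("job-3", True)
    pool.login(ATTACKER_WALLET)                             # one real victim session
    for _ in range(LOGIN_FLOOD_LIMIT):
        pool.login(ATTACKER_WALLET)                         # defender's 1,000 sessions
    during = pool.submit("192.0.2.44", ATTACKER_WALLET, "job-3", good)
    for _ in range(LOGIN_FLOOD_LIMIT):
        pool.logout(ATTACKER_WALLET)                        # defender disconnects
    after = pool.submit("192.0.2.44", ATTACKER_WALLET, "job-3", good)
    return {"victim_during_flood": during, "victim_after_flood": after}
```

Running the three scenarios shows the asymmetry the article describes: through the proxy, the victim's valid share is accepted before the defender's bad shares and rejected afterwards, because the pool banned the proxy's IP; with direct connections, the defender's IP is banned while the victim's shares keep flowing; and the wallet flood blocks the victim only for as long as the extra sessions stay open. Real pools' thresholds and ban durations differ and are not published, so treat the constants as placeholders.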

To test the technique, Akamai ran XMRogue against a live mining campaign: it extracted the addresses of all of the campaign's mining proxies, identified the central proxy server, and got it banned from the pool. It worked. When Akamai first documented this campaign, it was generating almost $50,000 annually; after just one proxy was disrupted, the campaign’s annual revenue fell 76% to $12,000. By targeting additional proxies, Akamai believes the revenue could potentially have dropped to zero. “This kind of impact could easily force the attackers to abandon their campaign for good, or take a risk of being identified when making changes that are being monitored,” Akamai concluded.

This doesn’t remove the malicious code from the systems, Lee of the SANS Institute pointed out, but is essentially a disabling tactic to block the core infrastructure around the mining “in a very cool and creative way.”

It will still take astute incident responders and malware analysts to eliminate the botnet software on each endpoint, he pointed out. “However,” he added, “by being able to combine techniques targeting the botnets directly and the infrastructure, let’s consider this a massive win for today.”

A new way of thinking

As cyber attacks evolve, it’s important for organizations to have a clear approach to how they want to respond, commented Fernando Montenegro, vice-president and cybersecurity practice lead at The Futurum Group. “That response may be different at the individual organization level when compared to the public response at large. I mention this because I think actions such as these are really interesting and can be helpful, but to me, they fall closer to interdiction and public response more than individual organizations. Looking at the techniques themselves, I think it’s brilliant to go after the monetization goals that attackers have.” 

The ‘bad shares’ technique has proven highly effective, noted Akamai’s Dahan. “In some cases, it allowed us to completely shut down entire botnets. But our research goes beyond a single tool; it introduces a new way of thinking. Despite their distributed nature, malicious cryptomining networks almost always rely on a central ‘bottleneck’ that can be targeted to disrupt operations. While attackers may adapt to bypass this specific method, we believe defenders can uncover similar weak points across other cryptocurrencies and mining architectures.”
