Operation IHAZCOINS the new “Cyber” Espionage and Warfare Use-Case!
Back in December 2017 I was asked for my predictions of what are going to be the biggest new risks / threats. One of the topics I talked about was Cyber Currency and the fact that mining rigs are low hanging fruits for Nation-State inspired attacks that can and are wreaking havoc on unsuspecting mining rig operators and owners. In a discussion I had with the interviewer I stated that as crypto currencies become more valuable so too do the reasons why crypo wallet and rig harvesting make more and more sense as compared to the risks invovled of getting caught. Rig and Wallet Owners are primary targets and infecting these unsuspecting victims with new expoits that shapshift and transfer balances in smaller transactions become more and more the norm in $Random Nation-States black budget financing and espionage activities.
One of the interesting aspects is that we also can use these “rigs” to also process hash cracking jobs that one could send out as supposedly legitimate jobs or just own the rigs and include them in gpu based attack servers that could completely disrupt a country in no time. Imagine that type of firepower in certain types of number crunching based attacks or DDOS disruptions in combination to the latest memcache exploits that can be used from millions of website servers incorrectly configured. These are multiple types of risks that are not being tracked with classical security tech or those fancy schmancy AI based solutions out there. AI is a possible direction that we can use in the future but even here and now we are seeing more AI based attacks and they are (thank God) not real AI yet….
Security Industry Response
As in many other situations the typical security industry’s response to a new threat is to apply a (nuc) when a scapel or more detailed analysis and pinpoint solutions are actuallywhat was needed. Applying “sloppy” wide ranging “fixes” to a specific and unique risk is (IMHO) nonsense as you dilute the attack lessons learned and data that can be captured about what the end game really is (classical forensics and analysis… btw no sign of real AI here yet so thats also a common ruse and mistake $Random CISO makes when listening to a shiny sale pitch from $Random Cyber Defense Company) In addition finding out what the actual targets are for these attacks or applying some commonsense lead many in the security community to cry foul when the classification is (surprise, surprise) cyber crime. I have discussed for years the fact that our classification of cyber crime has and is broken because those classifiers that stamp cyber crime are just not looking at the whole attack picture. I sometimes wonder if no one actually teaches forensics in all those new shinny degrees at all these “expert” schools…. Anyway getting back to the reason for this post and IHAZCOINS.
Mining Rigs, OS’s and Security
If you are part of the “mining” industry or group you will have no doubt heard about which different types of mining pools and mining software exist that uses any “surplus” resources of systems in order to min alt (alternative) coins that are more economical than Bitcoin or Litecoin. We also see two main types of Linux and Windows software, mining and configuration groups that are widely used for Ethereum, Monero and other Alt coin mining. These rigs (the picture above is one of the test systems we used to POC different technology) have Windows or EthOS (a linux based derivative based on GPU mining rigs). EthOS currently has more than 500K GPUs and more than 88K rigs world wide (that are registered) using the OS. The windows numbers are not clear but should be the same to more than EthOS because of the ease of use in existing desktops. GPUs are the Graphical Processing Units of graphics cards which are great and fast at breaking and calculating hash values (or breaking them).
The EthOS website is here http://ethosdistro.com/
There are many websites use to download mining software one of which is: https://desktopmining.net/
Mining pools and charges
When you read the site is basicly states that they are in London, UK If you dig into the DNS information you will find that they have at least two Ips you can start to research into. One of those IPs leads to Singapor so not quite sure what that means without further analysis. The other IP shows up as CloudFlare and was involved in a few previous attacks to that IP. What this means is that without any real knowledge people are downloading software that mines varoius different coins based on your settings and processes jobs that seek to calculate hashes that result in values that are verified. These hashes can basically be anything though so the questions I am asking is if a hash can be tampered with via the software to break hashes of passwords and other data that is not related to coin transactions. The answer to this is yes, it is possible. Another use case for subjecting mining software for other uses is through “mining processing charges” these are tasks that are processed by the pool and then the pool charges you a service charge. No one has been researching wether this is really a service charge or something much more sinister. It is absolutlly realistic to think that some mining pools can be tampered or used to finance actitvies that are illegal and or downright amoral. One example is that a mining company was closed down a few weeks ago because the mining wallet address was traced back to Russia and was suspected of financing illegal actitivies in Eastern Ukraine seperatists.
Why talk about where the money goes? Well it is important to find out what types of risks mining rigs and software that is not maintained or poorly configured and has at best a basic type of security (mining rigs need to be accessible to owners when hosted…
If you are going to mine then I suggest heading to Hashflare, nanopool or slush as some good starting points and sites that are used by many newbie miners and older pros alike.
Some examples of mining pools:
Nano pool offers pools and mining software for multiple coins and alt-coins. Some of the coins that nanopool offers are Ethereum, Monero, Pascal, SiaCoin and ZCash.
Wallets and Storage
There are some new ways that people are using in thosands to store and keep thier coins stashed away for a rainy day. Its a simple reason that makes tracking your coin an alt-coin balances without actively trading them somewhere that would also mean you need to pay more taxes. Many of the wallet addresses we are starting to track and trace in an effort to find out how many new wallet theft based attacks are going to countries that require money to finance illegal activties or wars. Black budgets are a fanastic model for crypto-currencies for nation-states to hide in plain site what they are doing. It also makes us normal folks more headaches. Enter the next Risk factor which is syphoning smaller amounts of crypto-currencies to other wallets via breached and backdoored wallet apps. This is a great way in which to hide again in plain sight and get money to other wallet addresses that are used by nation-states in an effort to cause even more disruption in markets and politics (see an earlier post about social botnets).
One word of advice I want to give is knowing the developer of the wallet software you are about to use to store your eCash. We would never give our wallet with actual money to a stranger yet many people starting off in crypto-currencies are doing exactly that! Do research on the wallet app you are about to download and check out the companies plan for charges and functionality as well as which wallet / coins it supports. If you find a wallet that looks to good to be true, it likely is and will syphon off coins from your storage. We have seen these types of attacks increase in the last few months and it will get worse.
Some wallets that we have looked at so far that are being used but also have some issues:
Jaxx Wallet : https://jaxx.io/
Jaxx offers both a mobile phone app as well as a hybrid haardware version.
Ledger Wallet (hardware based usb coin wallet: https://www.ledgerwallet.com/products/ledger-nano-s?utm_source=https://www.disruptordaily.com/top-10-best-cryptocurrency-wallets-for-2017/&utm_medium=affiliate&utm_campaign=887b&utm_content=
Strong Coin, a hybrid solution offering the printout in pdf in order to make sure the platfrom’s owners can not ransom your wallet balance.
The last two we have only seen and heard about. Strongcoin states that they now have more than 126K users / customers. Wallet Ransoming is also a topic that is very real and relevant.
We have been using our systems to track transactions and differnt types of data to find addresses with dark or suspecious “owners”. I would argue we are doing this to protect those of us normal people that want to have a piece of the crypto pie. We are including a short overview that is simular to Banking Trojans of the past that we have traced back to specific countries.
For more details on Operation IHAZCOINS you can see our talk at Defcon Illuminati Party or as we get accepted for more talks.
Talking about risks and threats that can be exploited we also want to talk about how you can protect yourself against these threats, while more details will be released in our customer reports here are a few things we want to give you for free:
Use-Case 1 Tampered Wallet Software that redirects payments to another address. Here you can protect your self by downloading wallets from sources you have verified and know work and are used by senior miners and operators.
Use-Case 2 Pwning Rigs: Here you can make sure that your Windows or better EthOS OS is configured as securely as possible with complex passwords, verifed settings and also verified co-location partners that you have vetted. It makes sense to watch your rigs which is easy with EthOS and the Linux Platform however you do need to recheck for updates and patches weekly as sometimes updates to miner software and OS are sent frequently.
USE-Case 3 Fake Mining Pools: There are mining pools out there that are fake or at the very least questionable. They result in up to half of your time being “shared” mining for your address and the mining facility or pool. Most legitimate pools with take up to 2%, more is questionable and means you need to do more research. The pools I listed above seem to be legitimate whereby hashflare.io enables you to rent mining resources for money. The hope is you mine more than you paid.
Use-Case 4 Wallet Ransom: This use case is something that we are starting to see more off in 2018. In this case your encryption keys are copied on the wallet developers platform or comprimised so that a ransom of wallet balances can be done. We suggest looking at solutions like hybrid wallets or strong coin if you don`t want to risk losing your money.
Using CyberNSight for Risk Intelligence: Many of the IOCs (indicators of compromise or breaches can be found using risk intelligence and our platform helps you identify things like fake mining pools, questionable domains and also potentially breached rigs. The solution gos much deeper focusing on risks rather than threats in an effort to stay ahaed of the game in regards to potential attacks and attackers.
So thats it for now, I hope you liked it. If you want to book me for speaker engagments please contact [email protected] or through the IP Party members. Also check out my Youtube Channel with some of the talks I have done relating to some of the areas in this post. Lastly show some TLC by linking and telling folks about this website. And if you are a CSO,CISO or Manger that is looking to speed up your risk intelligence game, lets talk about getting you set up with our easy solution, no BS, no fancy schmancy marketing slides about how we solve all your problems, just an honest service that works. Some of the worlds bioggest regulators and companies have already trusted us and are happy with the service we provice.
Your Rev. Dr.1D10T