I’ll connect, Do you “mine”? Digging through the Techniques of Cryptomining Attack in a WiFi Network
John Karlo D. Agon & Lovely Jovellee Lyn S. Bruiz, G Data
In 2017, the volume of cryptomining attacks grew by 8,500%, and the highest collective miner revenue recorded amounted to roughly $50 million. It is no wonder that cybercriminals shifted their mindset from blatant extortion, such as the proliferation of ransomware, to a subtler way of acquiring cryptocurrency through cryptomining. Why bother forcing victims to pay a ransom when their machines can be put to work mining for the attacker instead?
Cybercriminals constantly look for new ways to inject coinminers into victims' devices, and one of the more unusual ways to do this is through a wireless connection. In fact, there was an incident at a Starbucks in Buenos Aires, Argentina, where a customer connected to the store's WiFi network and discovered a cryptomining script in a webpage served to them. What makes this interesting is that no similar incidents occurred at other branches, which indicates an isolated, targeted attack on that local network.
To better understand how this attack vector threatens WiFi users, and ultimately to plot possible prevention and mitigation steps, this research explores and replicates the attack on a local WiFi network to mine cryptocurrency. It lays out a holistic view of a cryptomining infection in a WiFi network using a GitHub project called CoffeeMiner, and digs deeper into how the attack redirects all of the victim's HTTP requests to the attacker, who then injects the mining script into every webpage the victim requests by means of mitmproxy, a popular open-source HTTPS proxy and man-in-the-middle framework. The research also demonstrates the versatility of the attack, which can mine several cryptocurrencies such as Monero and Electroneum and affects not only PCs but also mobile devices. Lastly, the paper establishes how this attack can serve as a stepping stone for more advanced types of cryptomining attacks.
More importantly, this research identifies ways to detect and prevent cryptomining attacks on a public wireless connection. Practical approaches such as checking CPU usage, machine behavior and other system modifications are discussed, extending to the installation of browser plugins and extensions such as NoScript, Force HTTPS, No Coin and minerBlock. Moreover, simple techniques and native tools are showcased to identify whether the system is under a man-in-the-middle attack. After all, despite ever-evolving threats such as this one, practical and simple solutions remain proven methods for people to connect safely to the digital network and avoid being "mined".
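As an added illustration of the "native tools" check mentioned above (this is not code from the abstract or from the CoffeeMiner project): the traffic redirection CoffeeMiner relies on is ARP spoofing, so the victim's own ARP cache, as printed by `arp -a`, carries two telltale signs: one MAC address claiming several IPs at once, and the gateway's MAC differing from the one seen on a trusted earlier connection. The script below assumes the Linux `arp -a` line format and works on a constructed sample; the MAC addresses are made up.

```python
import re
from collections import defaultdict

# One line of Linux `arp -a` output looks like:
#   gateway (192.168.0.1) at 00:11:22:33:44:55 [ether] on wlan0
# Incomplete entries ("at <incomplete>") carry no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp(output):
    """Return {ip: mac} parsed from `arp -a` text (MACs lower-cased)."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_mitm_indicators(output, gateway_ip, known_gateway_mac=None):
    """Return human-readable findings that suggest ARP spoofing.

    Check 1: a single MAC answering for several IPs (the spoofing host
             poses as the gateway and as other stations at the same time).
    Check 2: the gateway's MAC differs from a baseline recorded earlier
             on a trusted connection (known_gateway_mac, optional).
    """
    table = parse_arp(output)
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    gw_mac = table.get(gateway_ip)
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: {known_gateway_mac.lower()} -> {gw_mac}")
    return findings

# Constructed sample (fake MACs): one host now answers for the gateway
# and two neighbours; a fourth entry is an ordinary, unrelated station.
SAMPLE_ARP = """\
gateway (192.168.0.1) at aa:bb:cc:dd:cc:cc [ether] on wlan0
? (192.168.0.23) at aa:bb:cc:dd:cc:cc [ether] on wlan0
? (192.168.0.42) at aa:bb:cc:dd:cc:cc [ether] on wlan0
? (192.168.0.7) at 11:22:33:44:55:66 [ether] on wlan0
"""

if __name__ == "__main__":
    for f in find_mitm_indicators(SAMPLE_ARP, "192.168.0.1", "aa:bb:cc:dd:ee:ff"):
        print("WARNING:", f)
```

On a real system, feed it the output of `arp -a` and a gateway MAC noted on a trusted network; a clean cache returns an empty list.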
John Karlo De Mesa Agon
Before joining G DATA, Karlo spent more than 3 years in the threat analysis and reverse engineering area of information security. His experience in creating proactive detections by correlating file metadata was critical in identifying malware and even prevented a ransomware outbreak among his former company's customers. Coupled with his fun and outgoing character, these technical skills helped him blend easily into the team and embrace his role and responsibilities as a Virus Analyst. In his spare time, he enjoys watching movies and anime with his wife, playing mobile and computer games, and reading novels and manga.
Lovely Jovellee Lyn Saligan Bruiz
With almost five years in the information security industry, Lovely's experience includes research, analysis, and creating detection and remediation signatures for malicious software. She is also versed in website analysis for false-positive checking and blocking, and is working with a colleague on a malware sourcing project. In her spare time, Lovely likes to go out with her friends and family for food trips and to explore the different beaches of the Philippines.