Cyber Criminals Are Hijacking Computers for Cryptocurrency Mining

Cryptocurrency mining malware may end up being a bigger problem than WannaCry

Organizations that think they dodged a bullet when their older systems did not fall prey to the WannaCry ransomware may want to think again. Weeks prior to the WannaCry attacks, a group of hackers was taking advantage of the same Windows vulnerabilities that WannaCry exploited. Instead of locking down systems with ransomware, these cyber criminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Not only did users have no idea their machines had been turned into cryptocurrency mining zombies, but Adylkuzz acted as a sort of vaccine for machines against the WannaCry malware so that mining operations would continue unimpeded. So, in a bizarre twist, had it not been for Adylkuzz, the WannaCry attacks may have been even larger and more destructive.

That’s not to say Adylkuzz is benign. Just as WannaCry was a warning shot for the destructive potential of ransomware, Adylkuzz sounded the alarm about the next threat on the horizon: cryptocurrency mining malware.

Cryptocurrency 101

Cryptocurrencies are digital or virtual currencies that use cryptography to prevent counterfeiting. They are distinguished from “fiat currency” – the dollars, euros, and other money issued by governments – because they are not issued by a central authority, nor do they represent debts. They are sometimes referred to as “hard” or “sound” money and are more similar to gold bars than dollar bills. The most well-known and widely used cryptocurrency is Bitcoin, which was invented in 2009 as a byproduct of the blockchain technology that enables it.

Although there is nothing inherently nefarious about cryptocurrencies, they have come under fire for their popularity among cyber criminals. While many perfectly legitimate businesses accept payment in Bitcoin, it also is the de facto currency of the Dark Net, and most ransomware variants demand payments be rendered in it.

New units of digital currencies are created through a process known as cryptocurrency mining. “Miners” solve highly complex cryptography problems that allow them to add blocks to the blockchain, and they are rewarded for their efforts with free cryptocurrency units. To prevent devaluation, all digital currencies have a cap on how many units can ultimately be mined; Bitcoin’s cap is 21 million units and, as of this writing, about 5 million are left to be mined.
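The “complex cryptography problems” miners solve are proof-of-work puzzles: find a nonce whose block hash falls below a target. The simplified miner below is an added illustration, not code from the original post or from any real cryptocurrency; the header layout, payload and hex-zero-prefix target are constructed assumptions. It shows why every extra unit of difficulty multiplies the processing power needed, while checking a solution stays cheap.

```python
import hashlib


def block_hash(prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over a constructed, simplified block header."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()


def meets_target(digest: str, difficulty: int) -> bool:
    """The puzzle is 'solved' when the hash starts with `difficulty` hex zeros."""
    return digest.startswith("0" * difficulty)


def mine(prev_hash: str, data: str, difficulty: int, max_nonce: int = 10_000_000):
    """Brute-force nonces until the hash meets the target.

    Returns (nonce, hash, attempts). Every attempt costs one SHA-256 and there is
    no shortcut, which is exactly why mining consumes so much CPU time.
    """
    for nonce in range(max_nonce):
        digest = block_hash(prev_hash, data, nonce)
        if meets_target(digest, difficulty):
            return nonce, digest, nonce + 1
    raise RuntimeError("no solution found within max_nonce")


def expected_attempts(difficulty: int) -> int:
    """Each additional hex zero makes a valid hash 16x rarer on average."""
    return 16 ** difficulty


def verify(prev_hash: str, data: str, nonce: int, difficulty: int) -> bool:
    """Validating a claimed solution costs a single hash: cheap for everyone else."""
    return meets_target(block_hash(prev_hash, data, nonce), difficulty)


if __name__ == "__main__":
    prev = "0" * 64  # constructed genesis-style previous block hash
    payload = "constructed block payload"
    for d in (1, 2, 3, 4):
        nonce, digest, tries = mine(prev, payload, d)
        print(f"difficulty={d} expected~{expected_attempts(d):>6} "
              f"attempts={tries:>7} hash={digest[:16]}...")
```

Running it shows the attempt count climbing roughly sixteenfold per difficulty step, which is the economic reason a miner without specialized hardware is tempted to borrow other people's CPUs.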

Cryptocurrencies have another failsafe to prevent devaluation and other forms of abuse: The problems miners must solve suck up enormous amounts of processing power, which means that miners who want to use their own equipment are looking at a capital investment in highly specialized hardware. For those who don’t want to spend the money, cryptocurrency mining malware such as Adylkuzz has emerged. Although Adylkuzz takes advantage of the same Windows vulnerabilities as WannaCry, it behaves more like the Mirai botnet. It does not lock down systems or access data; instead, it goes after a machine’s processing power, hijacking it and using it to mine units of a Bitcoin competitor called Monero, a “next-generation” cryptocurrency that is growing in popularity among cyber criminals because it promises even stronger anonymity than Bitcoin.

Adylkuzz has proven to be far more lucrative than WannaCry; it’s estimated that rogue Monero miners have raked in 10 times more money than the WannaCry hackers. It’s also not the only cryptocurrency mining malware in town. There’s malware that exploits a Samba bug to attack Linux machines, and, in a surprising twist, another form of malware that goes after Raspberry Pi devices, tiny computers that are popular among tech enthusiasts. While it may seem counterintuitive to target such a small machine, the idea is not to hijack one device but tens of thousands, as the Mirai botnet did, and harness the combined power of a “zombie army.”

Protecting Your Systems from Cryptocurrency Mining Malware

One of the reasons why Adylkuzz and similar malware are so successful is that many victims have no idea they’ve been hijacked. The symptoms of an infection are vague, consisting of general system sluggishness and a loss of access to shared network resources.

Critics of cryptocurrencies have long been calling for governments to regulate or even ban them, and WannaCry and Adylkuzz have added fuel to their arguments. However, because of the very nature of cryptocurrencies, any attempts to legislate them face a protracted, uphill battle. The best defense against cryptocurrency mining malware is to employ the same proactive cyber security measures used to defend against ransomware, data breaches, and other cyber attacks: ensure that all systems and software are up-to-date; install new manufacturer patches as soon as possible; always change manufacturer default passwords; perform regular penetration testing; continuously monitor networks for anomalies; and address the human factor by training employees on cyber security best practices.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Medical Device Security Is Largely Nonexistent

A new report by Synopsys and the Ponemon Institute finds that medical device security is plagued by a lack of standards, testing, and accountability.

Healthcare organizations tend to focus their cyber security efforts on HIPAA compliance, protecting patient data, and defending against ransomware attacks like WannaCry, with scant, if any, attention paid to medical device security. A Ponemon Institute study released last week by Synopsys, Medical Device Security: An Industry Under Attack and Unprepared to Defend, paints an ominous picture regarding the cyber security of IoT devices such as smart insulin pumps, diagnostic and monitoring equipment, and even the mobile apps used to control connected devices:

  • 67% of medical device manufacturers expect that their devices will be hacked within the next 12 months, but only 17% are taking “significant steps” to prevent it.
  • 56% of healthcare delivery organizations (HDOs) expect a hack within the next 12 months, but only 15% are doing anything about it.
  • Fewer than half (41%) of device manufacturers have an incident response plan in place in the event of a hack.
  • Among HDOs, the numbers are even worse; only 22% have an incident response plan.
  • Only 9% of device manufacturers and 5% of HDOs test their medical devices at least yearly. Over half of HDOs, and 43% of manufacturers, either do not test their devices at all or are “unsure if testing occurs.”

No Testing, No Standards, No Accountability: What Could Possibly Go Wrong?

One would think that, given the fact that a faulty connected medical device could result in a dead or maimed patient, these devices would be subject to strict regulations and exacting security standards.

This is not the case at all. Medical device security is no more robust than general IoT security. The respondents to the Synopsys/Ponemon study cited a complete lack of security standards, testing, and accountability for medical device security, along with intense pressure to push products to the market as soon as possible. These are the same problems that plague the overall connected devices industry. Smart watches, smart doorbells, smart toys, and even smart cars are designed for ease of use and cutting-edge features, not cyber security.

Smart medical devices are no different. The FDA does have a set of voluntary guidelines addressing medical device security, but according to the study, only 51% of manufacturers and 44% of HDOs followed them.

Medical Device Security Cannot Be Reactive

Perhaps the most horrifying finding from this already frightening report is that most device manufacturers and HDOs stated that only a “serious hacking incident” would prompt their organizations to increase their medical device security budgets. Yes, you read that correctly: The majority of players in the medical device industry are relying on reactive cyber security, waiting until a breach has actually happened – which, in this case, could mean that someone dies or is maimed – to address device vulnerabilities.

Last fall, medical device maker St. Jude Inc. announced that it was forming a medical advisory board focused specifically on medical device security. This is a positive step, but it happened only after allegations that its smart cardiac implants were vulnerable to hacking, which prompted an investigation by the FDA.

The current reactive approach to medical device security is completely unacceptable. Knowing this, the FDA has cited the cyber security of medical devices as one of its top regulatory science priorities in 2017. However, the wheels of government turn very slowly; manufacturers, HDOs, and patients cannot afford to wait for the government to step in and save the day. The healthcare industry needs to start taking the same proactive approach to cyber security that it does to disease prevention. This isn’t just about money or reputation; human lives depend on it.

WannaCry Ransomware Attack Forcing Everyone to Pay Attention to Cyber Security

The WannaCry ransomware attack was the end result of years of ignorance on the part of governments, private-sector firms, and the public regarding how serious cyber threats have become.

The 2016 Shadow Brokers NSA hack came home to roost in a big way last week, when a code execution vulnerability contained in the Shadow Brokers WikiLeaks dump was used to launch the largest ransomware attack in history. The WannaCry ransomware strain, also known as WannaCrypt, Wana Decryptor, and WCry, hit hundreds of thousands of computers in 150 countries before it was halted – temporarily – when a security analyst stumbled upon a “kill switch” in the code. However, even the analyst who discovered the kill switch emphasized that the fix was, indeed, temporary; reports of new variants are emerging, and the kill switch does nothing to help the armies of machines that have already been infected.

WannaCry wreaked havoc on companies in numerous industry sectors, including French car manufacturer Renault and Spanish telecommunications giant Telefonica, but perhaps the starkest illustration of the damage was what it did to Britain’s National Health Service (NHS). The Guardian reports that 45 NHS facilities were infected, forcing hospitals to redirect ambulances, postpone treatments for cancer patients, and warn patients of delays overall.

Organizations in the U.S. were fortunate; a Department of Homeland Security spokesperson told NPR that the number of WannaCry ransomware victims stateside was “very small.” But that’s only because of luck – and luck eventually runs out.

WannaCry Ransomware Took Advantage of Old, Unsupported Systems

The WannaCry ransomware nearly exclusively impacted enterprise machines, not home computers, because the latter are more likely to be running updated operating systems, and WannaCry exploits a vulnerability in Windows XP up through Windows Server 2012. Microsoft released a patch for the newer end of that range in March, but the company stopped supporting some of the older systems in the group, including Windows XP and Windows 2000, years ago. After the WannaCry attack, Microsoft took the highly unusual step of issuing an “emergency patch” for Windows XP, Windows 8, and Windows Server 2003.

As soon as WannaCry hit, the buck-passing commenced. The British media attacked the government for not sufficiently funding the NHS. Microsoft criticized the NSA for not properly securing its cyber-weaponry. Meanwhile, Microsoft itself came under fire for not issuing security updates for legacy systems that it knew were still in wide use. Security experts reiterated the age-old warnings to organizations about keeping their systems updated and engaging in proactive measures to prevent attacks like WannaCry.

Do We Have Your Attention Now?

The WannaCry ransomware attack shouldn’t have surprised anyone. Cyber security experts have been warning about large-scale attacks on critical infrastructure for years, and there have been numerous smaller-scale ransomware attacks on U.S. emergency services. The only surprising things are that it took so long for something like this to happen, and that the United States was not hit as hard as the rest of the world, particularly since preliminary evidence indicates that WannaCry may be the work of the same North Korean hackers who were behind the Sony Pictures email hack and last summer’s SWIFT network attack on a bank in Bangladesh.

American healthcare facilities are plagued with the same cyber security problems as the NHS, including antiquated legacy systems and an unwillingness on the part of organizations to invest in proactive cyber security measures. Other industries aren’t doing that much better, including the government. After all, the exploit that started all of this was stolen from an American spy agency. If the NSA cannot properly secure its systems, what does that say about everyone else?

The WannaCry attacks are the natural end result of the government, private-sector organizations, and the public engaging in reactive cyber security at best, and remaining ignorant of cyber security at worst. Mere days before WannaCry hit, the Trump Administration issued an executive order commanding the federal government to get its cyber security house in order. Private-sector organizations and, yes, individuals need to do the same. Everyone needs to be aware of the seriousness of engaging in proactive cyber security best practices and the severe potential consequences of not doing so.

Thanks to WannaCry, everyone now knows what ransomware is and what it’s capable of doing. The question is, what are we going to do with this information?
