crypto mining Archives - CISO MAG | Cyber Security Magazine

‘Illegal Crypto Mining is a Huge Drain on a Nation’s Power Resources’
Fri, 21 Jan 2022 10:30:52 +0000 | https://staging-cisomagcom.kinsta.cloud/crypto-mining/
Hackers and ransomware groups have benefitted immensely by leveraging blockchain and cryptocurrencies to secure multi-million-dollar payouts. Cryptocurrency transactions are untraceable and not regulated by any government or authority. But hackers are now taking this further by attacking crypto exchanges and stealing coins from user wallets. They also indulge in illegal crypto mining activities – using thousands of compromised computers to mine coins. Crypto mining draws a great amount of electricity from the grid, and this has caused power shortages in some countries.

CISO MAG got in touch with Amit Jaju, a Senior Managing Director with Ankura Consulting, to discuss these challenges. It was startling to learn from Amit that global temperatures will increase by two degrees by 2024 due to crypto mining activities. You will be amazed to learn how much power is consumed for every cryptocurrency transaction when the blockchain ledgers are updated. During our discussion, Amit offered some suggestions for how crypto exchanges can protect user wallets. He also suggests what regulators and governments can do to protect consumers.

Amit leads the Data & Technology Segment at Ankura Consulting in India. He has over 17 years of experience in forensic technology consulting covering data analytics, cyber, e-discovery, software licensing, and information governance. He has created market-leading solutions around financial crime, cyber incident response, analytics, and software licensing and delivered engagements for global and Indian clients in over 20 countries. His experience spans multiple sectors, including Financial Services, Information Technology, Pharmaceuticals, and Media & Entertainment.

He has led many complex global data analytics engagements, including implementing and managing enterprise-wide fraud and AML monitoring solutions for banks and implementing terrorism monitoring over the internet for defense services. He has delivered sanctions diagnostics, and investigation engagements across Europe and the Middle East for large US sanctions matters and has developed a sanctions analytics platform to deliver end-to-end sanctions diagnostics and monitoring.

Before joining Ankura, Amit was a Senior Managing Director and India head for FTI Consulting, and a Partner with Ernst & Young for nine years as Head of Forensic Technology in India and Markets, where he was responsible for setting up and leading Forensic Technology in EMEIA. Before EY, Amit was the Forensic Technology lead at KPMG in India for five years. Before joining the Big Four, Amit worked with a boutique information security consulting firm.

Edited excerpts from the interview follow:

We have seen a lot of illegal crypto mining activities around the world in countries like Iran, Venezuela, Malaysia, the UK, Kazakhstan, and the U.S. Tremendous computational power is required for Bitcoin mining, which even leads to power outages directly impacting electricity prices. Are there any studies to back this? What impact will this have on the environment and resources like power?

That is a very important point, and it is getting missed out in many conversations around crypto. I think this is one of the most important points on adopting crypto and the blockchain itself. A few months ago, I made a LinkedIn post to initiate a conversation with my network on this aspect. One study said that just with crypto mining, the global temperature will shoot up by two degrees centigrade by 2024. That is two degrees in two years, and it is a significant increase.

A Cambridge Institute study says that around 0.5% of global electricity production could be utilized by crypto mining. That is roughly the annual energy utilization of small countries like Sweden or Malaysia. That is how bad it is. And when you look at carbon emission, we have some data points, but of course, it needs further verification. I see a trend in terms of where all the numbers are. So, just for larger countries where a lot of this mining is happening, for instance, in China, they say that 130 million metric tons of CO2 is the net contribution.

I talked to a friend of mine running a carbon credit trading company. It is a listed company. I was surprised by the numbers he gave me. And very few know about these numbers. Look at it in terms of a single cryptocurrency transaction. You are running complex mathematical calculations to validate that transaction. This requires tremendous computational power, which consumes a lot of power. In terms of energy consumption, if you do a Bitcoin transaction, it uses the equivalent power to process two million standard credit card transactions. That is the energy it takes to watch up to 160,000 hours of YouTube videos. So, imagine YouTube servers running and consuming all that energy. You have to watch 160,000 hours of video for one Bitcoin transaction because you need certain numbers of confirmations to validate a transaction at the end of it. This transaction will replicate across all ledgers at the end of the day. So, by the time that replication happens, that is the amount of energy it will use. In simpler terms, it is equivalent to 70 days of the total energy that a typical U.S. household will consume for one Bitcoin transaction.

What impact could this have on the energy resources of a nation? How do governments address this?

I think we need to at least start talking about the problem. Awareness related to the environmental impact of cryptocurrency and crypto mining is not at the forefront. We need to discuss it, get different experts to provide their opinions, and formulate some policies. You must create a framework around it and involve the experts. For example, if you need to identify illegal crypto miners who use hundreds or thousands of machines for illegal crypto mining, you need to use data analytics for that. In Venezuela, for instance, they have a history of illegal miners, and because of this, they had a power crisis. So, they used data analytics to identify 100 miners and take legal action.

We need regulation and then analytics. I know India has a draft bill on cryptocurrencies. It will be interesting to see whether crypto mining is addressed in it — or is it just about trading cryptocurrencies, because mining itself is an important piece. This is especially true for India, where most of our power gets generated from non-renewable sources. Today, we are fast moving towards renewable sources. And I have seen that a lot of miners go towards colder regions. That is because less cooling is required, and it is a very thin margin kind of enterprise. So, if you can reduce your cooling bill, that is a lot of savings. It is generally concentrated towards colder regions of the world where they do that. I think governments need to proactively address this through various means.

Cryptocurrency exchanges are the new attack targets for hackers. A recent example is BitMart, which lost approx. $150mn in cryptocurrency assets. Attackers had stolen a private key and compromised two of the exchange’s hot wallets on the Ethereum (ETH) blockchain and the Binance Smart Chain (BSC), making off with approximately $150 million worth of assets in a “large-scale security breach.”

What can the exchanges do to protect themselves and their users? What do users need to do to protect their hot wallets? Since these are not centrally regulated, what kind of legal provisions are in place to enable the exchanges to penalize attackers when they are traced?

We have seen how the big exchanges were brought down completely, and some went out of business overnight. And that is the weak link; crypto exchanges do not only make trades, but they are quasi custodians of your wallet, and they have access to your wallet because your private key is stored with them. It is on the blockchain, though. It is impossible to offer 100% protection for exchanges, because cyber is an area where you always have to plan for contingencies.

But I am reading more about the zero-trust model, which I think is valuable for exchanges. It is often an insider attack, or the attack vector is within the company, which gets exploited. It could be an employee or vendor who has access to maintenance. Or perhaps a developer writing the code for the trading platform has intentionally created some backdoors. There are incidents where ransomware hackers pay employees a commission of up to 20% to run a file on the server. You can never rule out insider involvement.

To address this, you need to look at independent custodians; for our capital market exchanges, we have CDSL (Central Depository Services Limited) and NSDL (National Securities Depository Limited) as independent custodians of our Demat accounts. That is where our shares reside. So, these independent custodians will ask us for an OTP verification for the transaction – and not the exchanges. Similarly, we could have independent custodian firms as custodians of the wallets. There could be a model where the offline wallets are with the end customer. And the offline wallet could automatically sync with the exchanges. So, the exchanges are not keeping your coins or tokens.

The offline wallet (cold wallet) could be backed up to a USB pen drive, laptop, or phone. It could be on a piece of paper. You could print out certain words, and that is your coin. So having a tiered approach to storing these coins is more secure. On the other hand, having all your coins with the exchange is risky because they also have your private key.

So, to strengthen their defenses, a zero-trust model with independent custodians, plus a hybrid wallet model, also de-risks the exchanges. Of course, that will result in some disruption to their business models. For example, some exchanges deposit your coins for an annual percentage return. This may not be possible in such cases, but the risk is far higher for an exchange that has your wallets online with them (hot wallets).

Are you suggesting a mix of cold and hot wallets? What else could be done to ensure resiliency and minimize downtime due to code vulnerabilities being exploited?

Yes, hybrid wallets. You have the wallet at the exchange keeping the user data, but then it gets transferred at T+1 or end of day to the user’s wallet (cold wallet), which resides with them offline. Both cold and hot wallets could be used during a trading session.

I think trading platform resilience is very important. That is always the case, with capital market exchanges or crypto exchanges. Trading platforms are high-frequency platforms, so you have millions of texts transmitted in one second, resulting in an order getting placed. The coding of that must be robust to facilitate the performance. But at the same time, looking at it from a security perspective is very important. It is about making sure every source code or application developed is reviewed thoroughly by multiple parties. Changes should be tracked from a security perspective, not just a functionality perspective. If something goes down, they should revert to the older version to ensure that the exchange runs. Crypto exchanges run 24×7, unlike our capital market exchanges, which shut down in the afternoon or the evening. Market exchanges have time for maintenance and upgrades. But that is more difficult for crypto exchanges since they run 24×7. So, they must have backup environments. And it’s slightly complicated, but by ensuring that the trading platform is thoroughly checked, they can provide defenses to implement two-factor at every stage. And when you implement a zero-trust model, a lot of that gets addressed.

What do you see as the big trends coming in 2022? What are the opportunities that exist?

I closely monitor the developments around quantum computing. Some companies are very close to building a retail version of a quantum computer. Whenever such a computer is available, it will transform this space overnight.

I also look at the zero-trust model and how it is evolving because I think that is a very good model to address all the challenges we face with our existing perimeter security and access control model.

I am also looking at the personal data protection regulation and the new challenges and opportunities that it will create. Compliance is a challenge for corporations trying to protect their data assets. It is also about individuals knowing their privacy rights and options if that data gets stolen or compromised.

There are opportunities too. The multinationals will have to build an infrastructure within India to address all the data-related challenges within the country (data residency). There is a huge demand for workforce and technology components, which India can address because we have a lot of talent. But we must see how different sectors adopt it. We already see financial services adapting to data localization, even though some companies take longer. I am seeing this with other industries such as pharmaceutical and life sciences, from data privacy and data confidentiality perspectives. Here they will focus more on protecting their IP and their data within the country. I see the measures they must put in place because these companies also deal with sensitive personal information of many people.

Take hospitals, for instance. Many U.S. hospitals have been impacted by ransomware in the past two years because they have sensitive personal data. Hackers know that they will not benefit much if they attack a steel company. But hospitals have critical data on which they rely for their operations, so the risks are higher.

In terms of technologies, we will see more use cases for blockchain. It will be used for transmitting documents and maintaining integrity, which is crucial.

Cybersecurity and forensics will also use blockchain. If you have an evidence chain of custody logs, how do you maintain the integrity and authenticity of that data? This is most important when something goes wrong. The insider threat is an area where companies will not trust a user because they are employees. They have to look at a customer, a vendor, or an employee, and observe how they behave. Based on that, they will profile the person and then create rules and access controls around the person’s behavior. Machine learning will play a key role because it is a rule-based analysis, and it cannot be done manually. All of this will be machine learning-based with human input for authorization. We will see more use of machine learning and artificial intelligence in cybersecurity. This is a space to watch out for.


About the Interviewer

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).


WatchDog Cryptojacking Campaign Running for Over Two Years
Tue, 23 Feb 2021 16:02:45 +0000 | https://staging-cisomagcom.kinsta.cloud/watchdog-cryptojacking-campaign-running-for-over-two-years/

Cyberattacks on cryptocurrency exchanges and crypto wallets have become rampant as cybercriminals often target cryptocurrencies, whose net-worth is increasing day by day. Numerous hacks and heists have been reported in the cryptocurrency sector, where threat actors target crypto exchanges to deploy crypto-mining botnets on unsecured systems to siphon the crypto assets.

Security researchers from Palo Alto have recently uncovered a cryptocurrency-mining malware dubbed WatchDog targeting Monero cryptocurrency for more than two years.

WatchDog is one of the largest and longest-lasting Monero cryptojacking operations known to exist. The WatchDog mining operation has been active since January 27, 2019, and its threat actors have harvested over 209 Monero (XMR), valued at around $32,056. They compromised and exploited around 476 Windows and Linux systems to mine Monero cryptocurrency.

The WatchDog Infection

Researchers found that the WatchDog operation uses the same Go binaries to run its mining operations across different operating systems. They have identified 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset.

“The WatchDog miner is composed of a three-part Go Language binary set and a bash or PowerShell script file. The binaries perform specific functionality, one of which emulates the Linux Watchdog daemon functionality by ensuring that the mining process does not hang, overload, or terminate unexpectedly. The second Go binary downloads a configurable list of IP addresses net ranges before providing the functionality of targeted exploitation operations of identified NIX or Windows systems discovered during the scanning operation. Finally, the third Go binary script will initiate a mining operation on either Windows or NIX operating systems (OS) using custom configurations from the initiated bash or PowerShell script,” the researchers said.

Reports also suggest that malicious cryptojacking operations are currently estimated to affect 23% of cloud environments, up from 8% in 2018. This increase is primarily caused by the meteoric rise in cryptocurrencies’ valuation.

What is Cryptojacking?

In cryptojacking, cybercriminals perform malicious crypto-mining operations on systems that are not owned by the mining operators. Malicious crypto-mining happens when threat actors compromise computers, laptops, and mobile devices by deploying malicious software to mine or steal cryptocurrencies owned by others.

Lemon Duck Quacks Again with its Cryptocurrency-Mining Botnet
Sat, 17 Oct 2020 12:48:52 +0000 | https://staging-cisomagcom.kinsta.cloud/lemon-duck-quacks-again-with-its-cryptocurrency-mining-botnet/

Researchers from Cisco Talos discovered a cyber campaign leveraging a multi-modular botnet to mine Monero cryptocurrency. The campaign, dubbed “Lemon Duck,” uses a cryptocurrency mining payload that consumes the compromised computer’s resources and spreads the malware through various methods, such as sending infected RTF files by email, psexec, WMI, and SMB exploits, including the infamous EternalBlue and SMBGhost vulnerabilities that affect Windows 10 machines. Cisco’s researchers also stated that the Lemon Duck attackers use tools like Mimikatz to increase the number of systems participating in their mining pool.

While the Lemon Duck operators have been active since the end of December 2018, the researchers noticed an increase in activity at the end of August 2020. The attacks originated in Asia, in countries including the Philippines, Vietnam, and India. Some malicious activity has been recorded in Iran and Egypt, and there are infected devices in the U.S. and Europe as well.

How Lemon Duck Operates

Cisco’s researchers revealed that the Lemon Duck actors use over 12 independent attack vectors to distribute their malware payload. This includes compromising Windows devices by exploiting the BlueKeep vulnerability that exists in some versions of Windows. On Linux devices, the attackers target vulnerabilities in Redis and YARN Hadoop.

They also send malicious attachments and spam emails to spread the malware. Once the malware is downloaded on the victim’s device, it installs a PowerShell script that disables the system’s security features to evade detection. “Its final delivered payload is a variant of the Monero cryptocurrency mining software XMR. It is one of the more complex mining botnets with several interesting tricks up its sleeve. Although it has been documented before, we have recently seen a resurgence in the number of DNS requests connected with its command and control and mining servers,” Cisco researchers said.

“Defenders need to be constantly vigilant and monitor the behavior of systems within their network to spot new resource-stealing threats such as cryptominers. Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure,” the Cisco researchers added.

TNT’s Cryptomining Worm Built to Steal AWS Credentials
Thu, 20 Aug 2020 15:43:07 +0000 | https://staging-cisomagcom.kinsta.cloud/tnt-cryptomining-worm-steal-aws-credentials/

It is not just a double whammy! Researchers at the cybersecurity firm Cado Security say TNT’s cryptomining worm also steals AWS credentials, reportedly a first of its kind. Operated by a notorious group called TeamTNT, the worm has been active and known since at least April 2020. It has already compromised many Docker and Kubernetes systems and was recently upgraded with credential-stealing functionality.

How it Works

The AWS CLI stores credentials in an unencrypted file at ~/.aws/credentials. The malware steals this information by exfiltrating the credentials file, along with the additional configuration stored in ~/.aws/config, to the attackers’ server. To test the modus operandi, the researchers sent credentials created with CanaryTokens.org to the TNT group. However, these have not been used yet. This indicates that TNT either manually assesses and controls the use of stolen credentials or has an automated function that is currently offline.
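A defender-side check for the file the worm targets, added here as an example (not Cado Security's code): it parses ~/.aws/credentials, reports profiles holding long-lived IAM keys that would stay valid after exfiltration, and checks that the file is not readable by other users. The sample file contents are constructed; the AKIA/ASIA key prefixes are AWS's documented conventions for permanent and temporary keys.

```python
"""Audit an AWS shared-credentials file for the long-lived keys a worm can carry off.

The TeamTNT worm copies ~/.aws/credentials and ~/.aws/config to the attackers'
server. Anything stored there as a permanent access key stays valid until it is
rotated; temporary STS credentials expire on their own. This audit parses the
INI-style file, classifies every profile, and checks the file mode.
Added example, not Cado Security's code; the sample contents are constructed.
"""
import configparser
import os
import stat
from typing import Dict, List

LONG_TERM_PREFIX = "AKIA"   # IAM user access keys (permanent until rotated)
TEMPORARY_PREFIX = "ASIA"   # STS-issued keys (expire, paired with a session token)

# Constructed stand-in for ~/.aws/credentials. All secrets are dummy strings.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = exampleSecretExampleSecretExampleSecret01

[ci-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = exampleSecretExampleSecretExampleSecret02
aws_session_token = exampleSessionTokenExampleSessionToken02

[sso-dev]
sso_start_url = https://example.awsapps.com/start
sso_role_name = Developer
"""


def parse_credentials(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the shared-credentials INI format into {profile: {key: value}}."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def classify_profile(values: Dict[str, str]) -> str:
    """Return 'long-lived', 'temporary' or 'no-static-key' for one profile."""
    key_id = values.get("aws_access_key_id", "")
    if not key_id:
        return "no-static-key"          # SSO, role or credential_process profile
    if "aws_session_token" in values or key_id.startswith(TEMPORARY_PREFIX):
        return "temporary"
    return "long-lived"                 # AKIA (or unknown) key with no session token


def audit_credentials(text: str) -> Dict[str, str]:
    """Classify every profile in the file text."""
    return {profile: classify_profile(values)
            for profile, values in parse_credentials(text).items()}


def long_lived_profiles(text: str) -> List[str]:
    """Profiles whose theft hands an attacker a key that never expires on its own."""
    return sorted(p for p, v in audit_credentials(text).items() if v == "long-lived")


def mode_is_loose(mode: int) -> bool:
    """True if a file mode grants read access to group or others (0600 is expected)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path: str) -> Dict[str, object]:
    """Audit a real credentials file: per-profile verdicts plus a permission check."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {"profiles": audit_credentials(text),
            "long_lived": long_lived_profiles(text),
            "loose_permissions": mode_is_loose(os.stat(path).st_mode)}


if __name__ == "__main__":
    default_path = os.path.expanduser("~/.aws/credentials")
    if os.path.exists(default_path):
        print(audit_file(default_path))
    else:
        print("no ~/.aws/credentials found; auditing the constructed sample instead")
        print(audit_credentials(SAMPLE_CREDENTIALS))
        print("long-lived:", long_lived_profiles(SAMPLE_CREDENTIALS))
```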

The Extra Baggage

On the infected systems, the malware searches local credentials for exfiltration and scans the Internet for misconfigured Docker platforms to enable lateral spread. Post exploitation, the worm deploys the XMRig mining tool to mine Monero cryptocurrency. The researchers said that one of the campaigns has already earned TNT about 3 XMR which is worth $300.

Once the system is compromised, the worm also deploys some other payloads and offensive security tools, such as punk.py (SSH post-exploitation tool), a log cleaning tool, Diamorphine rootkit, and the Tsunami IRC backdoor.

Closing Notes

The research team tracking TNT’s movement spotted a link to the malware-hosting domain teamtnt[.]red, which features a homepage titled “TeamTNT RedTeamPentesting.”

The TNT worm contains code copied from a previously known worm, Kinsing. The researchers believe that most cryptomining worms inherit their code from their predecessors, so defenders should expect future threats of this kind to include the ability to steal AWS credentials as well.

WordPress Websites Infected with Fake Plugins
Mon, 21 Oct 2019 11:18:34 +0000 | https://staging-cisomagcom.kinsta.cloud/fake-wordpress-plugins/

For beginners, bloggers, and corporates alike, the WordPress platform is a favorite, mainly because of how easy it makes creating and maintaining personalized websites using a wide range of WordPress plugins. These plugins are easy to use, creative, and free, but at times also fake and malicious. Research conducted by the website security company Sucuri has raised a flag for website developers and security personnel.

Reports suggest that fake plugins with names like “initiatorseo” or “updrat123” were used by hackers to gain and maintain backdoor access to compromised websites. It was observed that the internal code of these fake plugins differs from one to the next, but they share a similar structure and the header comments of the popular backup/restore plugin UpdraftPlus. The researchers stated that, “The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23, 2019.”

These fake plugins are easily created by hackers with readily available resources, or by adding web shells to the source code of the original plugin. The reason these fake WordPress plugins remain hidden from the user is that they do not show up in the user’s WordPress Dashboard unless the visitor is using a browser with a specific User-Agent string. Once a plugin has established a backdoor entry, the attack on the website is carried out through it. The hackers are notified of the server’s GET request, to which they respond with a POST request containing infected files. These malicious files or web shells are then placed in the website’s root directories. The researchers also mentioned that “compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or crypto mining.”
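An added example (not Sucuri's tooling) that turns the header-copying observation into a check: it parses the WordPress plugin header of each directory's main file and flags directories whose Plugin Name/Version/URI triple duplicates another plugin's while the directory name is unrelated to the declared name. The plugin files, URIs, and author string below are constructed stand-ins; only the plugin names and the version 1.16.16 come from the report.

```python
"""Flag WordPress plugin directories that reuse another plugin's header comment.

The fake plugins "initiatorseo" and "updrat123" carried header comments copied
from UpdraftPlus 1.16.16, so they looked legitimate at a glance. This audit
parses the standard header fields of each plugin's main file and flags
directories whose Plugin Name/Version/URI triple duplicates another plugin's
while the directory name has nothing to do with the declared name.
Added example, not Sucuri's tooling; the plugin files below are constructed.
"""
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Version", "Author")

# Constructed stand-in for the copied UpdraftPlus header (URI and author are placeholders).
COPIED_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Plugin URI: https://example.com/updraftplus-placeholder
Description: Backup and restoration (constructed header text)
Version: 1.16.16
Author: example-author-placeholder
*/
"""

# Constructed plugin tree: {path relative to wp-content/plugins: file contents}.
SAMPLE_FILES = {
    "updraftplus/updraftplus.php": COPIED_HEADER + "// genuine plugin code (omitted)\n",
    "initiatorseo/initiatorseo.php": COPIED_HEADER + "// backdoor body (omitted)\n",
    "updrat123/updrat123.php": COPIED_HEADER + "// backdoor body (omitted)\n",
    "example-plugin/example-plugin.php": (
        "<?php\n/*\nPlugin Name: Example Plugin\n"
        "Plugin URI: https://example.com/example-plugin\nVersion: 2.0\n*/\n"
    ),
    "example-plugin/includes/helper.php": "<?php\nfunction example_helper() {}\n",
}


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Mirror WordPress's get_file_data(): scan the first 8 KiB for 'Field: value' lines."""
    head = source[:8192]
    header = {}
    for field in HEADER_FIELDS:
        match = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M)
        if match:
            header[field] = match.group(1).strip()
    return header


def normalize(text: str) -> str:
    """Lower-case and drop punctuation so 'UpdraftPlus - Backup/Restore' and 'updraftplus' compare."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def signature(header: Dict[str, str]) -> Tuple[str, str, str]:
    """The triple that a copied header block carries over unchanged."""
    return (header.get("Plugin Name", ""), header.get("Version", ""), header.get("Plugin URI", ""))


def main_plugin_headers(files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each plugin slug (top-level directory) to the header of its first file declaring a Plugin Name."""
    headers: Dict[str, Dict[str, str]] = {}
    for path in sorted(files):
        slug = path.split("/", 1)[0]
        if slug in headers or not path.endswith(".php"):
            continue
        header = parse_plugin_header(files[path])
        if "Plugin Name" in header:
            headers[slug] = header
    return headers


def find_suspicious_plugins(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {slug: [reasons]} for plugin directories that look like header copies."""
    headers = main_plugin_headers(files)
    by_signature = defaultdict(list)
    for slug, header in headers.items():
        by_signature[signature(header)].append(slug)

    findings: Dict[str, List[str]] = defaultdict(list)
    for slug, header in headers.items():
        name, slug_norm = normalize(header["Plugin Name"]), normalize(slug)
        slug_matches_name = slug_norm in name or name in slug_norm
        twins = sorted(s for s in by_signature[signature(header)] if s != slug)
        if twins and not slug_matches_name:
            findings[slug].append("header identical to plugin(s) " + ", ".join(twins))
        elif not slug_matches_name:
            findings[slug].append("directory name unrelated to declared Plugin Name")
    return dict(findings)


def load_plugin_dir(root: str) -> Dict[str, str]:
    """Read a real wp-content/plugins tree into the {relative path: contents} shape used above."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


if __name__ == "__main__":
    for slug, reasons in find_suspicious_plugins(SAMPLE_FILES).items():
        print(f"{slug}: {'; '.join(reasons)}")
```

Run it against a live install with `find_suspicious_plugins(load_plugin_dir("/path/to/wp-content/plugins"))`; a duplicate-header hit is strong evidence, while a bare slug mismatch is only a prompt to look closer, since some legitimate plugins use unrelated directory names.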

An earlier independent study by WPScan stated that plugins are the biggest source of vulnerabilities and data breaches in WordPress, accounting for 54 percent of all known WordPress vulnerabilities.
