Computer scientists have developed a new artificial intelligence (AI) system that may be able to identify malicious codes that hijack supercomputers to mine for cryptocurrency such as Bitcoin and Monero.
“Based on recent computer break-ins in Europe and elsewhere, this type of software watchdog will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources,” said Gopinath Chennupati, a researcher at Los Alamos National Laboratory and co-author of a new paper in the journal IEEE Access.
“Our deep learning artificial intelligence model is designed to detect the abusive use of supercomputers specifically for the purpose of cryptocurrency mining.”
Detect cryptocurrency miners
Legitimate cryptocurrency miners often assemble enormous computer arrays dedicated to digging up the digital cash. Less savory miners have found they can strike it rich by hijacking supercomputers, provided they can keep their efforts hidden.
The new AI system is designed to catch them in the act by comparing programs based on graphs, which are like fingerprints for software.
All programs can be represented by graphs that consist of nodes linked by lines, loops, or jumps. Much as human criminals can be caught by comparing the whorls and arcs on their fingertips to records in a fingerprint database, the new AI system compares the contours in a program’s flow-control graph to a catalog of graphs for programs that are allowed to run on a given computer.
Instead of finding a match to a known criminal program, however, the system checks to determine whether a graph is among those that identify programs that are supposed to be running on the system.
How reliable is it?
The researchers tested their system by comparing a known, benign code to an abusive, Bitcoin mining code. They found that their system identified the illicit mining operation much quicker and more reliably than conventional, non-AI analyses.
Because the approach relies on graph comparisons, it cannot be fooled by common techniques that illicit cryptocurrency miners use to disguise their codes, such as including obfuscating variables and comments intended to make the codes look like legitimate programming.
While this graph-based approach may not offer a completely foolproof solution for all scenarios, it significantly expands the set of effective approaches for cyberdetectives to use in their ongoing efforts to stifle cybercriminals.
Based on recent computer break-ins, such software watchdogs will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources.
A Trend Micro research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to take action to stop their devices from enabling this criminal activity.
The importance of home routers for IoT botnets
There has been a recent spike in attacks targeting and leveraging routers, particularly around Q4 2019. This research indicates increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.
“With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important,” said Jon Clay, director of global threat communications for Trend Micro.
“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”
Force log-in attempts against routers increasing
The research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations.
The number of attempts increased nearly tenfold, from around 23 million in September to nearly 249 million attempts in December 2019. As recently as March 2020, Trend Micro recorded almost 194 million brute force logins.
Another indicator that the scale of this threat has increased is devices attempting to open telnet sessions with other IoT devices. Because telnet is unencrypted, it’s favored by attackers – or their botnets – as a way to probe for user credentials.
At its peak, in mid-March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week.
Cybercriminals are competing with each other
This trend is concerning for several reasons. Cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. These are then sold on underground sites either to launch DDoS attacks, or as a way to anonymize other attacks such as click fraud, data theft and account takeover.
Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device.
For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks.
As explained in the report, there’s a thriving black market in botnet malware and botnets-for-hire. Although any IoT device could be compromised and leveraged in a botnet, routers are of particular interest because they are easily accessible and directly connected to the internet.
Recommendations for home users
- Make sure you use a strong password. Change it from time to time.
- Make sure the router is running the latest firmware.
- Check logs to find behavior that doesn’t make sense for the network.
- Only allow logins to the router from the local network.
There are significant shortfalls in enterprise domain security practices, putting organizations’ internet-facing digital assets at risk to threats, including domain name and DNS hijacking, phishing, and other fraudulent activity, a CSC report reveals.
According to the report, 83% of Global 2000 organizations have not adopted basic domain security measures such as registry lock, which puts them at risk for domain name hijacking.
The report indicates a wide industry disparity in domain security maturity with information technology and media and entertainment industries more likely to embrace available security controls, while industries such as materials and real estate trail behind.
“These security shortfalls are the direct result of not executing proper domain security techniques. Domain security cannot be an afterthought, and there needs to be a conscious effort to make this an intentional and critical part of every company’s overall cyber security posture, especially as criminals evolve their attack methods,” says Mark Calandra, executive vice president for CSC DBS.
“As companies move to more online business models, it’s essential to use defense-in-depth practices to proactively manage, secure, and defend the foundational internet-facing components of your digital brand presence.”
- Four out of five Global 2000 companies are severely at risk and exposed to domain name and DNS hijacking due to a lack of registry locks. Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.
- 53% of the Forbes Global 2000 use retail-grade domain registrars, putting them at greater risk for phishing, social engineering, and attacks while complicating compliance demands. The management of the overall domain name portfolio by a reputable corporate registrar versus a retail registrar will make the adoption of domain security standards much easier to implement and monitor.
- Only 20% of Global 2000 companies use enterprise-grade DNS hosting. Lack of DNS hosting redundancy and using non-enterprise-level DNS providers poses potential security threats like resiliency to DDoS attacks, as well as down time, and revenue loss.
- 97% of the Global 2000 don’t use DNS security extensions (DNSSEC), which means the majority of companies are prone to cache poisoning attacks. Lack of deployment of DNSSEC leads to vulnerabilities in the DNS, which could include an attacker hijacking any step of the DNS lookup process.
- Domain-based message authentication, reporting, and conformance (DMARC) use is only at 39% for the Global 2000 companies. DMARC is an email validation system designed to protect a company’s email domain from being used for email spoofing, phishing scams, and other cyber crime.