News Releases3 min read

Carbon Black Threat Analysis Unit (TAU) Uncovers Significant Evolution of Popular Cryptomining Campaign Affecting More than 500,000 Computers

Dubbed “Access Mining,” TAU’s discovery demonstrates how cryptomining malware has been enhanced to steal system access information for possible sale on the dark web.

By some estimates, attackers could theoretically pull in $1.6 million annually by leveraging this attack model, which began about two years ago due to cryptocurrency market fluctuations and high availability of open source attack tools.

LAS VEGAS, Aug. 07, 2019 (GLOBE NEWSWIRE) — — BLACK HAT USA — Carbon Black (NASDAQ: CBLK), a leader in cloud-native endpoint protection, today released a threat report outlining how a well-known cryptomining campaign has been enhanced to steal system access information for possible sale on the dark web.
_________________
Click here to download the full report from Carbon Black
_________________

Dubbed “Access Mining” by Carbon Black researchers, this particular attack stands to affect more than 500,000 computers around the world. The methods used could pave the way for more dangerous and far-reaching attacks as threats considered lower priority can open the door for more advanced, targeted attacks that can be sold to the highest bidder.

The discovery was made after the CB ThreatSight team alerted Carbon Black’s TAU about unusual behavior seen across a handful of endpoints. The ensuing investigation revealed sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark web.

Carbon Black TAU researchers Greg Foss (@Heinzarelli) and Marina Liang (@51Bmarina) presented their research in a report released today: “Access Mining: How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model.”

The duo will also be presenting their results live at the Black Hat USA 2019 conference in Las Vegas on Thursday, August 8 at 1:20 p.m. PT in Business Hall Theater A.

“Access Mining is a tactic where an attacker leverages the footprint and distribution of commodity malware, in this case a cryptominer, using it to mask a hidden agenda of selling system access to targeted machines on the dark web,” the researchers said. “This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will likely catalyze a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”

Among the report’s key findings:

At least 500,000 machines affected

Victims have been predominantly located in Asia Pacific, Russia and Eastern Europe. 

Threat actors are increasingly using repurposed tools, modified exploits and stolen infrastructure

In previous campaigns, this threat actor used a modified version of XMRig to perform Monero mining. In addition to the modified XMRig, our research showed that the group now uses readily available malware and open source tooling, such as Mimikatz and EternalBlue, which have been modified for purposes to pivot from infected systems and expand their campaign’s reach.
_________________
Click here to download the full report from Carbon Black 
_________________

Newly uncovered link between Smominru and MyKings

This investigation highlights an unexpected link between Smominru cryptomining campaign and the MyKings botnet, which is outlined in the full report. 

Rapid evolution thanks to open source exploits

Modified versions of Cacls, XMRig and EternalBlue were used in this campaign. Obtaining the bulk of the code via open source sites like GitHub likely sped up the innovation to Access Mining, the researchers found. 
_________________
Click here to download the full report from Carbon Black 
_________________

Combining commodity malware with access-for-sale is lucrative at scale

The business model for Access Mining typically combines a profit stream from cryptomining with a profit stream from selling system access. Both can be highly lucrative (from some estimates on the latest discoveries, profit can be as much as $1.6 million annually) if done at scale. 
_________________
Click here to download the full report from Carbon Black 
_________________

“This discovery demonstrates how virtually any company could be leveraged in a targeted attack—even if that company lacks a worldwide brand, known intellectual property
assets, or a Fortune 1000 listing,” the researchers said. “Access Mining represents a scalable and economical approach for an adversary to find valuable targets.”
_________________
Attending Black Hat USA? Make sure to stop by our Booth (#522 in Shoreline Hall) to learn how Carbon Black’s cloud-native endpoint protection platform (EPP) is transforming endpoint security through data and analytics. 

https://www.carbonblack.com/company/events/black-hat-2019/

_________________

About Carbon Black

Carbon Black (NASDAQ: CBLK) is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The CB Predictive Security Cloud® (PSC) consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analyzing billions of security events per day across the globe, Carbon Black has key insights into attackers’ behaviors, enabling customers to detect, respond to and stop emerging attacks.

More than 5,600 global customers, including approximately one third of the Fortune 100, trust Carbon Black to protect their organizations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use Carbon Black’s technology in more than 500 breach investigations per year.

Carbon Black CB ThreatSight and CB Predictive Security Cloud are registered trademarks or trademarks of Carbon Black, Inc. in the United States and/or other jurisdictions.

Contact
Ryan Murphy, Carbon Black
Director of Global Communications
917-693-2788
rmurphy@carbonblack.com