Cryptomining is the latest cybersecurity threat dominating the headlines, but education and awareness are still lacking among organisations about what it is and how it’s carried out.
This type of cyberattack is particularly insidious as it’s difficult to detect and staff who are not IT savvy can often misinterpret its symptoms as typical machine wear and tear.
SecurityBrief spoke to Malwarebytes CIO and chief security officer Justin Dolly about why Kiwis are more vulnerable to cryptomining, what the current threat landscape looks like in New Zealand, and emerging threats on the horizon.
In January, we released a report for A/NZ which referred to the fact that ransomware was still dramatically on the rise, and that was the big bad malware on the block.
Five months later and already, ransomware is falling down the charts, as far as threats go.
We’re seeing a huge increase in cryptomining.
Bad actors are moving away from ransomware, because they’re only getting about 50% efficiency from the ransomware attacks, given that only about half of people compromised by ransomware actually pay the ransom.
So moving to something like cryptomining means they get almost a 100% return on their investment because they can profit from everyone who visits the malicious site.
I think New Zealand in particular, being big fans of cryptocurrency and having adopted it at a quick pace versus the rest of the world, means that cryptojacking and the mining attacks are taking a pretty big foothold here in New Zealand.
From our standpoint, if you’re running something intelligent on your endpoint that disables these threats and proactively blocks them and makes sure that your business, your enterprise and your customers are being kept safe in a proactive manner as opposed to having to rectify it later and remediate.
In the second half of 2017, Malwarebytes blocked over 100 million cryptojacking attempts, so it is a big problem.
Normally, adoption of cryptocurrencies has been led by the bad actors, but I think the level of adoption of cryptocurrencies in general has been faster than other financial options in the past.
One of the things that’s interesting about New Zealand is that it’s a nation of business owners as opposed to a nation of large corporations and big companies.
That’s why a lot of technology decisions happen here.
People who are actively running things, they know what’s going on, they know how the business functions, as opposed to large corporations so saving money and being efficient, which people are able to do, are really important to business owners.
Cryptocurrency is easy to use - not frictionless, but they're not difficult to understand, you can adopt it pretty well, it's similar to the adoption of managed service providers (MSPs) to delivering services to a lot of the SMBs here in New Zealand.
It's difficult to stay up-to-date on the latest developments in cryptomining attacks and emerging attack vectors.
I think that one of the ways that would allow businesses to have more awareness around it is, there is a lack of legislation around these things - it happens all the time with an emerging technology.
Legislation and oversight, and even a penalty for misuse or from bad events, those things tend to come later.
I know that in New Zealand, there are some conversations happening, and various compliance initiatives.
The biggest challenge with IoT is that there's no structure surrounding what their operating systems look like, which components should they be using, whether there's any security in place.
Their only mandate from the manufacturers is, "I want a very lightweight operating system that requires minimal resources to be able to function, and it needs to be tiny.”
So when something has to be lightweight, and small, and has to just deliver a number of functions, security is not the first thing you're going to work on.
These operating systems are disparate - they're going to be different flavours of Linux, potentially other operating systems.
So there's no low tide as far as sending out what's good and what's not and what should or shouldn't be there.
The industry is not waiting for us to figure this out, it's just going right ahead.
Many of them are storing credentials within the operating system, and they're stored in clear text because the hashing function would take up more memory than it necessarily had.
Nearly all the IoT devices function using Wi-Fi as a transport mechanism, so they usually need to have the Wi-Fi key for your network, whether that's in your business or in your home, so if any of those IoT devices are compromised, at the very least, it has your Wi-Fi credentials, or the key that makes it available to join your Wi-Fi network, and so you really only have to compromise one of these smart devices, and you basically have the whole network.
It's difficult for us to determine with 100% confidence the way to tackle that threat - I sense it will probably be something at the gateway of your Wi-Fi network, and I know that there are some companies who are thinking about a piece of hardware that you could put in your home network.
The attacks are only going to increase, as people buy new technology, just as consumers and businesses buy more technology, this IoT capability is going to be brought into their enterprise or into their home, thereby increasing the risk.