Exclusive: Why NZ is particularly vulnerable to cryptomining

11 Jul 2018

Cryptomining is the latest cybersecurity threat dominating the headlines, but education and awareness are still lacking among organisations about what it is and how it’s carried out.

This type of cyberattack is particularly insidious as it’s difficult to detect and staff who are not IT savvy can often misinterpret its symptoms as typical machine wear and tear.

SecurityBrief spoke to Malwarebytes CIO and chief security officer Justin Dolly about why Kiwis are more vulnerable to cryptomining, what the current threat landscape looks like in New Zealand, and emerging threats on the horizon.

What are the latest trends in the threat landscape?  

In January, we released a report for A/NZ which referred to the fact that ransomware was still dramatically on the rise, and that was the big bad malware on the block.

Five months later and already, ransomware is falling down the charts, as far as threats go.

We’re seeing a huge increase in cryptomining.

Bad actors are moving away from ransomware, because they’re only getting about 50% efficiency from the ransomware attacks, given that only about half of people compromised by ransomware actually pay the ransom.

So moving to something like cryptomining means they get almost a 100% return on their investment because they can profit from everyone who visits the malicious site. 

I think New Zealand in particular, being big fans of cryptocurrency and having adopted it at a quick pace versus the rest of the world, means that cryptojacking and the mining attacks are taking a pretty big foothold here in New Zealand.

From our standpoint, if you’re running something intelligent on your endpoint that disables these threats and proactively blocks them and makes sure that your business, your enterprise and your customers are being kept safe in a proactive manner as opposed to having to rectify it later and remediate. 

In the second half of 2017, Malwarebytes blocked over 100 million cryptojacking attempts, so it is a big problem.

Why does NZ have a higher-than-average adoption rate of cryptocurrencies?

Normally, adoption of cryptocurrencies has been led by the bad actors, but I think the level of adoption of cryptocurrencies in general has been faster than other financial options in the past.

One of the things that’s interesting about New Zealand is that it’s a nation of business owners as opposed to a nation of large corporations and big companies.

That’s why a lot of technology decisions happen here.

People who are actively running things, they know what’s going on, they know how the business functions, as opposed to large corporations, so saving money and being efficient, which people are able to do, are really important to business owners.

Cryptocurrency is easy to use - not frictionless, but they're not difficult to understand, you can adopt it pretty well, it's similar to the adoption of managed service providers (MSPs) to delivering services to a lot of the SMBs here in New Zealand.

Is there a lack of awareness among businesses about the risk of cryptomining attacks?

It's difficult to stay up-to-date on the latest developments in cryptomining attacks and emerging attack vectors.

I think that one of the ways that would allow businesses to have more awareness around it is, there is a lack of legislation around these things - it happens all the time with an emerging technology.

Legislation and oversight, and even a penalty for misuse or from bad events, those things tend to come later.

I know that in New Zealand, there are some conversations happening, and various compliance initiatives.

What is the security risk that the proliferation of Internet of Things (IoT) devices presents?

The biggest challenge with IoT is that there's no structure surrounding what their operating systems look like, which components should they be using, whether there's any security in place.

Their only mandate from the manufacturers is, “I want a very lightweight operating system that requires minimal resources to be able to function, and it needs to be tiny.”

So when something has to be lightweight, and small, and has to just deliver a number of functions, security is not the first thing you're going to work on.

These operating systems are disparate - they're going to be different flavours of Linux, potentially other operating systems.

So there's no low tide as far as sending out what's good and what's not and what should or shouldn't be there.

The industry is not waiting for us to figure this out, it's just going right ahead.

Many of them are storing credentials within the operating system, and they're stored in clear text because the hashing function would take up more memory than it necessarily had.

Nearly all the IoT devices function using Wi-Fi as a transport mechanism, so they usually need to have the Wi-Fi key for your network, whether that's in your business or in your home, so if any of those IoT devices are compromised, at the very least, it has your Wi-Fi credentials, or the key that makes it available to join your Wi-Fi network, and so you really only have to compromise one of these smart devices, and you basically have the whole network.

It's difficult for us to determine with 100% confidence the way to tackle that threat - I sense it will probably be something at the gateway of your Wi-Fi network, and I know that there are some companies who are thinking about a piece of hardware that you could put in your home network.

The attacks are only going to increase, as people buy new technology, just as consumers and businesses buy more technology, this IoT capability is going to be brought into their enterprise or into their home, thereby increasing the risk. 
