{"id":11455,"date":"2018-02-12T10:46:01","date_gmt":"2018-02-12T18:46:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/12\/news-5226\/"},"modified":"2018-02-12T10:46:01","modified_gmt":"2018-02-12T18:46:01","slug":"news-5226","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/12\/news-5226\/","title":{"rendered":"Cryptojacking Found in Critical Infrastructure Systems Raises Alarms"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a7e4c31263579570b6bfb15\/master\/pass\/cryptojacking_waterwaste.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Mon, 12 Feb 2018 17:09:20 +0000<\/strong><\/p>\n<p>The rise of <a href=\"https:\/\/www.wired.com\/story\/cryptojacking-cryptocurrency-mining-browser\/\">cryptojacking<\/a>\u2014which co-opts your PC or mobile device to illicitly mine cryptocurrency when you visit an infected site\u2014has fueled mining&#x27;s <a href=\"https:\/\/www.wired.com\/story\/cryptojacking-has-gotten-out-of-control\/\">increasing appeal<\/a>. But as attackers have expanded their tools to slyly outsource the number of devices, processing power, and electricity powering their mining operations, they&#x27;ve moved beyond the browser in potentially dangerous ways.<\/p>\n<p>On Thursday, the critical infrastructure security firm Radiflow announced that it had discovered cryptocurrency mining malware in the operational technology network (which does monitoring and control) of a water utility in Europe\u2014the first known instance of mining malware being used against an industrial control system.<\/p>\n<p class=\"paywall\">Radiflow is still assessing the extent of the impact, but says that the attack had a \u201csignificant impact\u201d on systems. 
The researchers note that the malware was built to run quietly in the background, using as much processing power as it could to mine the cryptocurrency Monero without overwhelming the system and creating obvious problems. The miner was also designed to detect and even disable security scanners and other defense tools that might flag it. Such a malware attack increases processor and network bandwidth usage, which can cause industrial control applications to hang, pause, and even crash\u2014potentially degrading an operator\u2019s ability to manage a plant.<\/p>\n<p class=\"paywall\">&quot;I&#x27;m aware of the danger of [malware miners] being on industrial control systems though I&#x27;ve never seen one in the wild,\u201d says Marco Cardacci, a consultant for the firm RedTeam Security, which specializes in industrial control. \u201cThe major concern is that industrial control systems require high processor availability, and any impact to that can cause serious safety concerns.&quot;<\/p>\n<p class=\"paywall\">Radiflow CEO Ilan Barda says the company had no idea it might discover a malicious miner when it installed intrusion detection products on the utility\u2019s network, particularly on its inner network, which wouldn\u2019t usually be exposed to the internet. \u201cIn this case their internal network had some restricted access to the internet for remote monitoring, and all of a sudden we started to see some of the servers communicating with multiple external IP addresses,\u201d Barda says. 
\u201cI don\u2019t think this was a targeted attack, the attackers were just trying to look for unused processing power that they could use for their benefit.\u201d<\/p>\n<p class=\"paywall\">Industrial plants may prove an enticing environment for malicious miners. Many don\u2019t use a lot of processing power for baseline operations, but do draw a lot of electricity, making it relatively easy for mining malware to mask both its CPU and power consumption. And the inner networks of industrial control systems are known for running dated, unpatched software, since <a href=\"https:\/\/www.wired.com\/story\/meltdown-and-spectre-vulnerability-fix\/\">deploying new operating systems and updates can inadvertently destabilize<\/a> crucial legacy platforms. These networks generally don&#x27;t access the public internet, though, and firewalls, tight access controls, and <a href=\"https:\/\/www.wired.com\/story\/air-gap-researcher-mordechai-guri\">air gaps<\/a> often provide additional security.<\/p>\n<p class=\"paywall\">Security specialists focused on industrial control, like the researchers at Radiflow, warn that the defenses of many systems still fall short, though.<\/p>\n<p class=\"paywall\">\u201cI for one have seen a lot of poorly configured networks that have claimed to be air gapped but weren&#x27;t,\u201d RedTeam Security\u2019s Cardacci says. \u201cI am by no means saying that air gaps don&#x27;t exist, but misconfigurations occur often enough. I could definitely see the malware penetrating crucial controllers.\u201d<\/p>\n<p class=\"paywall\">With so much fallow processing power, hackers looking to mine\u2014often with automated scanning tools\u2014will happily exploit flaws in an industrial control system\u2019s defenses if it means access to the CPUs. Technicians with an inside track may also yield to temptation; reports surfaced on Friday that a group of Russian scientists were <a href=\"http:\/\/www.bbc.com\/news\/world-europe-43003740\" target=\"_blank\">recently arrested<\/a> for allegedly using the supercomputer at a secret Russian research and nuclear warhead facility for Bitcoin mining.<\/p>\n<p class=\"paywall\">\u201cThe cryptocurrency craze is just everywhere,\u201d says J\u00e9r\u00f4me Segura, lead malware intelligence analyst at the network defense firm Malwarebytes. \u201cIt\u2019s really changed the dynamic for a lot of different things. A large amount of the malware we\u2019ve been tracking has recently turned to do some mining, either as one module or completely changing attention. Rather than stealing credentials or working as ransomware, it\u2019s doing mining.\u201d<\/p>\n<p class=\"paywall\">Though in-browser cryptojacking was a novel development toward the end of 2017, malicious mining malware itself isn\u2019t new. And more and more attacks are cropping up all the time. This weekend, for example, attackers <a href=\"http:\/\/www.theregister.co.uk\/2018\/02\/11\/browsealoud_compromised_coinhive\/\" target=\"_blank\">compromised the popular web plugin Browsealoud<\/a>, allowing them to steal mining power from users on thousands of mainstream websites, including those of United States federal courts system and the United Kingdom&#x27;s National Health Service.<\/p>\n<p class=\"paywall\">Traditional mining attacks look like the Browsealoud incident, targeting individual devices like PCs or smartphones. But as the value of cryptocurrency has ballooned, the sophistication of attacks has grown in kind.<\/p>\n<p class=\"paywall\">Radiflow\u2019s Barda says that the mining malware infecting the water treatment plant, for instance, was designed to spread internally, moving laterally from the internet-connected remote monitoring server to others that weren\u2019t meant to be exposed. \u201cIt just needs to find one weak spot even on a temporary basis and it will find the way to expand,\u201d Barda says.<\/p>\n<p class=\"paywall\">Observers say it\u2019s too soon to know for sure how widespread cryptojacking will become, especially given the volatility of cryptocurrency values. But they see malicious mining cropping up in critical infrastructure as a troubling sign. While cryptojacking malware isn&#x27;t designed to pose an existential threat\u2014in the same way a parasite doesn&#x27;t want to kill its host\u2014it still wears on and degrades processors over time. Recklessly aggressive mining malware has even been known to <a href=\"https:\/\/arstechnica.com\/information-technology\/2017\/12\/currency-mining-android-malware-is-so-aggressive-it-can-physically-harm-phones\/\" target=\"_blank\">cause physical damage<\/a> to infected devices like smartphones.<\/p>\n<p class=\"paywall\">It also seems at least possible that an attacker with goals more sinister than a quick financial gain could use mining malware to cause physical destruction to critical infrastructure controllers\u2014a <a href=\"https:\/\/www.wired.com\/story\/triton-malware-targets-industrial-safety-systems-in-the-middle-east\/\">class of rare but burgeoning attacks<\/a>.<\/p>\n<p class=\"paywall\">\u201cWe\u2019ve seen this technique with <a href=\"https:\/\/www.wired.com\/story\/petya-ransomware-ukraine\/\">ransomware like NotPetya<\/a> where it\u2019s been used as a decoy for a more dangerous attack,\u201d Segura says. \u201cMining malware could be used in the same way to look financially motivated, but in fact the goal was to trigger something like the <a href=\"https:\/\/www.wired.com\/2014\/11\/countdown-to-zero-day-stuxnet\/\">physical damage we saw with Stuxnet<\/a>. If you run miners at 100 percent you can cause damage.\u201d<\/p>\n<p class=\"paywall\">Such a calamitous attack remains hypothetical, and might not be practical. But experts urge industrial control plants to consistently audit and improve their security, and ensure that they&#x27;ve truly siloed internal networks, so there are no misconfigurations or flaws that attackers can exploit to gain access.<\/p>\n<p class=\"paywall\">&quot;Many of these systems are not hardened and are not patched with the latest updates. And they must run 24\/7, so recovery from crypto-mining, ransomware, and other malware threats is much more problematic in industrial control system networks,&quot; says Jonathan Pollet, the founder of Red Tiger Security, which consults on cybersecurity issues for heavy industrial clients like power plants and natural gas utilities. &quot;I hope this helps create a sense of urgency.&quot;<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/cryptojacking-critical-infrastructure\" target=\"bwo\">https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a7e4c31263579570b6bfb15\/master\/pass\/cryptojacking_waterwaste.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Mon, 12 Feb 2018 17:09:20 +0000<\/strong><\/p>\n<p>Once confined to browsers, hijacking computers to mine cryptocurrency has branched out to dangerous places.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11455","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11455"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11455\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11455"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}