Attacks aimed at delivering cryptocurrency mining tools to enterprise networks have increased as much as sixfold, according to telemetry data collected by IBM’s X-Force team between January and August 2017.
A recent report by fellow cyber-security firm Kaspersky found that cryptocurrency mining malware also infected over 1.65 million machines running Kaspersky solutions in the first eight months of the year.
While Kaspersky collected data mainly from desktop endpoints, IBM’s telemetry gathered data from servers and other enterprise systems.
Attackers hid cryptocurrency miners inside fake image files
According to IBM, most of the infections the company saw during the first eight months of the year involved the same mining tool and similar infection techniques.
IBM’s Dave McMillen told Bleeping Computer via email that attackers used “a wide range of exploits […] to first compromise […] CMS platforms (WordPress and Joomla and JBoss server) prior to launching the subsequent CMDi [command injection] attack,” which then installed the cryptocurrency mining tool.
“These [mining] tools were hidden within fake image files, a technique known as steganography, hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers,” McMillen says.
The expert says attackers usually downloaded a customized version of a legitimate mining tool named Minerd, or a Linux port named kworker.
“In most cases, the attackers attempted to mine CryptoNote-based currencies such as Monero (XMR), which employs the CryptoNight mining algorithm,” McMillen said.
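The steganography technique McMillen describes, a mining binary stored inside a file that passes as an image, leaves a detectable trace: the file either does not start with the image format's signature at all, or it carries extra bytes after the point where the image structure ends. The following is an added defensive example, not code from IBM, Bleeping Computer or any of the projects named above. It walks PNG chunks to the IEND chunk and locates the JPEG End-Of-Image marker, then flags anything appended behind them or any ELF header in the body. The sample files, file names and the appended payloads are constructed for the demonstration; none is a real image or real malware.

```python
"""Flag image files that carry something other than an image (added example)."""
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
ELF_MAGIC = b"\x7fELF"


def png_end(data):
    """Walk the chunk list (length, type, data, CRC); return the offset just past IEND."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None  # no IEND: truncated or malformed


def jpeg_end(data):
    """Offset just past the first End-Of-Image marker after the SOI.

    Caveat: EXIF thumbnails embed a second JPEG with its own EOI, so a hit
    on a real photo means "look closer", not "malicious".
    """
    idx = data.find(JPEG_EOI, len(JPEG_SOI))
    return None if idx == -1 else idx + 2


def inspect_image(name, data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1]
    end = None
    if ext == "png":
        if data.startswith(PNG_SIG):
            end = png_end(data)
        else:
            findings.append("png extension but no PNG signature")
    elif ext in ("jpg", "jpeg"):
        if data.startswith(JPEG_SOI):
            end = jpeg_end(data)
        else:
            findings.append("jpeg extension but no JPEG SOI marker")
    else:
        return ["unsupported extension"]

    if end is not None and end < len(data):
        tail = data[end:]
        if tail.startswith(ELF_MAGIC):
            kind = "ELF binary"
        elif tail.startswith(b"#!"):
            kind = "shell script"
        else:
            kind = "unknown data"
        findings.append(f"{len(tail)} trailing bytes after image end ({kind})")
    if ELF_MAGIC in data:
        findings.append("ELF header present in file body")
    return findings


# --- constructed samples (not real images, not real malware) ---
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
PNG_WITH_ELF = CLEAN_PNG + ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 40  # fake ELF stub
CLEAN_JPEG = JPEG_SOI + b"\xe0\x00\x02" + JPEG_EOI                     # skeletal JPEG
JPEG_WITH_SCRIPT = CLEAN_JPEG + b"#!/bin/sh\necho placeholder\n"       # script behind EOI
ELF_DISGUISED = ELF_MAGIC + b"\x00" * 20                                # binary renamed .jpg


if __name__ == "__main__":
    # Usage: python scan_images.py file1.png file2.jpg ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_image(path, fh.read()) or ["clean"])
```

Running the scanner over a web root's upload and media directories, and comparing the result against a known-good baseline, turns the "fake image" trick into an inventory question rather than a forensic one; the JPEG check should be paired with a real EXIF parser before it is used to raise alerts on photo collections.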
Attacks targeted companies in all industry verticals
“We are unable to determine the number of attacking groups or infected servers from our attack data,” McMillen added, but he said that attackers weren’t picky and infected any target they could reach.
Infected servers spread across several industry verticals, such as manufacturing, finance, retail, IT & communications, and others.
No more Mirai versions with mining support
Back in April, the same IBM X-Force team discovered a version of the Mirai IoT malware that featured an experimental cryptocurrency mining feature.
As many experts predicted at the time, McMillen confirmed today that IBM has not seen any new Mirai malware strains deploying mining features.
“Exploiting IoT may be more of a proof of concept by attackers,” McMillen told Bleeping Computer. He also added that he expects attackers to target server and desktop endpoints equally, as both are very lucrative environments for mining operations.
The IBM and Kaspersky reports on the increase in cryptocurrency mining malware detections come after a string of incidents during the past few months that involved virtual currency miners.