
All right everybody, thanks for coming out to B-Sides again, and thanks for sticking around to the end for our last talk before we wrap things up at five o'clock. So it is 4:30, you're in the black room, and we're about to hear from Joe Mast. He's going to talk to us about red and blue team tips for crypto mining in your environment. That's all good, man.

Thank you everyone for staying so long, I really appreciate it. I know it's the end of the day, but we'll start the talk off. Does anybody happen to recognize the characters in the upper right-hand corner, your left, sorry? And if you do, could you raise your hand so I know? Okay, good. All right, so that show, that's Eddie, and the plot of that show every time is there's a scam: they try to go out and they try to get free money from all their friends. When I started researching this talk, to me it sounded like one of their scams, but it turned out this scam actually works, and you can get free money from crypto mining on your work's infrastructure. So today we're going to talk about some tips you can use to do it better, how you can protect against it, and how much money you can really make.

All right, so who am I? My name is Joe Mast, I work for Federated Investors, my undergrad is from Slippery Rock, and I'm doing my master's at Western Governors University. I have some interest in cryptocurrency, cyber security, usually breaking things, asking a lot of questions, traveling, and those are my cars, so if you're into cars let me know, I always like to talk about those as well.

So if you don't know anything about crypto mining, I'm just going to give you a brief background about what cryptocurrency is as well as what mining is. Cryptocurrency is just, basically, it's a digital currency. It's not regulated, it's decentralized. I'm sorry, it is regulated, it's just decentralized, and it's regulated by an encryption algorithm, and there's no central bank to distribute or operate the currency, i.e. just magic internet money, so you can have fun with that as well. Where does it come from? The short answer is it's distributed by a miner, and a miner just performs a complex math algorithm to verify transactions on the network, and by doing that work they're rewarded with more coins. So they're provided the coins for the work that they put into the network.

So some perspective, where are we coming from with this talk? I just want to give, like, an outsider's view again. Where this is at as an outsider, there's no, like, key to this; it's just mining by malicious employees or an attacker or a red team. So we're talking about anybody who has access to your system or potentially could have access to it, and what they're going to be attacking: one, your assets; two, your power bill; and three, your free air conditioning. So where is the best place to mine? Obviously anything with free power, right? Like a college dorm. We've been seeing that. Free power is best power, think that all the time; everything that's free, you want to take the best utilization of that that you can. Colleges are cracking down on it. If you aren't properly logging and auditing your Amazon Web Services, they're also a great place to mine, because it's really easy to set up new devices and spin up machines and instantly mine there as well. Any device that can really run code on it, you can also mine; they're pretty fast and easy. And of course your work's desktops, workstations and data center, because they're all climate controlled and maintained by people other than yourself.

So this is, in my opinion and many others', starting to become like the new ransomware. We're seeing it. And why is there a shift from ransomware to cryptocurrency mining? We're seeing that because this guarantees a return in most cases. I'm sorry, not most, but in some cases people don't pay the ransom; it's not guaranteed. But if your cryptocurrency mining software does run, you're usually guaranteed some sort of return as well. We've seen a lot of resources where botnets have been repurposed from doing malicious things to running cryptocurrency miners and then generating a slow profit for the owner as well. Popular ransomware tools have been repurposed; one such one was the EternalBlue exploit from WannaCry, which had been repurposed to one that mines. So there's a lot of different tools out there, they all exist, they use the same vulnerabilities as regular ransomware tools as well. It provides a long-term strategy for an attacker, and what that strategy provides is: with ransomware it's like a one-hit wonder, you're out, you get your money, you leave. But the long-term strategy here is you can mine over a long period of time, and that's also how it draws less attention. You're just on the system and constantly draining and using resources to gain money for yourself over time.

So mining costs money, and this is where I took into account the power bill and analyzed it. I have a home lab right now with two Dell R710 servers, and what I did with this was an experiment to
see how much money the power cost really was for my month, right? So I took into account two different sized firms, a small and a large. At the small firm we had 250 workstations and 50 servers, and the average cost per day for a workstation was around a quarter, and for the servers around $2 a day in power. Over the course of the year I ended up calculating that it was around $22,000 per year for all your workstations at a small firm, and around $36,000 a year for all the servers. Where it really starts to get serious is in a larger firm. The more workstations you have, obviously it's going to cost a lot more: with 5,000 workstations it's somewhere near half a million dollars in power costs as well. The more servers you have, they also cost a lot more, so it's almost three-quarters of a million dollars in power for a thousand servers. And this is just an assumption that you're getting a commercial rate of power; if you're doing this at your house or something along those lines, it's going to be even worse, and your rates are going to be way higher than this. And this doesn't take into account air conditioning, maintenance and other things related to maintaining your own hardware.

So how easy is it? Can you click run and paste your wallet address? That's really how easy it is to run some JavaScript miners in the browser. Honestly, if you can load a web page, you can load a miner. It's so easy a baby could do it. For more dedicated miners you might have to run an executable on an endpoint, but there's not really much configuration just to get it up and running. To optimize it, yes, there's more configuration and a need for permissions, but you can usually get it running in an environment where there's not a lot of protection as well. Things you need to mine: just internet, a device that works, a wallet, and a need for some free money. So free money is best money.

What are we talking about? We're going to take into account the small firm we saw earlier, and with that small firm we had 50 servers and 250 endpoints. This is where things start to get serious and you can see there are actual returns generated, and why someone might want to do this. So for the server we're looking at a hash rate of 300 hashes per second; that's very conservative and low for an average grade server just doing CPU mining as well. This workstation accounts for just an eight-hour day, so that's why you can see the daily yields are lower for the workstation. So I mined two different coins in my lab on the servers and the workstations that I had, and the daily yield for the server, sorry, for Monero was 18 cents, and Zcash was 62 cents, which is quite profitable; at the time, still is. On the workstations as well, since we're just planning for an eight-hour workday, I was able to earn around five cents for Monero and seventeen cents for Zcash. Where this really comes into effect is if you can do this for a long period of time over a large amount of assets: three to five thousand dollars is nice, and so is Zcash at two to eleven thousand dollars, but it's not something crazy, and I don't think I would want to lose my job over that much money. But this is the small fry, right? This is like you have a small organization, you take it over, but it's still a lot of money for people to go mine for, right?

So this is the small fry, but wait, there's more. The large firm is where the returns really come out. What these numbers show is they grow largely: with the same hash rates we're getting the same yield, depending on the assets you can control. Obviously, as you can see here, a thousand servers on Monero, that's sixty-five thousand dollars at current market rates, which are pretty low right now as well. For Zcash that's two hundred twenty-six thousand dollars a year, which is some serious change. If you can do that on all your endpoints, and this is just at a very conservative mining level as well, for our workstations it's almost a hundred thousand dollars a year, and three hundred thousand dollars a year for Zcash, and that's some, it's Lambo money; you can go out and buy anything you want with that. I can see why people have been mining on their work's infrastructure. And this is just to get you to think about: one, it's possible; two, it has serious returns; three, if you can do it, it's easy and simple to run, and there's obviously money to be made here.

So with this there are broad attack surfaces. I mentioned before the web browsers, but as well, with most of these miners there's
not much privileged access needed to make them run, at least from a basic standpoint. As well, you can mine in the browser via JavaScript if you're not blocking that, and another friend of mine proposed an idea, and I've seen attacks made for it, where web proxies are attacked and then used to inject the JavaScript directly into users' browser pages. As well, Internet of Things devices have been used and manipulated to mine consistently, because no one's really checking on them or looking at what they're doing all the time; a popular attack that was just released was for Amazon Fire sticks. As well, we've seen the repurposed botnets just go out and earn money for themselves and mine, and then we've seen a lot of phishing go from ransomware to mining, and that's been either a link to a web page with a JavaScript miner in it, or an executable for some type of miner that runs on a browser page hidden in the background. So it's very easy to attack multiple surfaces with this.

So, red team, how can you make more money or do this better? When I was doing this, I just pretended it was malware in my environment, my test environment. Most antivirus software thought that it was, or at least a malicious item, and in order to get it to run in some cases I used obfuscation techniques: I used PEScrambler to obfuscate the executable and then ran it, and it got past most signature-based antivirus software. As well, one thing was important: if you have really good server admins that are always on there and understand the utilization of your servers and when they should be working hard and when they shouldn't, you can tune around that within most miners, such as reducing how much CPU power it uses, as well as having it only work normal work hours so it doesn't look odd. And on mobile clients you can as well tune it around battery power so that doesn't look odd: if it gets below 20%, maybe it stops mining, things along those lines. As well, you can tune your phishing attacks. You don't need to go dropping executables on somebody's thing; you can just go and drop a JavaScript-infected link and mine via the browser there. If they just click on it, you're going to make some sort of return. As well, almost all miners were able to be loaded via SMB shares, just like normal malware, if your antivirus software doesn't know how to scan those. That was very simple, to load those in most of my lab environments.

Blue team, what can you do to prevent and detect this? At first I would definitely say that your company should have a formal stance established against this, or it doesn't have to be exactly crypto mining, but maybe hardware/software abuse, and if you don't have that already you should definitely have one drafted. As well, you can employ a next-gen firewall, and with that, it's great to have a next-gen firewall, but you should be using the tools that it has on it and implement them, such as URL filtering or SSL interception or decryption. As well, you should employ an intrusion detection system, keep it updated, and ensure that somebody's actually reading the alerts that it produces. It's great to have it, but again, you should pay attention to what it's doing; it's probably doing a good job. And then as well implement a strong antivirus or EDR solution, and keep it updated with rules and IOCs, and just watch it. As well, you can check out this CoinBlocker list tool, and what that CoinBlocker list tool does is it produces a list of IPs which contain every node in the Coinhive JavaScript miner that's built into the browser, and you can use that to implement it: it downloads as a text file, you can upload that to your tools and then block those IP addresses, or those web addresses. As well, you can patch your browsers and install blocking browser plugins if you don't have any other protections, and some of those plugins are No Coin and MinerBlock, and what they'll do is they just have known mining signatures in them and then they'll just block those scripts from running. As well, as I talked about before, one of the ways I was able to get most mining software to run in my labs and other areas I played with is through attached storage or shares. If your antivirus software or your EDR solution isn't configured properly to scan that, it's very simple to just have it run through there. So I found a lot of evil; if you just scan most attached storage or shares, there's lots of interesting things out there, and you should probably be doing that. And as well you should have a process to properly validate your firewall rules and what's going on there. If you're not properly validating, checking the configuration, or seeing what's going on, how do you know what's
really happening on your firewall? So there should be some sort of audit function, a third party that knows what's going on there.

As well, just before we wrap this up, I wanted to go over some recent news; there are some interesting links. For the first one, the Georgia Department of State: some man mined over $300,000 in Zcash, I think it was, and he was caught, he was asked to leave, he never actually got fired, and he ended up keeping the money too, so it sounds pretty sweet to me. For the second one, it was just a post on Stack Overflow: a colleague found that his friend was mining on the company resources, he asked what to do, and the comments are great if you read that one. And then the last one is a Russian guy that went missing; he was mining on supercomputers at a Russian state university.

And then just to go over again some pros and cons here: it's free money, there's no reason not to do it, and it's pretty simple and easy to install. You just Google how to mine; you can probably figure it out pretty simply. And some cons: if your environment is set up right, you might need privileged access to do this more properly. As well, if your firewall is set up well, you might need to whitelist something in there, but if you have access to it, it could be easy to do. And you might get fired. I haven't really seen many cases where people got fired, though. So just things to think about, and just things to leave you with: again, it's easy to do, you should have a policy against this, and free money. Thank you.

[Applause]

Anybody have any questions? Yes, there are. I don't know them off by heart, but I know that in most firewalls there's the ability, I know Palo Alto has signatures out there for it, that you can enable to block it with URL filtering and SSL decryption. Great question, thank you. Anybody else?

Yes, there is an IOC list. One of my friends was talking about a tool that you can download, and what it'll do is it'll give you a list of all the IP addresses of known pools, and then you can block those, because they're all communicating back out to those pools. But there are known public things that you can go and download to produce an IP list for you to implement into your tools to block those miner tools. Thank you everyone.

[Applause]
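The blue-team advice in the talk and the Q&A (download a CoinBlocker-style list of miner and pool addresses, then block or alert on them) is easy to state but the matching has a few edge cases: pools are contacted by sub-domain or by bare IP with a port, and "notcoinhive.example" must not match a "coinhive.example" entry. The following is an added example, not the speaker's code or the CoinBlockerLists project's code. It assumes a plain one-entry-per-line list (hostnames, IPs or CIDR ranges, `#` comments) and a simple space-separated proxy log format; both the list and the log lines are constructed for illustration and are not real indicators.

```python
"""Match proxy log lines against a CoinBlockerLists-style miner/pool blocklist.

Added example, not from the talk. SAMPLE_BLOCKLIST and SAMPLE_LOG are constructed
for illustration (RFC 5737 / .test names) and are not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed blocklist: one hostname, IP or CIDR per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# constructed sample, not real indicators
pool.example-mine.test
coinhive.example.test
192.0.2.77
203.0.113.0/24
"""

# Constructed proxy log: timestamp src-host user method dest[:port] dest-ip
SAMPLE_LOG = """\
2018-05-04T13:01:02Z WS-0117 jsmith CONNECT eu.pool.example-mine.test:3333 198.51.100.9
2018-05-04T13:01:05Z WS-0117 jsmith GET www.example.com:443 93.184.216.34
2018-05-04T13:02:11Z SRV-DB02 svc_backup CONNECT 192.0.2.77:14444 192.0.2.77
2018-05-04T13:03:40Z WS-0042 akim GET cdn.coinhive.example.test:443 203.0.113.45
2018-05-04T13:04:00Z WS-0042 akim GET notcoinhive.example.test:443 198.51.100.20
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_host: str
    user: str
    destination: str
    indicator: str  # the blocklist entry that matched


def parse_blocklist(text):
    """Split the list into a set of lowercase domains and a list of IP networks."""
    domains, networks = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            # A bare IP becomes a /32 (or /128) network; CIDR is kept as given.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.rstrip("."))
    return domains, networks


def _strip_port(dest):
    """'host:3333' -> 'host'; a destination without a port is returned unchanged."""
    host, sep, port = dest.rpartition(":")
    return host if sep and port.isdigit() else dest


def match_indicator(dest, dest_ip, domains, networks):
    """Return the matching blocklist entry for one log record, or None."""
    host = _strip_port(dest).lower().rstrip(".")
    # 1) Exact host or any parent domain (cdn.coinhive.x matches coinhive.x);
    #    label-wise comparison means notcoinhive.x does NOT match coinhive.x.
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    # 2) The destination written as a literal IP, or the resolved IP, in a range.
    for value in (host, dest_ip):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue
        for net in networks:
            if addr in net:
                return str(net)
    return None


def find_hits(blocklist_text, log_text):
    """Run every parsable log line against the list; malformed lines are skipped."""
    domains, networks = parse_blocklist(blocklist_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, _method, dest, dest_ip = m.groups()
        indicator = match_indicator(dest, dest_ip, domains, networks)
        if indicator:
            hits.append(Hit(ts, src, user, dest, indicator))
    return hits


def hosts_to_review(hits):
    """Distinct source hosts that talked to a listed miner/pool address."""
    return sorted({h.src_host for h in hits})


if __name__ == "__main__":
    for h in find_hits(SAMPLE_BLOCKLIST, SAMPLE_LOG):
        print(f"{h.timestamp} {h.src_host} {h.user} -> {h.destination} [{h.indicator}]")
    print("review:", hosts_to_review(find_hits(SAMPLE_BLOCKLIST, SAMPLE_LOG)))
```

Feeding a real downloaded list and real proxy or DNS logs through `find_hits` gives the "who is talking to a pool" view the talk asks for; the parent-domain walk is what keeps a list of pool domains useful when the miner picks a regional sub-domain, and the CIDR handling is what makes the IP-only pool lists from the Q&A usable without expanding them host by host.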