In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar codebases. In this model, a user visiting a website will download JavaScript code that executes client-side in her browser, mines a cryptocurrency (typically without her consent or knowledge) and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or supplement to advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or a business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for nonconsenting users.
Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016, myriad Mirai-like IoT-based botnets have emerged. Such botnets rely on Mirai's base malware code and infiltrate vulnerable IoT devices on an Internet-wide scale so as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-like IoT-based botnets go far beyond traditional pre-2016 DDoS attacks, since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-like botnet activity captured on globally distributed honeypots. We first discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information from a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our results indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy, 99% on average under the random forest formulation.
The 2016 Mirai outbreak established an entirely new mindset in the history of large-scale Internet attacks. A plethora of Mirai-like variants capable of infiltrating any type of device have emerged in the last two years. In this paper we provide a 7-month retrospective analysis of Internet-connected energy systems that are infected by Mirai-like malware variants. By utilizing network measurements from several Internet vantage points, we demonstrate that a number of energy systems on a global scale were infected during the period of our observation. While past works have studied vulnerabilities and patching practices of ICS and energy systems, little information has been available on actual exploits of such vulnerabilities. Hence, we provide evidence that energy systems relying on ICS networks are often compromised through vulnerabilities in non-ICS devices (routers, servers and IoT devices), which provide a foothold for lateral network attacks. Our work offers a first look at energy systems compromised by malware infections, and offers insights on the lack of proper security practices for systems that are increasingly dependent on Internet services and, more recently, the IoT. In addition, we indicate that such systems were infected for relatively long periods, thus potentially remaining undetected by their corresponding organizational units.
The adoption of the IoT by modern sociotechnical systems, in synergy with the rapid deployment of insecure IoT devices and services, has transformed the cyber-threat landscape. Thus, the vast majority of cyberattacks are underpinned by the orchestration of compromised IoT devices that are globally distributed and controlled through carefully designed IoT botnets. Contrary to conventional belief, cybersecurity vectors instrumented by such botnets are not always uniformly distributed across Internet Autonomous Systems (ASes). By virtue of the network structural characteristics imposed by each individual Autonomous System (AS), as well as the diversity of AS-level cybersecurity policies, the spatiotemporal manifestation of IoT botnets differs. In this work, we provide a novel measurement study that empirically quantifies AS tolerance of IoT botnet propagation in the global IPv4 Internet. We assess and correlate measurements gathered by globally distributed honeypots, Internet regional registries and IP blacklists for a 15-month period and observe more than 3.2M malicious events triggered by IoT botnets spanning 9.5K ASes. Our work demonstrates that ASes connected to a low number of providers are prone to embrace a high portion of malicious activities. Hence, we provide evidence of concentrated botnet activities and determine the effectiveness of widely used IP blacklists. In general, this study contributes towards empowering knowledge on large-scale cyber-attacks, which is crucial for the composition of next-generation data-driven cybersecurity defence applications.
Undoubtedly, the Internet of Things (IoT) contributes significantly to daily mission-critical processes underpinning a number of socio-technical systems. Conversely, its rapid adoption has extensively broadened the cyber-threat landscape by virtue of low-cost IoT devices that are manufactured and deployed with minimal security. Evidently, vulnerable IoT devices are utilised by attackers to participate in Internet-wide botnets in order to instrument large-scale cyber-attacks and disrupt critical Internet services. Since the 2016 outbreak of the first IoT Mirai botnet, there has been a continuous evolution of Mirai-like variants. Tracking these botnets is challenging due to their varying structural characteristics, and also due to the fact that malicious actors continuously adopt new evasion and propagation strategies. This work provides a new measurement study highlighting specific behavioural properties of Mirai-like botnets in terms of their propagation. We provide a comprehensive analysis conducted on real Cyber Threat Intelligence (CTI) feeds gathered for a period of 7 months from globally distributed attack honeypots and pinpoint the evolving port scanning patterns, targeted vulnerabilities and preferred services pursued by Mirai-like botnets. We identify the most frequently active Mirai-like malware binaries and we are the first to report the evolution of a new, P2P-based variant. In parallel, we provide evidence related to the lack of vendor-specific patching by highlighting unpatched vulnerabilities. Moreover, we pinpoint the inadequacy of widely used IP blacklisting databases to list malicious IP addresses in a timely manner. We thus argue in favour of integrating honeypot information from diverse Internet vantage points within the design of next-generation botnet defence mechanisms.