Menlo's Cloud Security Platform protects users from cryptomining attack

Menlo Security | September 30, 2019

The Internet keeps getting weirder, and users are getting harder to protect. Yet Menlo Security continues to keep users safe.

Consider a new threat that just popped up on our radar—it hijacks users’ devices to surreptitiously mine cryptocurrency. We first observed the threat at the beginning of August 2019. Over the next 30 days, 64 users visited compromised sites that eventually redirected them to a cryptomining site. Thankfully, in every single instance, the malicious code was either isolated in a disposable container in the Menlo Security Cloud Security Platform or was blocked outright (Figure 1). Not a single device was successfully hijacked.

Figure 1: All 64 instances of the cryptomining attack were either isolated or blocked by Menlo Security.

This particular threat is especially harmful because of the string of simple tactics it uses to hijack an endpoint’s CPU resources to mine for coins. The attackers compromised vulnerable WordPress sites and used SEO poisoning to make the sites appear high up in search results. Upon clicking the link, unsuspecting users are directed to the compromised website (Figure 2). Encoded JavaScript (Figure 3) then injects an iframe (Figure 4) on the site, which redirects to the cryptomining site.

Figure 2: The malicious link from Google search results. The website that the user visited is highlighted in red. The brown text shows the compromised directory on the website. The blue text is the search term typed in by the user.

Figure 3: The encoded JavaScript.

Figure 4: An iframe is injected on the site, redirecting the user to swiftmining.win
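
Site owners and analysts can check saved page source for the pattern described above. The following is an added example, not Menlo's code and not the script from Figure 3: it peels common JavaScript string encodings and reports off-site iframes that only appear once a script block is decoded. The page does not say which encoding was used, so the three handled here (percent-encoding, `\xNN` escapes, `String.fromCharCode`) are assumptions, and the sample HTML and host names are constructed.

```python
import re
from urllib.parse import unquote, urlparse

# Encodings assumed for illustration; the page does not name the one used.
CHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed sample: one percent-encoded off-site iframe, one harmless local one.
SAMPLE = """<html><body><h1>Blog</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22https%3A//miner.example.invalid/m%22%20width%3D%221%22%3E%3C/iframe%3E'));</script>
<script>var f = '<iframe src="/ads/local.html">';</script>
</body></html>"""

def decode_layer(text):
    """Undo one layer of fromCharCode, \\xNN and percent encoding."""
    text = CHARCODE.sub(
        lambda m: "".join(chr(int(n) % 65536) for n in re.findall(r"\d+", m.group(1))),
        text)
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)

def find_injected_iframes(html, page_host, max_layers=5):
    """Return [(layers_decoded, host)] for off-site iframes built inside scripts."""
    findings = []
    for body in SCRIPT.findall(html):
        seen = set()
        for layer in range(max_layers + 1):
            for src in IFRAME_SRC.findall(body):
                host = urlparse(src).hostname  # None for relative URLs
                if host and host != page_host and host not in seen:
                    seen.add(host)
                    findings.append((layer, host))
            decoded = decode_layer(body)
            if decoded == body:  # nothing left to decode
                break
            body = decoded
    return findings

if __name__ == "__main__":
    for layers, host in find_injected_iframes(SAMPLE, "blog.example.org"):
        print(f"off-site iframe to {host} found after {layers} decoding layer(s)")
```

A finding with a layer count above zero means the iframe was not visible in the raw source, which is the case a plain-text search of the page would miss.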

This innovative method prevents cybersecurity solutions such as legacy secure web gateways (SWGs) or anti-malware filters from identifying the attacks before they are successful. Only the symptoms of a successful breach—such as sapped bandwidth and poor performance—tip off the user, who has to take the extra step to get IT involved. Even then, only a careful analysis of event logs will reveal the initial breach—and by then it’s too late. 

While cryptomining attacks are considered relatively victimless (most are designed to not cause a perceptible performance hit so they don’t tip off the user or IT about the attack), a successful breach is an indication of larger cybersecurity issues. If an attacker is able to commandeer a user’s device, they can certainly download other malicious code that tracks keystrokes, leaks passwords, or opens up a connection to more sensitive business systems on the corporate network.

The bottom line: Any cybersecurity solution that relies on a detect-and-respond method is doomed to failure. In fact, failure is baked right into the architecture. Attacks that are identified days, hours, or even minutes after the initial breach can compromise security and put the organization at risk. Only a cybersecurity approach that provides 100 percent malware-free email and web browsing can keep users and the organization safe. There’s nothing weird about that.

Why Menlo protects users:

Menlo’s unique architectural approach executes webpages on isolated browsers in its cloud, and all active content (JavaScript, Flash) is fetched and executed there. Menlo then mirrors the rendered content to the end user's machine using its patented technology, preventing attacks that exploit such vulnerabilities. Check out the recommended strategy for Secure Web Access from Gartner and Magic Quadrant for Secure Web Gateway to see why Menlo continues to be the answer to security concerns.