The Internet keeps getting weirder, and users are getting harder to protect. Yet Menlo Security continues to keep users safe.
Consider a new threat that just popped up on our radar—it hijacks users’ devices to surreptitiously mine cryptocurrency. We first observed the threat at the beginning of August 2019. Over the next 30 days, 64 users visited compromised sites that eventually redirected them to a cryptomining site. Thankfully, in every single instance, the malicious code was either isolated in a disposable container in the Menlo Security Cloud Security Platform or was blocked outright (Figure 1). Not a single device was successfully hijacked.
Figure 1: All 64 instances of the cryptomining attack were either isolated or blocked by Menlo Security.
Figure 2: The malicious link from Google search results. The website that the user visited is highlighted in red. The brown text shows the compromised directory on the website. The blue text is the search term typed in by the user.
Figure 4: An iframe is injected on the site, redirecting the user to swiftmining.win
Because the mining code is pulled in through an iframe injected into an otherwise legitimate site that the user reached from a search result, legacy secure web gateways (SWGs) and anti-malware filters have little to identify before the attack succeeds. Often the only clues are the symptoms of a successful compromise, such as sapped bandwidth and poor performance, which the user has to notice and then escalate to IT. Even then, only a careful analysis of event logs reveals the initial breach, and by that point it is too late.
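The chain shown in Figures 2 and 4 (search result, compromised directory on the site, injected iframe to swiftmining.win) is exactly what a retrospective log review has to reconstruct. The following is an added Python example, not code from Menlo Security or from the original post: it walks a constructed web-proxy log backwards along Referer values to recover which users reached the mining domain and through which page. The log format, the user names, the site names under the `.test` TLD, and the search-engine list are assumptions made for the illustration; only the swiftmining.win domain comes from the post.

```python
"""Rebuild a search -> compromised site -> cryptominer redirect chain from proxy logs.

Added illustration; the log lines below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# swiftmining.win is the domain named in the post; extend this set with your own indicators.
MINING_DOMAINS = {"swiftmining.win"}
# Assumed list of search-engine hosts used to spot SEO-driven entry points.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed sample proxy log: timestamp, user, requested URL, referrer ('-' if none).
SAMPLE_LOG = """\
2019-08-05T10:00:01Z alice https://www.google.com/search?q=free+pdf+template -
2019-08-05T10:00:03Z alice https://example-shop.test/wp-content/uploads/free-pdf-template/ https://www.google.com/search?q=free+pdf+template
2019-08-05T10:00:04Z alice https://swiftmining.win/ https://example-shop.test/wp-content/uploads/free-pdf-template/
2019-08-05T10:00:05Z alice https://swiftmining.win/miner.js https://swiftmining.win/
2019-08-05T10:00:06Z bob https://intranet.test/home -
2019-08-05T10:00:07Z bob https://cdn.test/app.js https://intranet.test/home
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts with a real timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, referrer = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "url": url,
            "referrer": None if referrer == "-" else referrer,
        })
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def walk_back(records_by_user, rec):
    """Follow Referer values backwards to rebuild how the user arrived at `rec`."""
    chain = [rec]
    seen = {rec["url"]}
    current = rec
    while current["referrer"] and current["referrer"] not in seen:
        prev = None
        for r in records_by_user[current["user"]]:
            # keep the latest request for the referrer URL made at or before `current`
            if r is not current and r["ts"] <= current["ts"] and r["url"] == current["referrer"]:
                prev = r
        if prev is None:
            break
        chain.append(prev)
        seen.add(prev["url"])
        current = prev
    chain.reverse()
    return chain


def find_mining_chains(records):
    """Return one hit per first hop into a mining domain, with the reconstructed path."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    for lst in by_user.values():
        lst.sort(key=lambda r: r["ts"])

    hits = []
    for r in records:
        if host_of(r["url"]) not in MINING_DOMAINS:
            continue
        # Skip miner-to-miner loads (e.g. the script fetched by the iframe page);
        # only the first hop tells us which page was compromised.
        if r["referrer"] and host_of(r["referrer"]) in MINING_DOMAINS:
            continue
        chain = walk_back(by_user, r)
        hosts = [host_of(c["url"]) for c in chain]
        hits.append({
            "user": r["user"],
            "first_seen": r["ts"].isoformat(),
            "chain": hosts,
            "compromised_page": chain[-2]["url"] if len(chain) >= 2 else None,
            "via_search_engine": bool(hosts) and hosts[0] in SEARCH_ENGINES,
        })
    return hits


if __name__ == "__main__":
    for hit in find_mining_chains(parse_log(SAMPLE_LOG)):
        print(hit["user"], hit["first_seen"], " -> ".join(hit["chain"]))
        print("  compromised page:", hit["compromised_page"])
```

On the constructed log this yields a single hit for alice, with the path www.google.com -> example-shop.test -> swiftmining.win and the compromised directory URL as the page that carried the injected iframe; bob's normal CDN traffic produces nothing. In a real deployment the referrer join is the fragile part: requests that arrive with Referrer-Policy stripped or with no Referer at all break the chain, so the function stops at the last hop it can prove rather than guessing.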
While cryptomining attacks are often considered relatively victimless (most are tuned to avoid a perceptible performance hit so that neither the user nor IT notices them), a successful breach is a sign of larger cybersecurity problems. An attacker who can commandeer a user's device to run a miner can just as easily deliver other malicious code that logs keystrokes, leaks passwords, or opens a connection to more sensitive business systems on the corporate network.
The bottom line: any cybersecurity solution that relies on a detect-and-respond method is doomed to failure; failure is baked right into the architecture. An attack identified days, hours, or even minutes after the initial breach has already put the organization at risk. Only a cybersecurity approach that provides 100 percent malware-free email and web browsing can keep users and the organization safe. There's nothing weird about that.