This guest post was contributed by Ken Carnesi, CEO and founder of DNSFilter.
Cryptocurrency is playing a major role in the threat landscape of 2022 and will likely have an even bigger part to play by early next year, with ransomware payments made via cryptocurrency, phishing attacks targeting exchanges, and cryptojacking incidents all rising. Crypto-related threats are not going away, and organizations need to implement a robust domain security posture in order to mitigate these risks.
An April 2022 joint cyber security advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Treasury Department provides a case in point. The advisory highlighted the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat group since at least 2020.
The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, cryptocurrency trading companies, and others, according to the advisory.
The activity involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems, the advisory said. The cyber criminals then use the applications to gain access to a victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.
“North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets,” the agencies noted. “The U.S. government recommends implementing mitigations to protect critical infrastructure organizations as well as financial sector organizations in the blockchain technology and cryptocurrency industry.”
Because crypto is still relatively early in its lifecycle and new marketplaces keep cropping up, these sites are easier to mimic than those of traditional banks. When cryptocurrency made a comeback in 2020, security was impacted in a major way as threat actors saw a new window for compromise. And, given that cryptocurrency marketplaces are popular right now, threat actors have chosen to target the DNS layer.
As a distributed, easy-to-abuse threat vector, DNS will continue to be attractive and difficult to regulate. Among the common DNS-based, cryptocurrency-related threats are typosquatting domains, phishing domains, cryptojacking, mining pools, and DNS poisoning.
Building a Strong Defense
Organizations need to increase their protection against malware, ransomware, and phishing at the DNS layer. Cryptocurrency will continue to be an area ripe for exploitation, because it provides anonymity and an easy avenue for threat actors to drain accounts.
In our 2021 Domain Threat Report, DNSFilter looked closely at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin and Litecoin. Many of these cryptojacking sites used a variation of the term “mining” in the name of the domain.
Threat actors are acting now on this new opportunity for compromise. We have seen increases across cryptojacking threat types in 2022 from our global network, which processes more than 1 trillion queries a month. In addition, malicious traffic to websites with “bank” in the domain name has spiked 318% since 2021. Threat actors eyeing banks, or bank patrons, is no surprise, as the banking industry saw a 1318% increase in ransomware attacks in 2021.
By blocking known cryptojacking sites and domains that contain cryptocurrency references, organizations can broadly mitigate these risks. Newer security tools leverage technology such as artificial intelligence (AI) to detect and avoid threats.
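The following is an added illustration of the blocking heuristics described above (coin terms, “mining” variants, and look-alike brand names) applied to resolver query logs; it is example code, not DNSFilter's, and the brand watch-list, the log format, and the domains under the reserved .example TLD are all constructed.

```python
import re
from difflib import SequenceMatcher

# Long coin names are matched as substrings of a label; short tickers only as
# whole hyphen-separated tokens, so "method.example" never trips on "eth".
COIN_NAMES = ("bitcoin", "ethereum", "dogecoin", "litecoin", "crypto")
TICKERS = ("btc", "eth", "doge", "ltc")
MINING_RE = re.compile(r"min(?:e|er|ers|ing)")   # "mine", "miner", "mining", ...
BRANDS = ("coinbase", "binance", "kraken")        # constructed watch-list, not from the post
TYPO_RATIO = 0.8                                  # similarity needed to call a label a typosquat

# Constructed resolver log: timestamp, client IP, queried name, record type.
SAMPLE_LOG = """\
2022-05-01T10:00:01Z 10.0.0.5 eth-mining-pool.example A
2022-05-01T10:00:02Z 10.0.0.7 method.example A
2022-05-01T10:00:03Z 10.0.0.9 coinbsae-login.example A
2022-05-01T10:00:04Z 10.0.0.5 mail.corp.example MX
2022-05-01T10:00:05Z 10.0.0.8 bitcoin-wallet-verify.example A
2022-05-01T10:00:06Z 10.0.0.3 coinbase.example A
"""

def classify(qname):
    """Return a reason string if qname looks crypto-related, else None."""
    labels = qname.lower().rstrip(".").split(".")
    tokens = [t for lab in labels for t in lab.split("-") if t]
    coin_hits = [t for t in tokens if t in TICKERS or any(c in t for c in COIN_NAMES)]
    mining_hit = any(MINING_RE.search(t) for t in tokens)
    if coin_hits and mining_hit:
        return "cryptojacking: coin term %s plus mining variant" % coin_hits[0]
    # Compare only the registrable label (just below the TLD) against watched brands;
    # an exact brand match is legitimate traffic and is left alone.
    sld_tokens = (labels[-2] if len(labels) >= 2 else labels[0]).split("-")
    for tok in sld_tokens:
        for brand in BRANDS:
            if tok != brand and SequenceMatcher(None, tok, brand).ratio() >= TYPO_RATIO:
                return "typosquat: %s resembles %s" % (tok, brand)
    if coin_hits:
        return "crypto reference: %s" % coin_hits[0]
    return None

def triage(log_text):
    """Parse the constructed log format and return [(qname, reason)] for flagged queries."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        reason = classify(parts[2])
        if reason:
            flagged.append((parts[2], reason))
    return flagged

if __name__ == "__main__":
    for qname, reason in triage(SAMPLE_LOG):
        print("BLOCK %s: %s" % (qname, reason))
```

Fused labels such as a single token containing both a ticker and “mining” are not split by this tokenizer, so a production filter would pair it with a curated blocklist rather than rely on it alone.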
Another vital step is to educate users about attacks such as phishing, malware and ransomware. If they can recognize the common signs of such attacks, they can better avoid them. Indeed, the best way to protect an organization from costly attacks is to prevent employees from ever accessing harmful sites.
Along with effective training and awareness, companies need to implement comprehensive policies governing the use of technologies, including the growing number of mobile devices and cloud services. This is especially important with the widespread adoption of remote and hybrid work models.
A combination of effective security tools that block crypto-related threats, training and awareness to help users avoid risky behavior, and strong security policies and procedures can go a long way toward helping organizations defend against these emerging crypto threats.
Protecting the DNS layer plays a pivotal role in securing every organization, as clicking an untrustworthy link is the easiest way to engage with a cyber threat. CISOs and other security leaders need to take these threats seriously. As cryptocurrency continues to gain momentum and attention, the related threats will grow as well. Being proactive about security—and particularly domain security—is key to staying safe.