
Cryptojacking

Illicit coin mining seizes power

Mark Thomas

VP, Cybersecurity ─ Dimension Data

For the past 18 years, Mark has worked in the cybersecurity field establishing pragmatic, business-aligned risk minimisation strategies and developing intelligence-led computer network defences. His broad knowledge and in-depth expertise are a result of working extensively in consulting, technical, and managed services with large enterprises across numerous industry sectors including finance, government, utilities, retail, and education.


Cryptojacking: ‘compute to cash’ rises


Cybercriminals are hijacking organisations’ computing power to cash-in on cryptomining

Cryptojacking is code which illicitly generates or mines cryptocurrency. It’s often referred to as illegal bitcoin mining, cryptomining or cryptocurrency mining.

Not all cryptomining activity is unlawful: a user may install a coin mining programme on their personal system to generate cryptocurrency for themselves, using their own computing resources. But it becomes illegal when they use someone else’s resources ─ CPU power and energy ─ without their knowledge or permission, to mine cryptocurrency for their own financial benefit.

This year, Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report highlighted that in 2018, cryptojacking ─ while still in its infancy ─ caught many organisations off-guard and represented a significant amount of hostile activity. According to a recent joint paper [1] by the Cyber Threat Alliance (CTA), NTT Security, and other CTA members, cryptojacking detections increased by a staggering 459% between 2017 and 2018.

How does it work?

Cryptojacking works by cybercriminals tapping into other organisations’ processing power and using it to mine cryptocurrencies. It’s like a stranger sneaking into your house while you’re out and using your electricity and water! Meanwhile, at the end of the month, you have to foot the hefty bill.

This is typically achieved with scripts that run behind the scenes on websites, though it's also possible to hijack machines and servers to run full-blown cryptocurrency mining software, which is either installed by malware or by rogue employees.


Figure 1: How cryptojacking occurs

Cryptojacking can occur on a system with or without a user’s knowledge. There are three primary types, as shown in Figure 2 below.


Figure 2: Types of cryptojacking

  1. Cryptojacking malware: This is also known as host-based malware. It involves cryptojacking malware being installed on your device without your knowledge. In some cases, you may have visited a compromised website, where the malware identified a vulnerability in your system or web browser, and subsequently your device became ‘infected’. Once the attacker successfully infiltrates your system they can execute a malicious file that includes cryptojacking malware.
  2. Web-based cryptojacking: This is less visible and less easy to detect. It occurs when you acquire cryptomining scripts ─ which you can obtain unknowingly by browsing a legitimate website that’s been compromised. In some cases, the scripts within the advertisements featured on the website ─ which are often generated by third parties ─ have been surreptitiously replaced with cryptomining scripts. These will quietly harness the power of your system to automatically process cryptocurrency.
  3. Custom malware: In this scenario, existing malware toolkits are retrofitted to include cryptojacking capabilities.

If we look at the sectors most at risk from cryptojacking attacks, and the most prevalent types, the findings of our Executive Guide to the NTT Security 2019 Global Threat Intelligence Report reveal that:

  • The technology and education sectors accounted for over 86% of all cryptojacking detections.
  • The education sector experienced the greatest number of host-based cryptojacking detections followed by the technology sector (46%).
  • Host-based cryptojacking accounted for over 75% of all cryptojacking detections; 25% were web-based.

What’s the impact on businesses?

Cryptojacking malware can cause hardware resources to run at extremely high temperatures, increase energy consumption, harm your hardware, and shorten the lifespan of your systems.

However, the existence of cryptojacking malware in your environment often indicates a larger problem. In the case of cryptojacking mining or custom malware, it likely indicates unpatched vulnerabilities, or that someone in your environment has fallen victim to a phishing attack, allowing an attacker unauthorised access to your network. This is a risk that can’t be overstated – illicit coin miners in your infrastructure were clearly installed via nefarious means, which indicates some level of compromise or vulnerability somewhere within your environment.


Attackers’ motives: it’s all about profit

The motive behind cryptojacking is simple – profit. It’s incredibly lucrative and has a much lower barrier to entry than other vectors.

Additionally, cryptojacking is a very passive method of generating funds. Once an attacker has placed cryptojacking malware in an environment, there’s nothing left for them to do except wait as the cryptocurrency is generated and delivered to their wallet.

Attackers also know that by shifting their focus away from tactics such as ransomware, they can increase the likelihood of being paid. Although they might not get as much as they would in a lump-sum ransomware payment, it tends to be a better option because it allows the attacker to remain undetected for longer.

3 key ways to detect cryptojacking in your environment

  1. Monitor CPU spikes or above-average CPU usage. Unfortunately, the authors of this malware often use built-in meters to gauge the level of CPU usage, and (by using built-in automation) throttle back their activities for a while, if necessary.
  2. Enlist the support of a managed security service provider who has the capabilities to detect next-generation threats, and examine their clients’ network activity for any kind of anomalies. If a host has been compromised, that piece of malware may be seeking to download additional payloads or instruction sets, which would also include the illicit coin mining malware.
  3. Examine the malware on the end-system itself, working with experts to identify behaviours that can be used as intelligence indicators. This will allow you to apply these indicators to other security controls and uplift your overall cyberdefences, in an automated fashion. This also gives you the opportunity to share these insights with intelligence groups, business partners, peers, and other industry bodies.
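
An added sketch (not from the original article or the report) of the caveat in item 1: a fixed spike threshold fires on a legitimate burst yet misses a miner that throttles itself, while a check for sustained load above the host's own baseline does not. The sample values, thresholds and function names are constructed for illustration.

```python
# Constructed CPU utilisation samples (percent), one per 5-minute interval.
NORMAL_HOST = [12, 18, 15, 95, 14, 16, 13, 17, 15, 14, 16, 12, 18, 15, 13, 14]
THROTTLED_MINER = [14, 16, 62, 65, 64, 20, 66, 63, 65, 61, 18, 64, 66, 65, 63, 62]


def spike_alerts(samples, threshold=90.0):
    """Naive check: indexes of samples at or above a fixed spike threshold."""
    return [i for i, s in enumerate(samples) if s >= threshold]


def sustained_alerts(samples, baseline, margin=25.0, window=12, min_fraction=0.75):
    """Return start indexes of windows in which load stays above baseline.

    baseline is the host's normal utilisation (assumed known, for example a
    long-term median). A window is flagged when at least min_fraction of its
    samples exceed baseline + margin, so the short dips a self-throttling
    miner inserts do not reset the detection.
    """
    limit = baseline + margin
    needed = min_fraction * window
    hits = []
    for start in range(len(samples) - window + 1):
        chunk = samples[start:start + window]
        elevated = sum(1 for s in chunk if s > limit)
        if elevated >= needed:
            hits.append(start)
    return hits


if __name__ == "__main__":
    for name, data in (("normal", NORMAL_HOST), ("throttled", THROTTLED_MINER)):
        print(name, "spike:", spike_alerts(data),
              "sustained:", sustained_alerts(data, baseline=15.0))
```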

Top 8 ways to raise your defences

We believe that a holistic approach that incorporates people, process, and technology is the best way to tackle this scourge:

  1. Make sure that employees are aware of this type of threat and what to do about it, for example, by not opening suspicious emails and being vigilant about the websites they browse.
  2. Apply least-privilege controls for user, developer, and application accounts.
  3. Implement egress and ingress restrictions on your firewall, which helps to ensure only authorised traffic is allowed.
  4. Limit browser-based cryptomining ─ there are browser plugins available that are designed to help limit the functionality of browser-based cryptomining.
  5. Deny Stratum protocol usage ─ currently, cryptocurrency mining malware connects to mining pools via the Stratum protocol. Disabling this protocol stops miners before they’ve had a chance to start mining.
  6. Segregate network environments to stop widespread propagation, but also ensure that the right end-point controls are in place (e.g. anti-virus, endpoint detection and response).
  7. Ensure you have the appropriate remediation processes in place, including swift and comprehensive incident response.
  8. Use web controls, web security gateways, or web-filtering to stop cryptojacking infections before they happen and to prevent users from downloading additional malicious materials.
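
For item 5, an added example (not from the original article) of recognising Stratum by content rather than by port, since the protocol is line-delimited JSON-RPC and can run on any TCP port. The payloads are constructed samples, the function name is hypothetical, and the Monero-style `login` check is a heuristic; Stratum wrapped in TLS is not visible to this kind of inspection.

```python
import json

# Client-side methods in the Bitcoin-style "mining.*" Stratum namespace.
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Constructed sample payloads (one direction of a reassembled TCP stream).
MINER_FLOW = (b'{"id": 1, "method": "mining.subscribe", "params": ["example-miner/1.0"]}\n'
              b'{"id": 2, "method": "mining.authorize", "params": ["worker.example", "x"]}\n')
MONERO_FLOW = (b'{"id": 1, "jsonrpc": "2.0", "method": "login", '
               b'"params": {"login": "EXAMPLE_WALLET", "pass": "x", "agent": "example"}}\n')
WEB_FLOW = (b'POST /api HTTP/1.1\r\nHost: app.example\r\n\r\n'
            b'{"method": "login", "params": {"user": "alice"}}\n')


def stratum_indicators(payload: bytes):
    """Return the Stratum client methods seen in a payload, in order.

    Each line is parsed on its own; lines that are not JSON objects
    (HTTP headers, binary data, truncated messages) are skipped.
    """
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:  # covers malformed JSON and invalid UTF-8
            continue
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params")
        if not isinstance(method, str):
            continue
        if method in CLIENT_METHODS:
            found.append(method)
        # Monero-style pools: "login" with a params object holding login/pass.
        elif (method == "login" and isinstance(params, dict)
              and {"login", "pass"} <= params.keys()):
            found.append(method)
    return found


if __name__ == "__main__":
    for name, flow in (("miner", MINER_FLOW), ("monero", MONERO_FLOW), ("web", WEB_FLOW)):
        print(name, stratum_indicators(flow))
```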

[1] The Illicit Cryptocurrency Mining Threat, Cyber Threat Alliance, 2018
