Cryptojacking: ‘compute to cash’ rises
Cybercriminals are hijacking organisations’ computing power to cash in on cryptomining
Cryptojacking is the unauthorised use of someone else’s computing resources to mine cryptocurrency. It’s often referred to as illegal bitcoin mining, cryptomining or cryptocurrency mining.
Not all cryptomining activity is unlawful: a user may install a coin mining programme on their personal system to generate cryptocurrency for themselves, using their own computing resources. It becomes illegal when someone uses another party’s resources (CPU time and electricity) without their knowledge or permission, to mine cryptocurrency for their own financial benefit.
This year, Dimension Data’s Executive Guide to the NTT Security 2019 Global Threat Intelligence Report highlighted that in 2018, cryptojacking, while still in its infancy, caught many organisations off-guard and represented a significant amount of hostile activity. According to a recent joint paper [1] by the Cyber Threat Alliance (CTA), NTT Security, and other CTA members, cryptojacking detections increased by a staggering 459% between 2017 and 2018.
How does it work?
Cryptojacking works by cybercriminals tapping into other organisations’ processing power and using it to mine cryptocurrencies. It’s like a stranger sneaking into your house while you’re out and using your electricity and water! Meanwhile, at the end of the month, you have to foot the hefty bill.
This is achieved either with scripts that run in the browser while a user is on a website, or by hijacking machines and servers to run full-blown cryptocurrency mining software, installed either by malware or by rogue employees.
Figure 1: How cryptojacking occurs
Cryptojacking can occur on a system with or without a user’s knowledge. There are three primary types, as shown in Figure 2 below.
Figure 2: Types of cryptojacking
- Cryptojacking malware: This is also known as host-based cryptojacking. Mining malware is installed on your device without your knowledge. In some cases you may have visited a compromised website that exploited a vulnerability in your system or web browser, after which your device became ‘infected’. Once the attacker has a foothold on your system, they can execute a malicious file that carries the miner.
- Web-based cryptojacking: This is less visible and harder to detect. It occurs when your browser loads a cryptomining script, which can happen unknowingly by browsing a legitimate website that has been compromised. In some cases the scripts in the advertisements served on the website, which are often supplied by third parties, have been surreptitiously replaced with cryptomining scripts. These quietly use your system’s processing power to mine cryptocurrency for as long as the page stays open.
- Custom malware: In this scenario, existing malware toolkits are retrofitted to include cryptojacking capabilities.
If we look at the sectors most at risk from cryptojacking attacks, and the most prevalent types, the findings of our Executive Guide to the NTT Security 2019 Global Threat Intelligence Report reveal that:
- The technology and education sectors accounted for over 86% of all cryptojacking detections.
- The education sector experienced the greatest number of host-based cryptojacking detections, followed by the technology sector (46%).
- Host-based cryptojacking accounted for over 75% of all cryptojacking detections; the remainder, roughly 25%, were web-based.
What’s the impact on businesses?
Cryptojacking malware can cause hardware resources to run at extremely high temperatures, increase energy consumption, harm your hardware, and shorten the lifespan of your systems.
However, the presence of cryptojacking malware in your environment often indicates a larger problem. Host-based or custom mining malware usually points to unpatched vulnerabilities, or to someone in your environment having fallen victim to a phishing attack that gave an attacker unauthorised access to your network. This risk can’t be overstated: illicit coin miners in your infrastructure were installed by nefarious means, which means there is a compromise or a vulnerability somewhere within your environment.
Attackers’ motives: it’s all about profit
The motive behind cryptojacking is simple – profit. It’s incredibly lucrative and has a much lower barrier to entry than other vectors.
Additionally, cryptojacking is a very passive method of generating funds. Once an attacker has placed cryptojacking malware in an environment, there’s nothing left for them to do except wait as the cryptocurrency is generated and delivered to their wallet.
Attackers also know that by shifting their focus away from tactics such as ransomware, they remove the uncertainty of whether a victim will pay: a miner earns from the moment it runs. Although the return is smaller than a lump-sum ransomware payment, it tends to be a better option for the attacker because the operation can remain undetected for much longer.
3 key ways to detect cryptojacking in your environment
- Monitor for CPU spikes or above-average CPU usage. Be aware, though, that the authors of this malware often check the host’s own CPU load and, using built-in automation, throttle their activity for a while when usage climbs too high, so a simple threshold can miss them; look instead for sustained, unusually steady load above the host’s normal baseline.
- Enlist the support of a managed security service provider with the capability to detect next-generation threats and to examine clients’ network activity for anomalies. A compromised host will often try to download additional payloads or instruction sets, including the illicit coin-mining malware itself, and that traffic is visible on the network.
- Examine the malware on the end-system itself, working with experts to identify behaviours that can be used as intelligence indicators. You can then apply these indicators to your other security controls, in an automated fashion, to uplift your overall cyberdefences, and share them with intelligence groups, business partners, peers, and other industry bodies.
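The first detection point above, as an added example that is not part of the original article: a self-throttling miner never trips a “CPU above 90%” rule, but it does stand out as a sustained, unusually flat plateau above the host’s own baseline. The per-minute CPU samples below are constructed, and the thresholds (three standard deviations, a 30-minute window, a 2% variance cap for the plateau check) are assumptions to tune per fleet.

```python
"""Sustained-elevation CPU detector for throttled cryptominers.

Added example (not from the article). Telemetry is constructed: one total-CPU%
sample per minute from a single workstation. The first hour is ordinary light
use with an occasional burst; in the second hour a miner holds CPU at 44-47%.
"""
from statistics import mean, pstdev

# Constructed telemetry (see module docstring).
BASELINE_HOUR = [8, 10, 12, 9, 11, 35, 14, 10, 9, 13] * 6
MINER_HOUR = [44, 46, 45, 47, 45, 44, 46, 45, 45, 46] * 6
SAMPLES = BASELINE_HOUR + MINER_HOUR


def naive_spike_alerts(samples, threshold=90):
    """The insufficient rule: alert only when a sample is at or above threshold."""
    return [i for i, s in enumerate(samples) if s >= threshold]


def baseline_cutoff(samples, baseline_len=60, sigma=3.0):
    """Per-host cutoff: mean + sigma * stdev of the host's own baseline period."""
    base = samples[:baseline_len]
    return mean(base) + sigma * pstdev(base)


def sustained_elevation_alerts(samples, baseline_len=60, window=30,
                               sigma=3.0, min_fraction=0.9):
    """Return the start index of every window in which at least min_fraction
    of samples exceed the host's baseline cutoff. Duration, not peak, is the signal."""
    cutoff = baseline_cutoff(samples, baseline_len, sigma)
    alerts = []
    for start in range(baseline_len, len(samples) - window + 1):
        win = samples[start:start + window]
        above = sum(1 for s in win if s > cutoff)
        if above / window >= min_fraction:
            alerts.append(start)
    return alerts


def is_flat_plateau(window, min_level=30, max_stdev=2.0):
    """Second signal: human workloads are bursty, a throttled miner is flat.
    True when the window sits above min_level with very little variance."""
    return mean(window) >= min_level and pstdev(window) <= max_stdev


if __name__ == "__main__":
    print("naive alerts:", naive_spike_alerts(SAMPLES))
    starts = sustained_elevation_alerts(SAMPLES)
    print("sustained elevation from minute", starts[0] if starts else None)
    print("miner hour is a flat plateau:", is_flat_plateau(SAMPLES[60:90]))
```

In practice the baseline should come from the same host at the same time of day over several weeks, and both signals should be correlated with the process that owns the CPU time rather than with total load alone.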
Top 8 ways to raise your defences
We believe that a holistic approach that incorporates people, process, and technology is the best way to tackle this scourge:
- Make sure that employees are aware of this type of threat and what to do about it, for example, by not opening suspicious emails and being vigilant about the websites they browse.
- Apply least-privilege controls for user, developer, and application accounts.
- Implement egress and ingress restrictions on your firewall so that only authorised traffic is allowed.
- Limit browser-based cryptomining: browser plugins are available that are designed to block or limit cryptomining scripts.
- Block Stratum mining-pool traffic: cryptocurrency mining malware reaches its mining pool via the Stratum protocol (newline-delimited JSON-RPC over TCP). Stratum is not a service you can switch off on the host; block it at the egress firewall or IDS, by destination, port and payload signature, so that a miner which does get installed never reaches a pool and never earns anything. Note that miners can carry Stratum over TLS or through a proxy on port 443, so payload signatures alone are not sufficient.
- Segregate network environments to stop widespread propagation, and ensure the right endpoint controls are in place (e.g. anti-virus and endpoint detection and response, EDR).
- Ensure you have the appropriate remediation processes in place, including swift and comprehensive incident response.
- Use web controls, web security gateways, or web-filtering to stop cryptojacking infections before they happen and to prevent users from downloading additional malicious materials.
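The egress-restriction and Stratum points above, as an added example that is not part of the original article: a scanner that inspects captured TCP payloads for the Stratum handshake. The flows below are constructed; the wallet address and agent string are placeholders, and the pool-port list is a commonly observed set, not an authoritative one. The fourth flow is a TLS fragment, included to show where payload inspection goes blind and only destination and port controls remain.

```python
"""Spot Stratum mining-pool handshakes in captured TCP payloads.

Added example (not from the article). Stratum is newline-delimited JSON-RPC
over TCP, so the first client messages on a flow are recognisable whenever the
traffic is in the clear. All flows, addresses and strings below are constructed.
"""
import json

# Method names of the original (Bitcoin-style) Stratum v1 protocol.
STRATUM_V1_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}
# Method names of the CryptoNote/Monero-style variant spoken by XMRig-type miners.
CRYPTONOTE_METHODS = {"login", "job", "submit", "keepalived"}
# Pool ports seen often enough to warrant an egress rule (assumption; 443 is used too).
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444}

# Constructed flows: (src, dst, dst_port, raw_payload)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 3333,
     b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'
     b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}\n'),
    ("10.0.0.7", "203.0.113.20", 443,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
     b'"pass":"x","agent":"XMRig/6.16.2"}}\n'),
    # Benign JSON-RPC to an Ethereum node: same framing, different method, no alert.
    ("10.0.0.9", "198.51.100.5", 8545,
     b'{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}\n'),
    # TLS ClientHello fragment: a miner using stratum+ssl looks like this on the wire.
    ("10.0.0.9", "198.51.100.6", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]


def classify_payload(raw):
    """Return (family, method, agent) tuples for each Stratum message in a payload."""
    hits = []
    for line in raw.decode("utf-8", errors="replace").split("\n"):
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # not JSON: binary, TLS, or garbage
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        params = msg.get("params")
        if method in STRATUM_V1_METHODS:
            hits.append(("stratum-v1", method, None))
        elif method in CRYPTONOTE_METHODS and isinstance(params, dict):
            hits.append(("cryptonote-stratum", method, params.get("agent")))
    return hits


def scan_flows(flows):
    """One alert per flow that carries Stratum; port-only matches are flagged separately."""
    alerts = []
    for src, dst, dport, raw in flows:
        hits = classify_payload(raw)
        if hits:
            alerts.append({
                "src": src, "dst": dst, "dport": dport,
                "family": hits[0][0],
                "methods": [h[1] for h in hits],
                "agent": next((h[2] for h in hits if h[2]), None),
                "reason": "payload",
            })
        elif dport in COMMON_POOL_PORTS:
            alerts.append({"src": src, "dst": dst, "dport": dport, "family": None,
                           "methods": [], "agent": None, "reason": "port-only"})
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The TLS flow produces no alert and is not on a listed pool port, which is exactly the gap the firewall rule has to close: pair payload signatures like these with a default-deny egress policy and with alerting on DNS lookups for known pool domains.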
[1] The Illicit Cryptocurrency Mining Threat, Cyber Threat Alliance, 2018