Cryptojacking, a lower cost and more profitable alternative to ransomware, remains an underestimated form of cyber-attack.
In this blog post, we outline why companies need to stay vigilant and what they can do to defend themselves.
What is cryptojacking?
Cryptojacking is a form of cyber-attack in which malware is secretly installed onto unsuspecting hosts in order to harness computer processing power for the purpose of mining cryptocurrency, which is then transferred to an attacker’s digital wallet.
Unlike other forms of cyber-attack, cryptojacking does not seek to cause damage to systems or steal data, but it is far from a victimless crime. Rather than simply being about mining cryptocurrency, it is a mass theft of resources which can disable your antivirus and open up secured ports in order to communicate with its command and control infrastructure. Cryptojacking can also create a powerful diversion for more complex attacks such as data exfiltration, keylogging and even credit card skimming.
Infected systems will experience potentially significant reductions in performance but it will rarely be clear what has caused the issue, and in many cases malicious scripts will persist indefinitely.
How does cryptojacking work?
Criminals utilise a number of methods to install crypto-mining code on users’ computers. The two most common attack vectors are phishing and browser-based script injection.
Phishing tactics
By using traditional phishing tactics to lure unsuspecting victims into clicking malicious links in emails, attackers are able to load cryptojacking malware such as Coinminer and XMRig directly into memory. The malicious code then mines cryptocurrency continuously in the background.
Script injecting
Browser-based or in-browser cryptojacking tools inject scripts into popular websites or advertisements delivered to multiple domains. A well-known threat of this type was Coinhive, the Monero mining service, which was shut down in 2019.
These sites and ads will automatically execute JavaScript code in victims’ browsers, utilising their CPU power for the duration of their visit. The attacks target sites with multiple concurrent users and long average session durations, including image boards and streaming sites, to keep malicious scripts running for as long as possible.
Botnet operators incorporate cryptojacking into their existing arsenals and target both cloud and on-premise servers to extend computing power and maximise revenues. Smartphones are also targeted. In 2018, Apple banned cryptomining apps on iOS to prevent the risks of these types of attacks.
The economics of cryptojacking
As the most popular and valuable cryptocurrency on the market, Bitcoin might seem like the obvious choice for hackers. This, however, is not the case: the vast majority of attacks mine the open-source cryptocurrency Monero. Recent research has found that the volume of illicit cryptocurrency mining detected in the wild rises and falls in line with the value of Monero.
The primary reason for this is CPU-friendliness – while Bitcoin’s mining algorithm requires a specialised ASIC setup and significant computing power, Monero can be mined using any computer or smartphone. Monero also obfuscates its transactions and anonymises wallet addresses, making it even harder to track than other cryptocurrencies.
The attacks themselves are neither difficult nor expensive. Cryptojacking kits are available on the dark web for as little as £20 and do not require significant technical skills to utilise. Using basic means, cybercriminals can launch attacks that go under the radar and create a continuous stream of revenue almost instantly. Just one example of this is the discovery by researchers that the Smominru botnet had infected over half a million machines and generated over £3.5 million in January 2018 alone.
The continued cryptojacking threat
In terms of impact, 2017 and 2018 were acknowledged as two of the most significant years to date for cryptojacking. Since then, it has become a rather underestimated cyber threat, though it certainly hasn’t gone away. Research suggests that cryptocurrency miners were the most common malware family last year, with no less than 74,490 threats detected in the first half of 2021. Security researchers have also found that cryptojacking is currently among the most commonly discussed methods of stealing or mining cryptocurrency on cybercriminal forums.
More recent cryptojacking threats include the Prometei cryptocurrency botnet. While it’s not strictly new, it was recently discovered exploiting the Microsoft Exchange vulnerabilities used in the Hafnium attacks to deploy malware and harvest credentials, then using the infected devices to mine Monero.
Another cryptojacking botnet has been found to be targeting Microsoft Exchange servers in North America via ProxyLogon. Named Lemon Duck, it uses the ProxyLogon group of exploits and has also added the Cobalt Strike attack framework into its malware toolkit and enhanced its anti-detection capabilities.
Whatever form it takes, ease of execution, scalability and anonymity make cryptojacking a particularly appealing attack technique for hackers. As long as cryptocurrencies maintain their value, cryptojacking is likely to continue. With individuals and enterprises alike being targeted, understanding what to look out for and how to tackle it is essential.
Key signs of cryptojacking
Signs that your organisation is being affected by cryptojacking include:
- A noticeable decrease in device performance: devices crashing, running slowly or performing unusually poorly. Also watch out for device batteries draining more quickly than usual.
- Overheating device batteries – a laptop or computer fan running faster than usual can be a sign of cryptojacking.
- An increase in Central Processing Unit (CPU) usage or even devices shutting down because of a lack of available processing power when on a website with little or no media content.
- Unexpected increases in electricity costs.
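The CPU and performance symptoms listed above can be turned into a simple host-side triage check. The Python script below is an added example, not Redscan's tooling and not code from the original post: it takes a few time-ordered process snapshots, flags processes that stay above a CPU threshold across consecutive samples, and raises the severity when the process name or command line carries an explicit miner indicator. The snapshots, the indicator patterns, the threshold, the pool hostname and the wallet placeholder are all constructed assumptions for illustration; in practice the snapshots would come from psutil, osquery or EDR process telemetry.

```python
"""Triage process snapshots for cryptojacking indicators.

Added example, not Redscan's tooling. Snapshots are constructed in-line so
the script runs offline; in practice they would come from psutil, osquery or
EDR process telemetry. Indicator patterns and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Assumed indicators: well-known miner binary names and the pool-connection
# arguments such miners take. Extend these from your own threat intelligence.
MINER_NAMES = re.compile(r"xmrig|coinminer|cpuminer|minerd", re.IGNORECASE)
POOL_ARGS = re.compile(r"stratum\+(tcp|ssl)://|--donate-level", re.IGNORECASE)

CPU_THRESHOLD = 80.0  # percent of one core
MIN_SAMPLES = 3       # consecutive samples at/above threshold to count as sustained


def sustained_cpu(cpu_history):
    """True if the most recent MIN_SAMPLES readings are all >= CPU_THRESHOLD."""
    recent = cpu_history[-MIN_SAMPLES:]
    return len(recent) == MIN_SAMPLES and all(c >= CPU_THRESHOLD for c in recent)


def score_process(name, cmdline, cpu_history):
    """Return (severity, reasons); severity is None when nothing is suspicious.

    An explicit indicator is 'high' even at low CPU, because miners often
    throttle themselves to stay unnoticed; sustained CPU alone is 'medium'
    (a build or transcoding job looks the same and needs a human look).
    """
    indicators = []
    if MINER_NAMES.search(name) or MINER_NAMES.search(cmdline):
        indicators.append("miner-like process name")
    if POOL_ARGS.search(cmdline):
        indicators.append("mining-pool argument on command line")
    hot = sustained_cpu(cpu_history)
    if not indicators and not hot:
        return None, []
    reasons = list(indicators)
    if hot:
        reasons.append(f"CPU >= {CPU_THRESHOLD:.0f}% for {MIN_SAMPLES} consecutive samples")
    return ("high" if indicators else "medium"), reasons


def triage(snapshots):
    """snapshots: time-ordered list of process lists; each process is a dict
    with pid, name, cmdline and cpu (percent). Returns {pid: (severity, reasons)}."""
    history = defaultdict(list)
    latest = {}
    for snapshot in snapshots:
        for proc in snapshot:
            history[proc["pid"]].append(float(proc["cpu"]))
            latest[proc["pid"]] = (proc["name"], proc["cmdline"])
    findings = {}
    for pid, (name, cmdline) in latest.items():
        severity, reasons = score_process(name, cmdline, history[pid])
        if severity:
            findings[pid] = (severity, reasons)
    return findings


def _proc(pid, name, cmdline, cpu):
    return {"pid": pid, "name": name, "cmdline": cmdline, "cpu": cpu}


# Constructed sample: three snapshots a few seconds apart. Process names,
# paths, the pool hostname and the wallet placeholder are all made up.
_CMD = {
    101: ("chrome", "/opt/chrome/chrome --type=renderer"),
    202: ("kworker-helper", "/tmp/.x/kworker-helper -o stratum+tcp://pool.example.net:3333 -u WALLET_PLACEHOLDER"),
    303: ("ffmpeg", "ffmpeg -i input.mp4 output.mkv"),
    404: ("xmrig", "./xmrig --config=config.json --donate-level=1"),
}
_CPU_SERIES = {101: [12.0, 15.0, 10.0], 202: [95.0, 97.0, 96.0],
               303: [99.0, 98.0, 97.0], 404: [4.0, 5.0, 4.0]}
SAMPLE_SNAPSHOTS = [
    [_proc(pid, *_CMD[pid], _CPU_SERIES[pid][i]) for pid in _CMD] for i in range(3)
]

if __name__ == "__main__":
    for pid, (severity, reasons) in sorted(triage(SAMPLE_SNAPSHOTS).items()):
        print(f"pid {pid}: {severity} - {'; '.join(reasons)}")
```

Run as-is it reports the sustained-CPU transcoder as medium and the two processes with miner indicators as high, including the throttled one sitting at 4% CPU, which is exactly the case a pure CPU threshold would miss.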
How can you protect your business from cryptojacking?
Organisations should take some key steps to reduce the potential costs and disruption of cryptojacking:
1. Security awareness training – Employees should be made aware of the dangers of phishing-based attacks and informed about the latest cryptojacking trends as part of training exercises. They should also be encouraged to report slow computers and devices for further investigation.
2. Ad-blockers – Web browsers should have ad-blocking software installed and be regularly patched in order to block known cryptomining scripts.
3. FIM – File integrity monitoring can help organisations to identify deviations from a ‘known good’ baseline, to detect unauthorised file changes that could indicate a cryptojacking attack.
4. Network monitoring – It is essential to build the capability to proactively monitor cloud and on-premise environments to detect malicious activity in its infancy. Implementing technologies like SIEM, vulnerability scanning and behavioural monitoring is critical to this approach, but it also requires round-the-clock attention from certified security experts armed with the intelligence to identify cryptojacking attempts before it’s too late.
5. Endpoint protection – Crypto-mining code can hide from traditional signature-based detection approaches so organisations need advanced endpoint tools like NGAV and EDR to maximise endpoint visibility and gather the information needed to isolate and shut down attacks.
6. MDM – Organisations should implement a mobile device management policy to better control the devices, applications and extensions used by employees, and prevent the spread of mobile-focused cryptomalware.
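The network monitoring step (SIEM and behavioural monitoring) can be illustrated with a detection that runs over connection logs. The Python below is an added example, not Redscan's own code: it assumes a proxy or IDS log source that writes one key=value line per connection and records the first application-layer bytes as payload='...'. It flags Stratum JSON-RPC traffic (mining.* methods, or a login method carrying an XMRig-style agent field) as high severity, and connections to a small set of ports commonly used by mining pools as medium for follow-up. The log lines, port list, hostnames, addresses and wallet placeholder are constructed for the example.

```python
"""Flag Stratum mining-protocol traffic in connection logs.

Added example, not Redscan's code. Assumes a proxy/IDS log source that writes
one key=value line per connection and records the first application-layer
bytes as payload='...'. Ports, hostnames and addresses are constructed.
"""
import json
import re
import shlex
from collections import defaultdict

# Stratum is JSON-RPC; Monero pools use a "login" method whose params carry
# an "agent" string such as "XMRig/6.x". The port set is an assumption of
# ports commonly seen for pools, not an authoritative list.
MINER_AGENTS = re.compile(r"xmrig|cpuminer|minerd", re.IGNORECASE)
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse_line(line):
    """Split a key=value log line; shlex keeps quoted values (the payload) intact."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def classify_payload(payload):
    """Return a reason string if the payload looks like Stratum JSON-RPC, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = str(msg.get("method", ""))
    params = msg.get("params")
    agent = params.get("agent", "") if isinstance(params, dict) else ""
    if method.startswith("mining.") or (method == "login" and agent):
        match = MINER_AGENTS.search(payload)
        suffix = f", agent matches '{match.group(0)}'" if match else ""
        return f"stratum method {method}{suffix}"
    return None


def detect(lines):
    """Return (alerts, destinations_by_source) for a list of log lines."""
    alerts = []
    by_src = defaultdict(set)
    for number, line in enumerate(lines, 1):
        fields = parse_line(line)
        try:
            dport = int(fields.get("dport", 0))
        except ValueError:
            dport = 0
        reasons, severity = [], None
        hit = classify_payload(fields.get("payload", ""))
        if hit:
            reasons.append(hit)
            severity = "high"
        if dport in COMMON_POOL_PORTS:
            reasons.append(f"destination port {dport} is commonly used by mining pools")
            severity = severity or "medium"
        if reasons:
            alerts.append({"line": number, "src": fields.get("src"), "dst": fields.get("dst"),
                           "dport": dport, "severity": severity, "reasons": reasons})
            by_src[fields.get("src")].add(fields.get("dst"))
    return alerts, dict(by_src)


def _log(ts, src, dst, dport, payload):
    # Builds one constructed log line in the assumed key=value format.
    return f"ts={ts} src={src} dst={dst} dport={dport} proto=tcp payload='{payload}'"


SAMPLE_LOG = [  # constructed; addresses are documentation ranges, wallet is a placeholder
    _log("2021-06-01T09:00:01Z", "10.10.4.21", "198.51.100.9", 443, "GET / HTTP/1.1"),
    _log("2021-06-01T09:00:05Z", "10.10.4.37", "203.0.113.45", 3333,
         json.dumps({"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5"]})),
    _log("2021-06-01T09:00:07Z", "10.10.4.37", "203.0.113.46", 14444,
         json.dumps({"id": 1, "method": "login",
                     "params": {"login": "WALLET_PLACEHOLDER", "pass": "x", "agent": "XMRig/6.12.2"}})),
    _log("2021-06-01T09:01:10Z", "10.10.4.50", "198.51.100.20", 4444, "SSH-2.0-OpenSSH_8.4"),
    _log("2021-06-01T09:02:00Z", "10.10.4.21", "198.51.100.9", 443, json.dumps({"id": 7, "method": "status"})),
]

if __name__ == "__main__":
    found, sources = detect(SAMPLE_LOG)
    for alert in found:
        print(f"line {alert['line']} {alert['severity']}: {alert['src']} -> "
              f"{alert['dst']}:{alert['dport']} ({'; '.join(alert['reasons'])})")
    for src, dsts in sources.items():
        print(f"{src} contacted {len(dsts)} suspicious destination(s)")
```

Port-only hits (the SSH-on-4444 line) are deliberately kept at medium: they are worth a look, but a port is weak evidence on its own, whereas a Stratum method in the first bytes of the connection is a direct protocol match and is what a SIEM rule should key on. The per-source grouping is there so that one host talking to several pool endpoints stands out as a single incident rather than several unrelated alerts.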
About Redscan
Redscan is an award-winning provider of managed security services, specialising in threat detection and integrated incident response.
Possessing a deep knowledge of offensive security, Redscan’s experts are among the most qualified in the industry, working as an extension of clients’ in-house resources to expose and address vulnerabilities plus swiftly identify and shut down breaches. Services offered include: CREST Pen Testing, Red Teaming and Managed Detection and Response.