It’s hard to know who tracks the value of cryptocurrencies more closely. Is it the investors who own the virtual coins, or the criminals who hijack computing power to mine them?
For their part, the criminals clearly do follow cryptocurrency values. Symantec, as detailed in its annual Internet Security Threat Report (ISTR), tracked a decline in cryptojacking activity during the course of 2018, a period during which the high values cryptocurrencies reached in late 2017 gradually came down to earth.
But what is cryptojacking? In essence, it’s the process of secretly commandeering the processing power of tens, hundreds or thousands of victims’ computers and using them to collectively perform cryptocurrency mining operations. If those mining efforts successfully solve the mathematical puzzles required to validate cryptocurrency transactions, the criminal miners receive payments in the form of new crypto coins.
Cryptojacking can occur via two distinct forms of attack. In one, attackers use spear phishing or other ploys in an attempt to infect a user’s computer with cryptojacking malware. Once infected, some of the computer’s resources are redirected to perform cryptomining behind the scenes. Users will often have no indication that anything is wrong, other than perhaps unusually sluggish performance.
A second approach – and the one Symantec says was the most common last year – is for attackers to infect websites with cryptojacking malware. When a user visits the site, his or her computer is surreptitiously enlisted in the cryptomining cause. Often, even when the user attempts to close the website, the session remains secretly active in a window that may be hidden behind a taskbar or in some other location.
According to the ISTR, cryptojacking activity peaked in late 2017 and early 2018, a period when cryptocurrency values were at or near record highs. From December 2017 through February 2018, Symantec blocked approximately 8 million cryptojacking events each month.
That number fell – along with the value of cryptocurrencies – to 3.5 million in December 2018. Still, during the course of the full year, Symantec blocked nearly 69 million cryptojacking events, compared to only 16 million such events blocked during all of 2017.
Despite its high profile as the first cryptocurrency, Bitcoin isn’t typically a target of cryptojacking operations. As the Bitcoin community has grown, the mathematical operations required to perform cryptomining have become exceedingly complex. “Bitcoin mining requires far too much processing power and energy,” says Brigid O’Gorman, a senior information developer with Symantec Security Response. “It can’t be mined with regular computers, and generally requires specialized hardware.”
One of the more troubling trends that emerged last year was the adoption by some cryptojacking scripts of the same NSA-originated Eternal Blue code that formed the core of the infamous WannaCry ransomware attacks. WannaMine cryptojacking malware, for example, can use Eternal Blue to spread laterally through the servers on enterprise networks. Infected devices can become unusable due to the heavy diversion of their CPU resources, Symantec reports.
Along with being a cryptojacking exploit, WannaMine (MSH.Bluwimps) is yet another example of a living-off-the-land attack. Its script executes in the ubiquitous PowerShell, making it difficult to identify and eradicate.
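As an added illustration of the symptoms described above (not code from the article or from Symantec), here is a small Python detector run over constructed endpoint telemetry: it flags a browser process that keeps consuming CPU with no visible window, or a PowerShell host pinned at high CPU across consecutive polls, while ignoring short bursts from legitimate work. The telemetry tuple layout, thresholds and process names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample telemetry, one row per 10-second poll (assumed layout):
# (timestamp, host, pid, process image, cpu_pct, window_visible)
SAMPLES = [
    (0, "ws01", 1201, "chrome.exe", 92.0, False),   # tab kept alive behind the taskbar
    (10, "ws01", 1201, "chrome.exe", 95.0, False),
    (20, "ws01", 1201, "chrome.exe", 90.0, False),
    (30, "ws01", 1201, "chrome.exe", 94.0, False),
    (0, "ws01", 1330, "chrome.exe", 40.0, True),    # foreground tab: busy, then idle
    (10, "ws01", 1330, "chrome.exe", 12.0, True),
    (20, "ws01", 1330, "chrome.exe", 5.0, True),
    (30, "ws01", 1330, "chrome.exe", 3.0, True),
    (0, "srv07", 4410, "powershell.exe", 97.0, False),  # WannaMine-style script host
    (10, "srv07", 4410, "powershell.exe", 98.0, False),
    (20, "srv07", 4410, "powershell.exe", 99.0, False),
    (30, "srv07", 4410, "powershell.exe", 97.0, False),
    (0, "srv07", 4412, "powershell.exe", 85.0, False),  # admin job: one spike, then done
    (10, "srv07", 4412, "powershell.exe", 2.0, False),
]

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def flag_miners(samples, cpu_threshold=80.0, min_samples=3):
    """Return {(host, pid, process): mean_cpu} for processes that match the
    article's symptoms: a PowerShell host, or a browser with no visible window,
    pinned at or above cpu_threshold for min_samples consecutive polls."""
    by_proc = defaultdict(list)
    for _ts, host, pid, name, cpu, visible in sorted(samples):
        by_proc[(host, pid, name)].append((cpu, visible))

    hits = {}
    for key, series in by_proc.items():
        name = key[2]
        run = longest = 0
        for cpu, visible in series:
            # Short bursts are normal; only an unbroken high-CPU run counts.
            suspicious = name in SCRIPT_HOSTS or (name in BROWSERS and not visible)
            run = run + 1 if (suspicious and cpu >= cpu_threshold) else 0
            longest = max(longest, run)
        if longest >= min_samples:
            hits[key] = sum(cpu for cpu, _ in series) / len(series)
    return hits

if __name__ == "__main__":
    for (host, pid, name), cpu in flag_miners(SAMPLES).items():
        print(f"{host} pid={pid} {name}: sustained CPU, mean {cpu:.1f}%")
```

Real EDR exports will carry different fields; the point is the combination of sustained CPU with a process type and window state that should not need it.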
In February 2018, during the period of high cryptocurrency values, researchers identified a cryptojacking attack that had successfully leveraged Eternal Blue to infect more than 500,000 machines. Dubbed Smominru, the cryptominer botnet – which had initially launched its attack in May 2017 – reportedly made its owners more than $3.5 million.
Clearly, enterprises need to worry about cryptojacking exploits as much as – or more than – individual computer users. Ironically, one of the best ways to counter such attacks is to simply install security patches as they become available. For example, Microsoft issued a patch designed to block WannaMine in March 2017, yet many organizations have yet to install the patch on their Windows servers.
Cryptojacking activity is likely to continue to fluctuate in rough synchronicity with the value of the cryptocurrencies targeted. As Symantec notes in its ISTR, however, this exploit’s low barrier to entry and anonymity likely mean that “cryptojacking is an area that will continue to have a role in the cyber crime landscape.”