Cryptojacking: It’s Here, Get Used to It

Put your hand on your PC. Does it feel warmer than usual? If it does, that might be your only way of knowing it is mining cryptocurrency for a bad actor on the other side of the globe. Cryptojacking – the unauthorized use of a system to mine cryptocurrency -- has taken off in the past 12 months because it is both simple and, given high cryptocurrency valuations, profitable. According to Rob Westervelt, research director at IDC, cryptomining has generated hundreds of millions of dollars of illicit earnings. Chances are, it will earn far more. 

The first cryptojacking efforts were browser-based Javascript exploits that gained traction rapidly, fueling an 8500 percent increase in cryptojacking last year, according to the most recent Symantec Internet Security Threat Report. The findings are based in part on the ability of Symantec’s own technology to block cryptojacking signatures and identify cryptomining activity through network protection technology. In December 2017, Symantec blocked 9 million attacks, according to Kevin Haley, director, product management for security response at Symantec. 

Most cryptojacking schemes use the Coinhive Javascript and the Monero cryptocurrency, which is designed for consumer-grade microprocessors. Monero does not create a public ledger as does Bitcoin, which makes it virtually untraceable. However, Javascript can be readily blocked by a number of widely available tools. 

In response, cryptojackers have upped their game by perpetrating more sophisticated malware-style attacks in recent months. In June 2018, an attack was discovered codenamed “Operation Prowli,” which relied on a variety of exploits. One was Secure Shell (SSH) brute forcing to initiate cryptocurrency mining. Another was redirecting web traffic for the purpose of monetization fraud. The relentlessness of cryptojackers is reflected in recent figures.   

In January 2018, researchers discovered the Smominru crypto mining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cyber security firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January.

In May 2018, Monero-mining malware called WinstarNssmMiner infected half a million computers in three days. The malware was particularly nasty because it crashed users’ systems if the presence of certain antivirus software was detected. 

In June 2018, Japanese authorities announced the arrests of 16 persons suspected of mining cryptocurrency without users’ permission. All but one had installed Coinhive software on the unsuspecting users’ systems. The remaining suspect installed a homegrown miner similar to Coinhive. Although the most that any of the suspects gained was small (120,000 yen, or $1,100), the fact that the suspects had not asked for permission prompted the authorities to act. 

In February, employees at a nuclear weapons technology research center in Sarov, Russian Federation were arrested for surreptitiously using the center’s computers to mine cryptocurrency. 

But thanks to increasing sophistication and stealthier attacks, arrests are rare. Smart cryptojackers are deploying lightweight mining algorithms that utilize enough resources to mine cryptocurrency, but not so much as to attract the notice of the victim by overheating a PC or slowing performance. “If the miner uses 100% of your system resources, you’ll know something is wrong with your computer,” said Haley. To keep a low profile, IDC’s Westervelt says attackers who utilize botnets for cryptojacking are likely to refrain from other activities that might attract attention, such as data exfiltration and credential theft. 

Because they might earn only a small amount of cryptocurrency from each compromised system, skilled perpetrators must devise methods to access a large number of machines, so that their efforts yield them a profit. 

“The people who are learning lessons and improving what they do are the ones that are remaining. What you’re seeing here is professionalization. If you are not really good at mining, you’re not going to make any money,” Haley said.  

As attacks become more sophisticated, the preventive measures you take should escalate as well. Experts advise administrators to monitor website activity and use a web application firewall, anti-bot software and other security tools such as next-gen firewalls and intrusion prevention systems. 

Also, administrators should monitor servers and endpoint devices for unusual activity – including whether they are running hotter than they should. Any cryptomining software that’s found should be a warning flag for additional malicious activity. Rather than just removing the malicious code, organizations should conduct root-cause analysis to identify how the software was installed and take steps to prevent repeat attacks.   

“I expect this to continue to be an annoyance,” Westervelt predicted but cautioned against making the cure worse than the disease, since ad blocking and anti-crypto-mining browser extensions might themselves degrade end-user performance. “Enterprise IT teams should test them thoroughly and consider any disruption that they might cause to end users when browsing or accessing custom applications,” he said.

If you found this information useful, you may also enjoy:

• Tallying Up the Hidden Costs of Cryptomining Malware
• Coinminer protection and removal with Symantec Endpoint Protection
• Why cryptocurrency mining malware is the new ransomware