Put your hand on your PC. Does it feel warmer than usual? If it does, that might be your only way of knowing it is mining cryptocurrency for a bad actor on the other side of the globe. Cryptojacking – the unauthorized use of a system to mine cryptocurrency – has taken off in the past 12 months because it is both simple and, given high cryptocurrency valuations, profitable. According to Rob Westervelt, research director at IDC, cryptomining has generated hundreds of millions of dollars of illicit earnings. Chances are, it will earn far more.
In response, cryptojackers have upped their game by perpetrating more sophisticated malware-style attacks in recent months. In June 2018, an attack was discovered codenamed “Operation Prowli,” which relied on a variety of exploits. One was Secure Shell (SSH) brute forcing to initiate cryptocurrency mining. Another was redirecting web traffic for the purpose of monetization fraud. The relentlessness of cryptojackers is reflected in recent figures.
In January 2018, researchers discovered the Smominru crypto mining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cyber security firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January.
In May 2018, Monero-mining malware called WinstarNssmMiner infected half a million computers in three days. The malware was particularly nasty because it crashed users’ systems if the presence of certain antivirus software was detected.
In June 2018, Japanese authorities announced the arrests of 16 persons suspected of mining cryptocurrency without users’ permission. All but one had installed Coinhive software on the unsuspecting users’ systems. The remaining suspect installed a homegrown miner similar to Coinhive. Although the most that any of the suspects gained was small (120,000 yen, or $1,100), the fact that the suspects had not asked for permission prompted the authorities to act.
In February, employees at a nuclear weapons technology research center in Sarov, Russian Federation were arrested for surreptitiously using the center’s computers to mine cryptocurrency.
But thanks to increasing sophistication and stealthier attacks, arrests are rare. Smart cryptojackers are deploying lightweight mining algorithms that utilize enough resources to mine cryptocurrency, but not so much as to attract the notice of the victim by overheating a PC or slowing performance. “If the miner uses 100% of your system resources, you’ll know something is wrong with your computer,” said Haley. To keep a low profile, IDC’s Westervelt says attackers who utilize botnets for cryptojacking are likely to refrain from other activities that might attract attention, such as data exfiltration and credential theft.
Because they might earn only a small amount of cryptocurrency from each compromised system, skilled perpetrators must devise methods to access a large number of machines, so that their efforts yield them a profit.
“The people who are learning lessons and improving what they do are the ones that are remaining. What you’re seeing here is professionalization. If you are not really good at mining, you’re not going to make any money,” Haley said.
As attacks become more sophisticated, the preventive measures you take should escalate as well. Experts advise administrators to monitor website activity and use a web application firewall, anti-bot software and other security tools such as next-gen firewalls and intrusion prevention systems.
Also, administrators should monitor servers and endpoint devices for unusual activity – including whether they are running hotter than they should. Any cryptomining software that is found should be treated as a warning flag for additional malicious activity. Rather than just removing the malicious code, organizations should conduct root-cause analysis to identify how the software was installed and take steps to prevent repeat attacks.
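The monitoring advice above, combined with the earlier point that throttled miners deliberately stay well below 100% CPU, suggests a detection heuristic based on steadiness rather than peak load. The following is an added example, not code from the article or from any vendor quoted in it; it assumes per-process CPU samples collected at a fixed interval (here constructed by hand) and flags processes whose usage is both sustained and unusually constant, which is how a throttled miner looks next to bursty interactive workloads.

```python
from statistics import mean, pstdev

# Constructed sample data (assumption): CPU% per process, one sample per
# minute. "updater" mimics a miner throttled to roughly half a core.
SAMPLES = {
    "chrome":  [5, 40, 90, 12, 3, 0, 55, 70, 8, 2, 30, 95],
    "svchost": [1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0],
    "updater": [48, 51, 50, 49, 52, 50, 51, 49, 50, 48, 51, 50],
}

# Stratum-style mining pool indicators; worth checking in proxy/egress logs
# alongside the CPU heuristic. Values here are protocol constants, not IoCs.
STRATUM_MARKERS = ("stratum+tcp://", "stratum+ssl://", '"mining.subscribe"')


def miner_like(samples, min_mean=30.0, max_cv=0.15, min_samples=10):
    """Return True when CPU use is sustained (mean >= min_mean) and nearly
    constant (coefficient of variation <= max_cv) over enough samples.

    A miner that caps itself at, say, 50% to avoid notice produces a flat
    line; browsers, builds and backups produce spiky, irregular traces."""
    if len(samples) < min_samples:
        return False
    avg = mean(samples)
    if avg < min_mean:
        return False
    return pstdev(samples) / avg <= max_cv


def flag_processes(snapshot):
    """Return the sorted names of processes whose CPU trace looks miner-like."""
    return sorted(name for name, trace in snapshot.items() if miner_like(trace))


def flag_log_lines(lines):
    """Return log lines that mention a Stratum pool URL or subscribe call."""
    return [ln for ln in lines if any(m in ln for m in STRATUM_MARKERS)]


if __name__ == "__main__":
    print("steady high-CPU processes:", flag_processes(SAMPLES))
```

Tune `min_mean` and `max_cv` against a baseline of your own fleet; the heuristic is a triage signal for the root-cause analysis described above, not proof of mining on its own.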
“I expect this to continue to be an annoyance,” Westervelt predicted but cautioned against making the cure worse than the disease, since ad blocking and anti-crypto-mining browser extensions might themselves degrade end-user performance. “Enterprise IT teams should test them thoroughly and consider any disruption that they might cause to end users when browsing or accessing custom applications,” he said.