Cryptojacking: The growing malware menace

Don’t let unauthorized cryptocurrency “miners” steal your company’s computer power — or worse!

Cryptomining — the name itself sounds like it is almost like printing money using your computer. And it just might be for individuals, investors, and others with the right mix of savvy, capital, good timing, and a whole lot of luck.

But cryptojacking — cryptomining via malware and other attack vectors — is a fast-growing threat not just to owners of individual computers and mobile devices, but also to organizations of all types and sizes, putting the security, availability, reliability, and operational costs of their computers and networks at risk.

That makes cryptojacking another threat category to add to your IT security team’s Fight-Us list, alongside a laundry list of threats, including viruses and malware, distributed denial of service (DDoS) attacks, phishing, spyware, hackers, rootkits and ransomware.

Cryptocurrency might be a relatively new form of digital currency, where the uniqueness of each “coin” and the transactions involving it rely on cryptography, but it has already gained a foothold. Bitcoin, the first cryptocurrency, is barely a decade old yet it holds 36 percent of the cryptocurrency market share, ahead of challengers such as Ethereum, Digital Note, LiteCoin, and Monero, according to the news site CNBC.

Cryptomining refers to the computer-based tasks essential to the operation of a cryptocurrency’s ecosystem, in particular the blockchain, the distributed digital ledger of transactions.

“Blockchain is predicated on cryptographic processes that verify each transaction to validate the authenticity of each block of the transaction,” explains Rich Skinner, senior principal in the cybersecurity practice at West Monroe Partners in Chicago. “Cryptomining solves the next block to support transaction authenticity.”

It is important to note that cryptominers are not directly creating or finding the cybermoney. Essentially their computer power is racing against all other cryptominers, large and small, to complete a minimum required amount of activity and be the first to submit a qualifying solution to the arithmetic “puzzle.” The first to solve the puzzle, which can then be confirmed by others, earns the virtual coin.
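The “puzzle” described above is a proof-of-work search: hash the candidate block together with a counter (the nonce) until the result falls below a target that the network sets, which takes a miner roughly 2^difficulty attempts but costs anyone else a single hash to check. The following Python script is an added illustration, not code from the article or from any cryptocurrency project; the header bytes and the difficulty values are constructed for the example, and real networks use their own header layouts, hash constructions and far larger targets.

```python
import hashlib


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest, read as a big-endian integer, is below 2**(256 - difficulty_bits).

    Raising difficulty_bits by one halves the fraction of hashes that qualify, so the
    expected number of attempts doubles. Constructed toy target, not a real network's."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(block_header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force a nonce so that SHA-256(header || nonce) meets the target.

    This loop is the work that burns CPU: there is no shortcut, only trying nonces.
    Returns (nonce, digest_hex, attempts), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(block_header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however many the miner spent finding it."""
    digest = hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()
    return meets_target(digest, difficulty_bits)


if __name__ == "__main__":
    # Constructed sample header; a real header carries the previous block hash, a
    # transaction root, a timestamp and the target encoding.
    header = b"constructed-example-block-header:prev=00..00;txroot=ab..cd"
    for bits in (8, 12, 16):
        nonce, digest_hex, attempts = mine(header, bits)
        print(f"difficulty {bits:2d} bits: nonce={nonce:6d} attempts={attempts:6d} "
              f"hash={digest_hex[:16]}...")
        assert verify(header, nonce, bits)
```

Running it shows attempts climbing roughly sixteen-fold for every four extra difficulty bits, which is why a single phone or laptop is hopeless against dedicated hardware, and why stolen CPU time across many machines is attractive to an attacker: the cost of the search is what is being stolen.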

The cryptomining programs from the various cryptocurrency offerings can be run on any computer, mobile device, and on most other devices that have Internet connectivity, even a small, embedded computer chip. Individuals with a few spare CPU cycles on their PC or mobile device can easily, and legitimately, hop on the cryptomining bandwagon by downloading one of the cryptomining applications, with the caveat that mining coins with a single cell phone or consumer-class computer is like trying to win a Formula 1 road race wearing one roller skate and being towed by a turtle.

The next step up: buy or build a system that is optimized for cryptomining using either multiple graphics cards (GPUs) or cryptomining-optimized, application-specific integrated circuits (ASICs). Typically these systems cost from $3,000 to $15,000.

There are, of course, third-party services as well. One could simply rent cycles from one of the Cryptomining-as-a-Service cloud offerings or join a “mining pool,” combining your computing resources with other users’ resources. For those with a lot of money, expertise, electric power, and optimized hardware, the largest option is to build a “crypto-farm” — essentially a massive data center with potentially thousands of servers and all of the associated challenges and security issues that come with running a data center. It is useful to note that the mining hardware need not actually be servers — there are published reports of cryptomining farms built using smart phones.

Needless to say, the potentially illegal approach is to steal computer cycles. One nefarious approach is to get direct access to existing computer power on other people’s machines by offering web services, such as games, streaming content, and other services, which run cryptomining web apps on those devices while the application’s tab is open in the user’s browser. One could argue that this is being done with the user’s knowledge and permission, although that does not always turn out to be the case; sometimes the “We’ll mine while you browse” advisory is less than obvious.

One criminal approach is simply to invade insufficiently-protected web browsers, servers, and other devices and steal IT resources to surreptitiously cryptomine.

In it for the money or more

From a practicality viewpoint, if you are doing computer crime for the money rather than non-monetary motives such as ego gratification, proof-of-concept, revenge, political activism, or cyberterrorism, cryptojacking makes a lot of sense.

First, cryptojacking potentially yields cryptocurrency without the attacker going through risky intermediary steps such as ransom, blackmail, or offering stolen data for sale. Also, the IT resources being stolen might not yet be on the security team’s radar. Finally, any cryptocurrency “loot” a surreptitious, illegal cryptomine generates is as spendable as legitimately mined currency.

One challenge companies face is that the criminal element for mining often has different goals from those who send out malware or conduct other types of cyberattacks.

The problems associated with cryptojacking are widespread, according to law enforcement. “We have started seeing cryptojacking cases become more and more prevalent in our district as cyber criminals find new and more discreet ways of stealing computer power and data, from organizations and individuals,” reports Erin Nealy Cox, U.S. Attorney for the Northern District of Texas.

Not surprisingly, the types and number of cryptojacking attacks have been growing rapidly over the past several years and the number and sophistication of attacks will only get worse, experts warn.

“In itself, cryptocurrency mining is not malicious: the CPU is used to compute mathematical operations,” says Xavier Mertens, a cybersecurity consultant based in Chastre-Villeroux-Blanmont, Wallonia, Belgium, and a SANS Internet Storm Center Senior Handler. “There is no leak of data, no malicious activity like DDoS, or ransom of data.”

But that is neither an excuse nor a justification; it is, however, an indicator of strategic savvy of a potential attacker.

The goal of cryptojacking is not unlike a traditional advanced persistent threat in that the attacker wants to make it so you do not notice any unusual activity. They do not want to “melt your systems down or use too much, [but rather] keep it at a level where it is effective but not noticeable,” says Roy E. Hadley, Jr., an attorney at Adams and Reese LLP in New Orleans. “You’re seeing some viruses that can control the CPU usage...if they can keep it at a place where you don’t notice it, but it’s effective to them, it can go on for years.”

But not all cryptojacking is subtle or without negative impact.

“You can find 10-90 percent degradation of computing capacity,” notes Hadley.

The experts agree that on mobile devices, cryptojacking can run the battery down in two to three hours and potentially raise the device’s temperature higher than the recommended maximum by more than 40 degrees Fahrenheit — enough to damage the hardware permanently.

“Using more CPU cycles can have nasty side effects,” agrees Mertens, such as “a risk of system overload which can be critical in real-time operations. And for cloud-hosted infrastructures, [there is] the risk of higher bills if CPU cycles are counted in the monthly bill.”

Skinner agrees. For cryptojacking attacks sophisticated enough to evade direct detection, “The net impact to the organization is hidden costs they were not expecting and that can hardly be traced back to the original intrusion,” he says. “Consider this — every CPU cycle requires power consumption that generates heat. An organization impacted by cryptojacking will draw more electricity, increasing heat requiring higher air conditioning usage, also increasing utility costs.”

Cryptojackers typically use the same methods and toolkits as other viruses, malware and other attacks in order to gain access to a corporate network: phishing and other spam email, web malware, malicious URLs, digital advertising networks, and the like. Some attacks are more direct, such as installing a rogue device above an acoustic ceiling tile, or perhaps putting a rogue server under a data center’s raised floor; both approaches have been in the news recently after data center security teams identified insider attacks and tracked down the devices hidden inside the offices of the victimized companies.

“In the beginning cryptominers were delivered like a normal malware,” says Mertens. “They were delivered as a Windows, Linux, [or other] binary that was executed once delivered to the target. Now we saw an increase of cryptomining attacks delivered as JavaScript code and running in the browser. The victim has just to visit a malicious page. I also found recently that some library files, such as an old version of jQuery, were modified and a cryptominer added.”

Tom Henderson, principal researcher at ExtremeLabs, Inc., a systems research and analysis organization in Bloomington, Ind., says that unsecured Docker container images also can get infected by cryptojacking attacks.

Andre McGregor is a member of the board of directors for the National Cybersecurity Center (NCC), a former supervisory special agent at the FBI and now a partner and global head of security at TLDR Capital, a global investment and advisory firm that specializes in blockchain tokenization projects and their interface with public markets. “In my history in the FBI’s cybercrime squads, you tend to have four types of adversaries: people — individuals and groups just trying to find targets of opportunity; criminal organizations — all very organized; nation-state actors; and, although less likely here, cyberterrorists.”

While illegal cryptomining itself might not directly interfere with or damage corporate IT systems, data, operations, or utility bills — the amount of impact can be difficult to determine, experts agree — that does not reduce the security concerns.

Servers make ideal targets, McGregor points out. “Malware wants whatever it infects to maintain persistence, something that will stay on all the time, doesn’t need to get restarted, because the malware may not start back up. Servers are the most ideal as persistent targets because they don’t get restarted often.”

McGregor says that while he was working for the FBI, he saw other questionable uses for this type of software. “People will weaponize other malware, put in other capabilities, [and] might say ‘oh it’s just mining for Monero’ and not worry about what more it may have done.”

But, he adds, “The next iteration of cryptojacking may include tools that could allow for remote access, the capability to do keylogging...the mere fact that there’s a script that can execute and be given privilege to run means it can also do other things.”

Henderson agrees. “The same malware app that downloaded a cryptomining app — often to be unwittingly installed as a browser app/plug-in — can be used as an infection vector/file-loader for other misuses,” he says.

Fighting cryptojacking attacks

There is a lot that organizations can do to combat cryptojacking, much of which, says McGregor, “is part of or easily added to your organization’s current IT security policies, procedures, and tools.”

Skinner concurs, noting that “At the end of the day, the basics of information security and basic hygiene of your IT systems are first and foremost the key to having a solid information security strategy and plan.”

Implementing cryptojacking-oriented procedures and tools should be part of every data security set of policies and procedures. These include:

•  Secure web browsers, including any plug-ins or extensions. Make sure systems are blocking cryptojacking adware and malware, and check/test browsers (and their plug-ins/extensions) specifically for cryptomining malware. Some browser vendors have tools that can assist in testing for cryptojacking malware.

•  Consider application and URL whitelisting and blacklisting. Make sure the “block” list includes known/suspected cryptojacking and other cryptocurrency entries.

•  Block cryptojacking “phoning home,” since the mining results have to be sent back to a mining pool or the attacker’s command-and-control (C&C) server. Artificial intelligence-based monitoring might help, since the messages are typically short and do not look like typical malware activity. Deep-packet inspection might be required since the messages could be encrypted.

•  Monitor servers and power distribution units (PDUs), not just CPU activity. Power use, temperature, fan speed, memory use, and drive space usage could indicate cryptojacking in progress.

“The management consoles for most enterprise servers let you configure and monitor alerts, since if any of those factors goes, you lose the server,” says McGregor. In terms of cryptojacking, “Any sudden jumps may indicate an attack has ‘succeeded.’ And anything going to 100% is definitely suspect.”

As with all computer security activity, educate your employees about cryptojacking. “The typical user won’t notice anything until it becomes slow or sluggish,” says McGregor. The National Cybersecurity Center (NCC) is working to improve user awareness about exceedingly long CPU times, what processes are running that are causing these CPU spikes, and high-load CPU processes pointing to a web browser with a malicious tab.
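The server-monitoring item above, McGregor’s rule of thumb about sudden jumps and anything sitting at 100 percent, and the NCC’s point about high-load processes that trace back to a browser tab can all be expressed as simple checks over the telemetry most management consoles already export. The Python below is an added example, not code from the article, the NCC, or any vendor console; it assumes host samples as dicts of CPU percentage, power draw and temperature, and a process snapshot with parent PIDs, and every sample value in it is constructed.

```python
from statistics import median

# Browser process names on common platforms; a hypothetical list for the example,
# to be replaced with the image names actually deployed in your fleet.
BROWSERS = {"chrome", "chrome.exe", "firefox", "firefox.exe", "msedge.exe", "safari"}


def flag_host_anomalies(samples, baseline_n=5, jump_pct=40.0, saturation_pct=95.0,
                        sustain=3, power_factor=1.5, max_temp_c=80.0):
    """Flag sudden CPU jumps, sustained saturation, a step change in power draw and
    over-temperature. samples: time-ordered dicts {t, cpu_pct, power_w, temp_c}.
    The first baseline_n samples establish the host's normal level.
    Returns a list of (t, reason) tuples; each condition alerts once per episode."""
    base_cpu = median(s["cpu_pct"] for s in samples[:baseline_n])
    base_power = median(s["power_w"] for s in samples[:baseline_n])
    alerts = []
    prev_cpu, hot_run, power_high, temp_high = base_cpu, 0, False, False
    for s in samples[baseline_n:]:
        # "Any sudden jumps may indicate an attack has succeeded."
        if s["cpu_pct"] - prev_cpu >= jump_pct:
            alerts.append((s["t"], f"cpu-jump: {prev_cpu:.0f}% -> {s['cpu_pct']:.0f}%"))
        prev_cpu = s["cpu_pct"]
        # "Anything going to 100% is definitely suspect": require it to persist, so a
        # single busy sample (a backup, a compile) does not page anyone.
        hot_run = hot_run + 1 if s["cpu_pct"] >= saturation_pct else 0
        if hot_run == sustain:
            alerts.append((s["t"], f"cpu-sustained: >= {saturation_pct:.0f}% for {sustain} samples"))
        # Power draw from the PDU is independent of the host's own counters, which a
        # miner that throttles itself to stay inconspicuous cannot hide from.
        over_power = s["power_w"] >= power_factor * base_power
        if over_power and not power_high:
            alerts.append((s["t"], f"power: {s['power_w']:.0f} W vs baseline {base_power:.0f} W"))
        power_high = over_power
        over_temp = s["temp_c"] >= max_temp_c
        if over_temp and not temp_high:
            alerts.append((s["t"], f"temp: {s['temp_c']:.0f} C exceeds {max_temp_c:.0f} C"))
        temp_high = over_temp
    return alerts


def flag_browser_cpu(processes, cpu_threshold=50.0):
    """Return high-CPU processes, each tagged with the browser it runs under (if any),
    by walking the parent chain. A renderer burning a core under a browser is the
    "malicious tab" case; a high-CPU process with no browser ancestor still merits a look."""
    by_pid = {p["pid"]: p for p in processes}

    def browser_ancestor(p):
        seen = set()
        while p is not None and p["pid"] not in seen:
            seen.add(p["pid"])
            if p["name"].lower() in BROWSERS:
                return p["name"]
            p = by_pid.get(p["ppid"])
        return None

    return [
        {"pid": p["pid"], "name": p["name"], "cpu_pct": p["cpu_pct"], "browser": browser_ancestor(p)}
        for p in processes
        if p["cpu_pct"] >= cpu_threshold
    ]


# Constructed telemetry: five quiet samples, then a host that goes hot and stays there.
HOST_SAMPLES = [
    {"t": t, "cpu_pct": c, "power_w": w, "temp_c": d}
    for t, c, w, d in zip(
        range(10),
        [12, 15, 14, 13, 12, 14, 97, 98, 99, 99],
        [60, 62, 61, 60, 63, 61, 118, 121, 120, 122],
        [45, 46, 46, 45, 46, 46, 70, 78, 84, 86],
    )
]

# Constructed process snapshot: one browser renderer pinned at 96% and one busy kernel thread.
PROCESS_SNAPSHOT = [
    {"pid": 1, "ppid": 0, "name": "systemd", "cpu_pct": 0.0},
    {"pid": 400, "ppid": 1, "name": "chrome", "cpu_pct": 2.0},
    {"pid": 412, "ppid": 400, "name": "chrome", "cpu_pct": 96.0},
    {"pid": 520, "ppid": 1, "name": "postgres", "cpu_pct": 35.0},
    {"pid": 610, "ppid": 1, "name": "kworker", "cpu_pct": 88.0},
]

if __name__ == "__main__":
    for t, reason in flag_host_anomalies(HOST_SAMPLES):
        print(f"t={t}: {reason}")
    for hit in flag_browser_cpu(PROCESS_SNAPSHOT):
        print(f"pid {hit['pid']} {hit['name']} at {hit['cpu_pct']:.0f}% browser={hit['browser']}")
```

On the constructed data the host check raises four alerts (a CPU jump and a power step at t=6, then sustained saturation and over-temperature at t=8), and the process check returns the browser renderer with `browser="chrome"` and the kernel thread with `browser=None`. The thresholds are deliberately plain; the value is in correlating two independent sources, CPU counters the host reports and power and temperature the PDU and sensors report, so that a miner tuned to stay under the CPU alarm still shows up on the electricity bill.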

Educating all users is essential; even those who might not work directly with company computers are likely to have a company-owned or personal mobile device, McGregor urges. Cryptojacking education should not be limited to a separate 15- to 20-minute presentation, he notes. “It tends to be part of an IT security awareness presentation that’s typically half a day, covering all cyberthreats — including cryptojacking.”

Preparing for the inevitable

“Organizations should start planning for potential cryptojacking incidents now and walking through different threat vectors and scenarios across the organization,” urges Skinner. “We highly recommend conducting tabletop exercises, and having a formalized incident response and incident recovery plans available to be leveraged across the enterprise.”

He also suggests that CISOs be ready to reach out to various law enforcement agencies if and when a breach occurs. “We also highly recommend you know your law enforcement community and have relationships or points of contact if you need them. This should be proactive and part of your overall strategy and should include the U.S. Secret Service, FBI, and state [and] local law enforcement. External legal counsel and [public relations and] media firms should be identified as part of these tabletop exercises as well.”

In particular, Skinner says, “The SEC requires publicly-traded companies to report any cyberattack or event. This includes cryptomining, not just demands for money, or theft of customer data. On the other hand, for hospitals, HIPAA (Health Insurance Portability and Accountability Act) applies when patient data has been compromised, and cryptojacking does not necessarily mean that data has been exfiltrated — you need a forensic and legal team to look for that and to make a determination if the data was compromised, whether or not it was exfiltrated.”

Discovering cryptojacking must be considered as a security incident, and handled as one, adds consultant Mertens. “Nobody really knows the scope and scale of cryptojacking. Big companies that have sophisticated systems will try to block and mitigate. Smaller companies will always be at greater risk, because they don’t have the systems or people to detect the problem. If a cryptojacker can keep their illegal cryptomining activity to where it isn’t impacting day-to-day operations, many companies won’t notice it’s occurring.”

An essential part of finding and stopping any cyberbreach is how the company and all of its employees internalize security. “Have a culture of security,” says attorney Hadley. “Don’t just be looking for specific things. Be like a doctor looking at a patient’s big picture and monitor your systems for unusual activities at the processor level; watch for unusual data inflow and outflow.”

And on the off chance that you are not already doing full on-and-off-site backups of data along with system images, the experts agree, start doing that.
