Nov 30 2017

How Cryptojacking Could Harm Your IT Environment

Malicious online actors can infect your organization’s computers with malware, turning them into cryptomining machines hunting for bitcoin and wasting energy in the process.

The price of bitcoin, the most popular cryptocurrency, keeps zooming higher, having surged more than 1,000 percent since the start of the year, and briefly topping $11,000 on Nov. 29.

The bull market around bitcoin means that the digital currency is in high demand, pushing many who are bitcoin investors or traders to “mine” for the currency. However, a new phenomenon has been springing up in the past few weeks that indicates a dark side to the digital currency boom, known as “cryptojacking.”

If a user visits an infected website, malicious actors will instantly start running a piece of JavaScript code that will surreptitiously turn the user’s web browser into a cryptocurrency mining machine, without the user even knowing it. Doing this not only infects the user’s computer with malware, but also can lead to groups of computers being turned into botnets to mine cryptocurrency. And, to top it all off, these cryptojacking attacks drain a computer’s CPU resources and waste energy.

While there is no single way to prevent such attacks, organizations can take steps to defend themselves, according to cybersecurity firm Trend Micro. Those include regularly updating devices with the latest software patches; changing or strengthening the device’s default credentials; using intrusion detection and prevention systems; and being cautious about clicking on suspicious links or attachments.

SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!

How Does Cryptomining Work?

As Kevin Huang, a threat analyst at Trend Micro, notes in a company blog post, cryptocurrency is an encrypted data string that denotes a unit of currency, and there are more than 700 of them, though only some are easily traded. Bitcoin is the most popular of them all.

There are many positives to cryptocurrencies, Huang notes, including that “anyone can send them anytime, anywhere, without delays or additional/hidden charges from intermediaries.” Further, he adds, “given their nature, they are more secure from fraud and identity theft as cryptocurrencies cannot be counterfeited, and personal information is behind a cryptographic wall.”

However, Huang says, “the same apparent profitability, convenience and pseudonymity of cryptocurrencies also made them ideal for cybercriminals, as ransomware operators showed. The increasing popularity of cryptocurrencies coincide with the incidences of malware that infect systems and devices, turning them into armies of cryptocurrency-mining machines.”

Cryptocurrency mining, or cryptomining, consumes a lot of IT resources from dedicated processors, graphics cards and other hardware, according to Huang. And while mining does generate money, the profit is relatively small compared to a miner’s investment in the hardware, not to mention the electricity costs to power the operation, Huang says.

The process can be difficult and time-consuming. “Cryptocurrencies are mined in blocks; in bitcoin, for instance, each time a certain number of hashes are solved, the number of bitcoins that can be awarded to the miner per block is halved,” Huang says. “Since the bitcoin network is designed to generate the cryptocurrency every 10 minutes, the difficulty of solving another hash is adjusted. And as mining power increases, the resource requirement for mining a new block piles up.”

However, malware helps malicious miners get around these challenges, Huang notes. Indeed, they can turn groups of infected computers into botnets that make mining easier. Malicious actors have been using malware to do so as far back as 2011, according to Trend Micro.

“This year’s notable cryptocurrency-mining malware so far are Adylkuzz, CPUMiner/EternalMiner, and Linux.MulDrop.14. All exploit vulnerabilities,” Huang wrote in July. “Adylkuzz leverages EternalBlue, the same security flaw that WannaCry ransomware used to destructive effect, while CPUMiner/EternalMiner used SambaCry, a vulnerability in interoperability software suite Samba. Linux.MulDrop.14, a Linux Trojan, targets Raspberry Pi devices. These threats infected devices and machines and turned them into Monero-mining botnets.”

What Is Different with Cryptojacking?

Indeed, as Wired reported in October, while malicious miners aren’t new in themselves, cryptojacking “has exploded in popularity over the past few weeks, because it offers a clever twist.”

Instead of having to inject a piece of malware onto a system through a user clicking on a link or attachment, cryptojacking “uses Javascript to start working instantly when you load a compromised web page. There's no immediate way to tell that the page has a hidden mining component, and you may not even notice any impact on performance, but someone has hijacked your devices — and electric bill — for digital profit.”

Earlier this month, an independent security researcher named Willem de Groot, documented almost 2,500 e-commerce sites “that are actively running cryptocurrency mining code in the browsers of unsuspecting visitors, a finding that suggests the unethical and possibly illegal practice has only picked up steam since it came to light a few weeks ago,” Ars Technica reports.

The websites are running out-of-date software with known security vulnerabilities, according to de Groot, which attackers exploit to gain control. Then, he told Ars Technica, they use code that “surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero. About 80 percent of those sites, he added, also contain other types of malware that can steal visitors' payment card details.”

Another downside of cryptojacking is that it forces victims to waste energy powering cryptomining operations. For example, according to Motherboard, each bitcoin transfer represents “enough energy to run a comfortable house, and everything in it, for nearly a week,” meaning that cryptojacking victims could be running up huge electricity bills for their organizations.

Wired reports that these types of attacks “have been discovered in compromised sites’ source code by users — including security researcher Troy Mursch — who notice their processor load spiking dramatically after navigating to cryptojacked pages.”

According to a blog post earlier this month from Mursch, cryptojacking malware known as Coinhive has been found at least 30,000 websites.

How to Protect Yourself from Cryptojacking

Wired notes that users and network administrators can “add sites you’re worried about, or ones that you know practice in-browser mining, to your browser’s ad blocking tool.” Google’s Chrome browser also supports an extension called No Coin, created by developer Rafael Keramidas, which blocks cryptojacking from Coinhive and is adding protection against other miners as well.

Huang, of Trend Micro, says that organizations should regularly patch devices, which “helps prevent attackers from using vulnerabilities as doorways into the systems.” He also suggested that they change default login credentials to make devices less susceptible to unauthorized access, enable firewalls on home routers and use intrusion detection and prevention systems to mitigate incursion attempts.

Critically, as always, users should take caution “against known attack vectors: socially engineered links, attachments or files from suspicious websites, dubious third-party software/applications and unsolicited emails.”

IT and system administrators and information security professionals can also “consider application whitelisting or similar security mechanisms that prevent suspicious executables from running or installing,” Huang says.

bodnarchuk/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT