Published on July 19th, 2019

Cryptojacking: The growing malware menace



Don’t let unauthorized cryptocurrency “miners” steal your company’s computer power — or worse!

Cryptomining: the name itself makes it sound almost like printing money with your computer. And it just might be, for individuals, investors, and others with the right mix of savvy, capital, good timing, and a whole lot of luck.

But cryptojacking — cryptomining via malware and other
attack vectors — is a fast-growing threat not just to owners of individual
computers and mobile devices, but also to organizations of all types and sizes,
putting the security, availability, reliability, and operational costs of their
computers and networks at risk.

That makes cryptojacking another threat category to add to
your IT security team’s Fight-Us list, alongside a laundry list of threats,
including viruses and malware, distributed denial of service (DDoS) attacks, phishing,
spyware, hackers, rootkits and ransomware.

Cryptocurrency might be a relatively new form of digital currency, where the uniqueness of each “coin” and the transactions involving it rely on cryptography, but it has already gained a foothold. Bitcoin, the first cryptocurrency, is barely a decade old, yet it holds 36 percent of the cryptocurrency market share among challengers such as Ethereum, DigitalNote, Litecoin, and Monero, according to the news site CNBC.

Cryptomining refers to the computer-based tasks essential to the operation of a cryptocurrency’s ecosystem, in particular the blockchain, a distributed digital ledger of transactions.

“Blockchain is predicated on cryptographic processes that
verify each transaction to validate the authenticity of each block of the
transaction,” explains Rich Skinner, senior principal in the cybersecurity
practice at West Monroe Partners in Chicago. “Cryptomining solves the next
block to support transaction authenticity.”

It is important to note that cryptominers are not directly
creating or finding the cybermoney. Essentially their computer power is racing
against all other cryptominers, large and small, to complete a minimum required
amount of activity and be the first to submit a qualifying solution to the
arithmetic “puzzle.” The first to solve the puzzle, which can then be confirmed
by others, earns the virtual coin.

The cryptomining programs from the various cryptocurrency
offerings can be run on any computer, mobile device, and on most other devices
that have Internet connectivity, even a small, embedded computer chip.
Individuals with a few spare CPU cycles on their PC or mobile device can
easily, and legitimately, hop on the cryptomining bandwagon by downloading one
of the cryptomining applications, with the caveat that mining coins with a
single cell phone or consumer-class computer is like trying to win a Formula 1
road race wearing one roller skate and being towed by a turtle.


The next step up: buy or build a system that is optimized for cryptomining using either multiple graphics cards (GPUs) or cryptomining-optimized, application-specific integrated circuits (ASICs). Typically these systems cost from $3,000 to $15,000.

There are, of course, third-party services as well. One could simply rent cycles from one of the Cryptomining-as-a-Service cloud offerings or join a “mining pool,” combining your computing resources with other users’ resources. For those with a lot of money, expertise, electric power, and optimized hardware, the largest option is to build a “crypto-farm” — essentially a massive data center with potentially thousands of servers and all of the associated challenges and security issues that come with running a data center. It is useful to note that the mining hardware need not actually be servers — there are published reports of cryptomining farms built using smart phones.

Needless to say, the potentially illegal approach is to
steal computer cycles. One nefarious approach is to get direct access to
existing computer power on other people’s machines by offering web services,
such as games, streaming content, and other services, which run cryptomining
web apps on those devices while the application’s tab is open in the user’s
browser. One could argue that this is being done with the user’s knowledge and permission,
although that does not always turn out to be the case; sometimes the “We’ll
mine while you browse” advisory is less than obvious.

One criminal approach is simply to invade insufficiently protected web browsers, servers, and other devices and steal IT resources to cryptomine surreptitiously.

In it for the money or more

From a
practicality viewpoint, if you are doing computer crime for the money rather
than non-monetary motives such as ego gratification, proof-of-concept, revenge,
political activism, or cyberterrorism, cryptojacking makes a lot of sense.

First, cryptojacking potentially results in obtaining cryptocurrency without the attacker going through risky intermediary steps such as ransom, blackmail, or offering stolen data for sale. Also, the IT resources being stolen might not yet be on the security team’s radar. Finally, any cryptocurrency “loot” a surreptitious, illegal cryptomine generates is itself legitimate.

One
challenge companies face is that the criminal element for mining often has
different goals from those who send out malware or conduct other types of
cyberattacks.

The problems associated with cryptojacking are widespread, according to law enforcement. “We have started seeing cryptojacking cases become more and more prevalent in our district as cyber criminals find new and more discreet ways of stealing computer power and data, from organizations and individuals,” reports Erin Nealy Cox, U.S. Attorney for the Northern District of Texas.

Not
surprisingly, the types and number of cryptojacking attacks have been growing
rapidly over the past several years and the number and sophistication of
attacks will only get worse, experts warn.

“In itself, cryptocurrency mining is not malicious: the CPU is used to compute mathematical operations,” says Xavier Mertens, a cybersecurity consultant based in Chastre-Villeroux-Blanmont, Wallonia, Belgium, and a SANS Internet Storm Center Senior Handler. “There is no leak of data, no malicious activity like DDoS, or ransom of data.”

But that is neither an excuse nor a justification; it is, however, an indicator of a potential attacker’s strategic savvy.

The goal of cryptojacking is not unlike a traditional
advanced persistent threat in that the attacker wants to make it so you do not
notice any unusual activity. They do not want to “melt your systems down or use
too much, [but rather] keep it at a level where it is effective but not
noticeable,” says Roy E. Hadley, Jr., an attorney at Adams and Reese LLP in New
Orleans. “You’re seeing some viruses that can control the CPU usage…if they
can keep it at a place where you don’t notice it, but it’s effective to them,
it can go on for years.”

But not all cryptojacking is subtle or without negative
impact.

“You can find 10-90 percent degradation of computing
capacity,” notes Hadley.

The experts agree that on mobile devices, cryptojacking can
run the battery down in two to three hours and potentially raise the device’s
temperature higher than the recommended maximum by more than 40 degrees
Fahrenheit — enough to damage the hardware permanently.

“Using more CPU cycles can have nasty side effects,” agrees
Mertens, such as “a risk of system overload which can be critical in real-time
operations. And for cloud-hosted infrastructures, [there is] the risk of higher
bills if CPU cycles are counted in the monthly bill.”

Skinner agrees. For cryptojacking attacks sophisticated
enough to evade direct detection, “The net impact to the organization is hidden
costs they were not expecting and that can hardly be traced back to the
original intrusion,” he says. “Consider this — every CPU cycle requires power
consumption that generates heat. An organization impacted by cryptojacking will
draw more electricity, increasing heat requiring higher air conditioning usage,
also increasing utility costs.”

Cryptojackers typically use the same methods and toolkits as other malware and attacks in order to gain access to a corporate network: phishing and other spam email, web malware, malicious URLs, digital advertising networks, and the like. Some attacks are more direct, such as installing a rogue device above an acoustic ceiling tile, or perhaps putting a rogue server under a data center’s raised floor; both approaches have been in the news recently after data center security teams identified insider attacks and tracked down the devices hidden inside the offices of the victimized companies.

“In the beginning cryptominers were delivered like normal malware,” says Mertens. “They were delivered as a Windows, Linux, [or other] binary that was executed once delivered to the target. Now we see an increase in cryptomining attacks delivered as JavaScript code and running in the browser. The victim just has to visit a malicious page. I also found recently that some library files, such as an old version of jQuery, were modified and a cryptominer added.”

Tom Henderson, principal researcher at ExtremeLabs, Inc., a systems research and analysis organization in Bloomington, Ind., says that unsecured Docker container images can also be infected by cryptojacking attacks.


Andre McGregor is a member of the board of directors for the National Cybersecurity Center (NCC), a former supervisory special agent at the FBI and now a partner and global head of security at TLDR Capital, a global investment and advisory firm that specializes in blockchain tokenization projects and their interface with public markets. “In my history in the FBI’s cybercrime squads, you tend to have four types of adversaries: people — individuals and groups just trying to find targets of opportunity; criminal organizations — all very organized; nation-state actors; and, although less likely here, cyberterrorists.”

While illegal cryptomining itself might not directly
interfere with or damage corporate IT systems, data, operations, or utility
bills — the amount of impact can be difficult to determine, experts agree —
that does not reduce the security concerns.

Servers make ideal targets, McGregor points out. “Malware
wants whatever it infects to maintain persistence, something that will stay on
all the time, doesn’t need to get restarted, because the malware may not start
back up. Servers are the most ideal as persistent targets because they don’t
get restarted often.”

McGregor says that while he was working for the FBI, he saw
other questionable uses for this type of software. “People will weaponize other
malware, put in other capabilities, [and] might say ‘oh it’s just mining for
Monero’ and not worry about what more it may have done.”

But, he adds, “The next iteration of cryptojacking may
include tools that could allow for remote access, the capability to do
keylogging…the mere fact that there’s a script that can execute and be given
privilege to run means it can also do other things.”

Henderson agrees. “The same malware app that downloaded a
cryptomining app — often to be unwittingly installed as a browser app/plug-in —
can be used as an infection vector/file-loader for other misuses,” he says.

Fighting cryptojacking attacks

There is a
lot that organizations can do to combat cryptojacking, much of which, says McGregor,
“is part of or easily added to your organization’s current IT security
policies, procedures, and tools.”


Skinner
concurs, noting that “At the end of the day, the basics of information security
and basic hygiene of your IT systems are first and foremost the key to having a
solid information security strategy and plan.”

Implementing cryptojacking-oriented procedures and tools should be part of every organization’s set of data security policies and procedures. These include:

•  Secure web browsers, including any plug-ins or extensions. Make sure systems are blocking cryptojacking adware and malware, and check/test browsers (and their plug-ins/extensions) specifically for cryptomining malware. Some browser vendors have tools that can assist in testing for cryptojacking malware.

•  Consider application and URL whitelisting and
blacklisting. Make sure the “block” list includes known/suspected cryptojacking
and other cryptocurrency entries.

•  Block cryptojacking “phoning home,” since the mining results have to be sent back to the cryptocurrency’s command-and-control (C&C) server. Artificial intelligence-based monitoring might help, since the messages are typically short and do not look like typical malware activity. Deep-packet inspection might be required since the messages could be encrypted.

•  Monitor servers and power distribution units
(PDUs), not just CPU activity. Power use, temperature, fan speed, memory use,
and drive space usage could indicate cryptojacking in progress.

“The
management consoles for most enterprise servers let you configure and monitor
alerts, since if any of those factors goes, you lose the server,” says
McGregor. In terms of cryptojacking, “Any sudden jumps may indicate an attack
has ‘succeeded.’ And anything going to 100% is definitely suspect.”
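As an added illustration of the monitoring advice above (not code from the article or from any of the people quoted), the following Python script applies the two signals McGregor describes, anything hitting 100% and sudden jumps above a host’s own baseline, to constructed CPU, temperature and PDU power samples; the host names, process names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed telemetry (not real data): one sample per host per minute.
# Fields: host, minute, top process, CPU %, CPU temperature (C), PDU watts
# (0 where the host is a desktop with no PDU reading).
SAMPLES = [
    ("web01", 0, "httpd",   14, 42, 190), ("web01", 1, "httpd",   11, 41, 188),
    ("web01", 2, "httpd",   16, 42, 192), ("web01", 3, "httpd",   13, 42, 189),
    ("web01", 4, "kworker", 58, 61, 265), ("web01", 5, "kworker", 61, 63, 270),
    ("web01", 6, "kworker", 60, 64, 268), ("web01", 7, "kworker", 59, 64, 266),
    ("pc-17", 0, "chrome",  22, 45, 0),   ("pc-17", 1, "chrome",  25, 46, 0),
    ("pc-17", 2, "chrome",  20, 45, 0),   ("pc-17", 3, "chrome",  24, 45, 0),
    ("pc-17", 4, "chrome", 100, 71, 0),   ("pc-17", 5, "chrome", 100, 74, 0),
    ("db02",  0, "mysqld",  45, 50, 310), ("db02",  1, "mysqld",  80, 55, 340),
    ("db02",  2, "mysqld",  40, 50, 305), ("db02",  3, "mysqld",  48, 51, 312),
    ("db02",  4, "mysqld",  52, 52, 318), ("db02",  5, "mysqld",  44, 50, 308),
]

BROWSERS = {"chrome", "firefox", "msedge", "safari"}  # assumed process names


def detect(samples, window=4, cpu_jump=30, watt_jump=50, sustain=3):
    """Return findings as (host, minute, process, reason) tuples.

    The baseline is the median of each host's first `window` samples, assumed
    known-good.  Any reading at 100% CPU is reported immediately.  A jump of
    `cpu_jump` points or `watt_jump` watts above baseline is reported only once
    it persists for `sustain` consecutive samples, so db02's one-minute query
    spike is ignored while web01's steady 60% miner is caught.
    """
    by_host = defaultdict(list)
    for rec in samples:
        by_host[rec[0]].append(rec)
    findings = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r[1])
        base_cpu = median([r[3] for r in recs[:window]])
        base_w = median([r[5] for r in recs[:window]])
        streak = 0
        for _, minute, proc, cpu, temp, watts in recs:
            if cpu >= 100:
                where = "browser tab?" if proc in BROWSERS else "process"
                findings.append((host, minute, proc, f"cpu at 100% ({where})"))
            elevated = cpu - base_cpu >= cpu_jump or watts - base_w >= watt_jump
            streak = streak + 1 if elevated else 0
            if streak == sustain:  # report once, when the streak is confirmed
                reason = f"sustained jump: cpu {cpu}% vs baseline {base_cpu:g}%, {temp}C, {watts}W"
                findings.append((host, minute, proc, reason))
    return findings
```

Running `detect(SAMPLES)` reports the quiet 60% miner on web01 at minute 6 and both 100% readings from the browser on pc-17, while the short mysqld spike on db02 produces nothing.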

As with all computer security activity, educate your employees about cryptojacking. “The typical user won’t notice anything until it becomes slow or sluggish,” says McGregor. The National Cybersecurity Center (NCC) is working to improve user awareness about exceedingly long CPU times, what processes are running that are causing these CPU spikes, and high-load CPU processes pointing to a web browser with a malicious tab.

Educating all users is essential; even those who might not work directly with company computers are likely to have a company-owned or personal mobile device, McGregor urges. Cryptojacking education should not be limited to a separate 15- to 20-minute presentation, he notes. “It tends to be part of an IT security awareness presentation that’s typically half a day, covering all cyberthreats — including cryptojacking.”

Preparing for the inevitable

“Organizations should start planning for potential cryptojacking incidents now and walking through different threat vectors and scenarios across the organization,” urges Skinner. “We highly recommend conducting tabletop exercises, and having formalized incident response and incident recovery plans available to be leveraged across the enterprise.”

He also suggests that CISOs be ready to reach out to various law enforcement agencies if and when a breach occurs. “We also highly recommend you know your law enforcement community and have relationships or points of contact if you need them. This should be proactive and part of your overall strategy and should include the U.S. Secret Service, FBI, and state [and] local law enforcement. External legal counsel and [public relations and] media firms should be identified as part of these tabletop exercises as well.”

In particular, Skinner says, “The SEC requires publicly-traded companies to report any cyberattack or event. This includes cryptomining, not just demands for money, or theft of customer data. On the other hand, for hospitals, HIPAA (Health Insurance Portability and Accountability Act) applies when patient data has been compromised, and cryptojacking does not necessarily mean that data has been exfiltrated — you need a forensic and legal team to look for that and to make a determination if the data was compromised, whether or not it was exfiltrated.”

Discovering
cryptojacking must be considered as a security incident, and handled as one,
adds consultant Mertens. “Nobody really knows the scope and scale of
cryptojacking. Big companies that have sophisticated systems will try to block
and mitigate. Smaller companies will always be at greater risk, because they
don’t have the systems or people to detect the problem. If a cryptojacker can
keep their illegal cryptomining activity to where it isn’t impacting day-to-day
operations, many companies won’t notice it’s occurring.”

An essential
part of finding and stopping any cyberbreach is how the company and all of its
employees internalize security. “Have a culture of security,” says attorney
Hadley. “Don’t just be looking for specific things. Be like a doctor looking at
a patient’s big picture and monitor your systems for unusual activities at the
processor level; watch for unusual data inflow and outflow.”

And on the
off chance that you are not already doing full on-and-off-site backups of data
along with system images, the experts agree, start doing that.
