Protect Yourself from Cryptojacking

What is Cryptojacking?

Cryptojacking is a type of cyber-attack where malware is covertly installed onto unsuspecting hosts so it can make use of the host’s processing power to mine cryptocurrency for the attacker.

Cryptojacking isn’t attempting to cause damage to host systems or steal their data, but it is far from benign. It is a large-scale theft of resources which can disable your anti-malware defenses and open secured ports to enable communication with its command-and-control infrastructure. Cryptojacking can also create a powerful diversion for more complex attacks such as data exfiltration, keylogging and even credit card skimming.

Infected systems can experience significantly reduced performance, but it will be difficult to identify what has caused the issue. In some cases, malicious scripts can persist indefinitely.

Attackers utilise various methods to install crypto-mining code on host computers. The two most common attack vectors are phishing and browser-based script injection.

Phishing Attacks

By using traditional phishing tactics to lure unsuspecting victims to click malicious links in emails, attackers are able to install cryptojacking malware such as Coinminer and XMRig directly onto computer memory. Malicious scripts then continuously mine cryptocurrency in the background.

Script Injection Attacks

Browser-based or in-browser cryptojacking tools inject scripts into popular websites or advertisements delivered to multiple domains. A well-known threat of this type was Coinhive, the Monero mining service, which was shut down in 2019

These sites and ads will automatically execute JavaScript code in victims’ browsers, utilising their CPU power for the duration of their visit. The attacks target sites with multiple concurrent users and long average session durations, including image boards and streaming sites, to keep malicious scripts running for as long as possible.

Botnet operators incorporate cryptojacking into their existing arsenals and target both cloud and on-premise servers to extend computing power and maximise revenues. Smartphones are also targeted. In 2018, Apple banned cryptomining apps on iOS to prevent the risks of these types of attacks.

Economic Viability of Cryptojacking

Bitcoin, being the most popular and valuable cryptocurrency on the market,  might seem like the obvious choice for attackers. But, surprisingly, this is not the case. The vast majority of attacks appear to be mining the open-source cryptocurrency, Monero. Research has found that the level of illicit cryptocurrency mining is closely aligned with the value of Monero.

The primary reason for this is, it seems, is CPU-friendliness. While Bitcoin’s mining algorithm requires a specialised ASIC setup and significant computing power, Monero can be mined using any computer or smartphone. Monero also obfuscates its transactions and anonymises wallet addresses, making it harder to track than other cryptocurrencies.

Worryingly, the attacks are not difficult or expensive. Cryptojacking kits are available on the dark web for as little as £20 and do not require high level technical skills to launch attacks that go under the radar and create a continuous stream of revenue almost instantly. An example of this is the discovery by security researchers that the Smominru botnet had infected over half a million machines and generated over £3.5 million in January 2018 alone.

Ongoing Cryptojacking Threat

In terms of impact, 2017 and 2018 were acknowledged as two of the most significant years so far for cryptojacking. Since then, it has become a rather underestimated cyber threat, but it certainly hasn’t gone away. Research suggests that cryptocurrency miners were the most common form of malware in 2021, with around 75,000 threats detected in the first half of the year. Security researchers have also found that cryptojacking is currently one of the most commonly discussed methods of stealing or mining for cryptocurrency mentioned in cybercriminal forums.

Newer cryptojacking threats include the Prometei cryptocurrency botnet which exploits Microsoft Exchange vulnerability. While it’s not strictly new, it was recently discovered to be exploiting Microsoft Exchange vulnerabilities used in the Hafnium attacks to deploy malware and harvest credentials and then utilising the infected devices to mine Monero.

A cryptojacking botnet, named Lemon Duck, has been found to be targeting Microsoft Exchange servers, mainly in North America, via ProxyLogon. It uses the ProxyLogon group of exploits and has also added the Cobalt Strike attack framework into its malware toolkit and enhanced its anti-detection capabilities.

Ease of execution, scalability and anonymity makes cryptojacking a particularly appealing attack technique for hackers. And, as long as cryptocurrencies maintain their value, cryptojacking is likely to continue. With individuals and enterprises alike being targeted, having an understanding of what to look out for and how to tackle it is essential.

Telltale Signs of Cryptojacking

Common signs that your organisation is being affected by cryptojacking include:

  • Noticeable decrease in device performance or systems operating more slowly. Look out for devices crashing, running slowly or performing unusually poorly. Also watch out for battery power draining more quickly than usual.
  • Overheating device batteries – a laptop or computer fan running faster than usual can be a sign of cryptojacking.
  • An increase in Central Processing Unit (CPU) usage or even devices shutting down because of a lack of available processing power when on a website with little or no media content.
  • Unexpected increases in electricity costs

How to Protect Yourself from Cryptojacking?

You should take some or all of the following steps to reduce the potential costs and disruption of cryptojacking to your business:

  • Security awareness training: Employees should be made aware of the dangers of phishing-based attacks and informed about the latest cryptojacking trends as part of training exercises.
  • Report Issues: Users should be encouraged to report slow computers and devices for further investigation.
  • Ad-blockers: Web browsers should have ad-blocking software installed and be regularly patched in order to block known cryptomining scripts.
  • File integrity monitoring (FIM ) can help organisations to identify deviations from a ‘known good’ baseline, to detect unauthorised file changes that could indicate a cryptojacking attack.
  • Network monitoring: It is essential to build the capability to proactively monitor cloud and on-premise environments to detect malicious activity in its infancy. Implementing technologies like SIEM, vulnerability scanning and behavioural monitoring is critical to this approach, but it also requires round-the-clock attention from certified security experts armed with the intelligence to identify cryptojacking attempts before it’s too late.
  • Endpoint protection: Crypto-mining code can hide from traditional signature-based detection approaches so organisations need advanced endpoint tools like Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) to maximise endpoint visibility and gather the information needed to isolate and shut down attacks.
  • Mobile Device Management (MDM): Organisations should implement a mobile device management policy to better control the devices, applications and extensions used by employees, and prevent the spread of mobile-focused cryptomalware.