Cryptojacking explained: How to prevent, detect, and recover from it

Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

hacker / cryptocurrency attack
Kentoh / Thaimynguyen / BlackDovFX / Getty Images

Cryptojacking definition

Cryptojacking is the unauthorized use of someone else’s compute resources to mine cryptocurrency. Hackers seek to hijack any kind of systems they can take over—desktops, servers, cloud infrastructure and more—to illicitly mine for crypto coins.

Regardless of the delivery mechanism, cryptojacking code typically works quietly in the background as unsuspecting victims use their systems normally. The only signs they might notice is slower performance, lags in execution, overheating, excessive power consumption, or abnormally high cloud computing bills.

How cryptojacking works

Coin mining is a legitimate process in the cryptocurrency world that releases new cryptocurrency into circulation. The process works by rewarding currency to the first miner who solves a complex computational problem. That problem completes blocks of verified transactions that are added to the cryptocurrency blockchain.

“Miners are essentially getting paid for their work as auditors. They are doing the work of verifying the legitimacy of Bitcoin transactions,” detailed a recent Investopedia explainer on how Bitcoin mining works. “In addition to lining the pockets of miners and supporting the Bitcoin ecosystem, mining serves another vital purpose: It is the only way to release new cryptocurrency into circulation.”

Earning cryptocurrency via coin mining typically takes a huge amount of processing power and energy to carry off. Additionally, the cryptocurrency ecosystem is designed in a way that makes mining harder and reduces the rewards for it over time and with more mining competition. This makes legitimate cryptocurrency coin mining an extremely costly affair, with expenses rising all the time.

Cybercriminals slash mining overhead by simply stealing compute and energy resources. They use a range of hacking techniques to gain access to systems that will do the computational work illicitly and then have these hijacked systems send the results to a server controlled by the hacker.

Cryptojacking attack methods

The attack methods are limited only by the cryptojackers’ creativity, but the following are some of the most common ones used today.

Endpoint attacks

In the past, cryptojacking was primarily an endpoint malware play, existing as yet another moneymaking objective for dropping malware on desktops and laptops. Traditional cryptojacking malware is delivered via typical routes like fileless malware, phishing schemes, and embedded malicious scripts on websites and in web apps.

The most basic way cryptojacking attackers can steal resources is by sending endpoint users a legitimate-looking email that encourages them to click on a link that runs code to place a cryptomining script on their computer. It runs in the background and sends results back via a command and control (C2) infrastructure.

Another method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers.

These avenues still remain a legitimate concern, though criminals have added significantly more sophisticated techniques to their cryptojacking playbooks as they seek to scale up profits, with some of these evolving methods described below.

Scan for vulnerable servers and network devices

Attackers seek to amp up the profitability of cryptojacking by expanding their horizons to servers, network devices, and even IoT devices. Servers, for example, are a particularly juicy target since they usually are usually higher powered than a run-of-the-mill desktop. They’re also a prime hunting ground in 2022 as the bad guys scan for servers exposed to the public internet that contain vulnerabilities such as Log4J, exploiting the flaw and quietly loading cryptomining software on the system that’s connected to the hacker’s servers. Often attackers will use the initially compromised system to move their cryptojacking laterally into other network devices.

“We’re seeing an uptick in cryptomining stemming from the Log4J vulnerability,” says Sally Vincent, senior threat research engineer for LogRhythm. “Hackers are breaking into networks and installing malware that uses storage to mine cryptos.”

Software supply chain attacks

Cybercriminals are targeting the software supply chain by seeding open-source code repositories with malicious packages and libraries that contain cryptojacking scripts embedded within their code. With developers downloading these packages by the millions around the globe, these attacks can rapidly scale up cryptojacking infrastructure for the bad guys in two ways. The malicious packages can be used to target developer systems—and the networks and cloud resources they connect to—to use them directly as illicit cryptomining resources. Or they can leverage these attacks to poison the software that these developers are building with components that execute cryptomining scripts on the machines of an application’s end user.

Leveraging cloud infrastructure 

Many cryptojacking enterprises are taking advantage of the scalability of cloud resources by breaking into cloud infrastructure and tapping into an even broader collection of compute pools to power their mining activity. A study last fall by Google’s Cybersecurity Action Team reported that 86% of compromised cloud instances are used for cryptomining.

“Today, attackers are targeting cloud services by any means to mine more and more cryptocurrency, as cloud services can allow them to run their calculations on a larger scale than just a single local machine, whether they’re taking over a user’s managed cloud environment or even abusing SaaS applications to execute their calculations,” Guy Arazi, senior security researcher for Palo Alto Networks, wrote in a blog post.

One of the common methods to do this is by scanning for exposed container APIs or unsecured cloud storage buckets and using that access to start loading coin-mining software on impacted container instances or cloud servers. The attack is typically automated with scanning software that looks for servers accessible to the public internet with exposed APIs or unauthenticated access possible. Attackers generally use scripts to drop the miner payloads onto the initial system and to look for ways to propagate across connected cloud systems.

“The profitability and ease of conducting cryptojacking at scale makes this type of attack low-hanging fruit,” said Matt Muir, security researcher for Cado Security, in a blog post explaining that cloud-based attacks are particularly lucrative. “This will likely continue for as long as users continue to expose services such as Docker and Redis to untrusted networks.”

1 2 Page 1
Page 1 of 2
Make your voice heard. Share your experience in CSO's Security Priorities Study.