Why cryptojacking is an overlooked security threat

Dec 07, 2017

How compute power from many organisations is being slyly diverted into cryptocurrency mining

Ransomware attacks like WannaCry and NotPetya have generated reams of news coverage this year, but another form of cyberattack is quietly on the increase: cryptojacking.

Readily available JavaScript tools allow cryptojackers to harness the CPUs of phones, tablets, PCs and servers, and use this pooled power to validate cryptocurrency transactions before other miners. Their Bitcoin (or altcoin if they’re mining another cryptocurrency) reward for providing this service comes at someone else’s expense—and that someone, whether an individual or organisation, often has no idea their processing power has been hijacked.

“You could be browsing a website they’ve taken over through malware or by adding some JavaScript, and without your knowledge, without your approval, your laptop or your iPad’s compute resources are now being used for mining cryptocurrency,” says Varun Badhwar, CEO and cofounder of RedLock, which monitors Microsoft Azure, Google Cloud Platform, and AWS for security and compliance risks. “This [type of attack] can impact anybody and everybody across the globe, regardless of what kind of system you’re on and how many compute resources you have available.”

Although mining malware has been around since 2013, the release of the Coinhive JavaScript miner in September, together with soaring cryptocurrency values, has made cryptojacking increasingly appealing to hackers. However, Coinhive itself was not created for malicious purposes: it was intended as a means for websites to earn money by borrowing visitors’ processing power to mine Monero, an untraceable cryptocurrency, instead of bombarding them with ads.

Nevertheless, there was—at least initially—no requirement for sites to tell people their CPUs were being ‘borrowed’ for mining purposes. Perhaps unsurprisingly, hackers soon began injecting Coinhive and copycat scripts into websites like and Showtime without the site owner’s knowledge, effectively using their traffic as a means to access a vast number of CPUs and gain an edge over rival miners.

Mining malware typically remains hidden in the Task Manager, running for as long as a webpage remains open. In terms of the scale of the problem, AdGuard recently reported that 220 sites on the Alexa top 100,000 list serve crypto mining scripts to more than 500 million people, generating a collective $43,000. “Right now it’s not millions,” AdGuard said in a blog post on the issue, “but this money has been made in three weeks at almost zero cost.”

AdGuard, Malwarebytes and other antimalware providers now block or restrict access to sites using crypto mining scripts. In total, Malwarebytes products have blocked an average of 8 million requests per day to domains hosting in-browser cryptocurrency mining scripts. However, most anti-malware providers also give users the option to lend their CPU power to a legitimate site owner.
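Blocklists protect visitors, but a site owner also wants to know whether a miner has been injected into their own pages. The following is an added illustration, not code from the article or from any vendor named in it: it parses a page's script tags and flags loaders pulled from Coinhive's hosts or inline calls matching the public 2017 Coinhive embed pattern. The host list and the call pattern are assumptions for illustration; the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Assumed indicators: hosts that served the 2017 Coinhive library and the
# constructor/start calls its embed snippet used. Extend from your own intel.
MINER_HOSTS = ("coinhive.com", "coin-hive.com", "authedmine.com")
MINER_CALLS = re.compile(r"\b(CoinHive|Miner)\.(Anonymous|User)\s*\(", re.I)


class MinerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miner_indicators(html):
    """Return findings as strings; an empty list means nothing matched."""
    scanner = MinerScanner()
    scanner.feed(html)
    findings = []
    for src in scanner.srcs:  # injected loader pulled from a miner host
        if any(host in src.lower() for host in MINER_HOSTS):
            findings.append("external miner script: " + src)
    for body in scanner.inline:  # inline snippet that starts the miner
        match = MINER_CALLS.search(body)
        if match:
            findings.append("inline miner start call: " + match.group(0))
    return findings


# Constructed sample page: one legitimate ad script, one injected miner.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.net/ads.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY'); m.start();</script>
</head><body>hello</body></html>"""
```

Run `find_miner_indicators` over pages fetched from your own site on a schedule and alert on any non-empty result; a miner that arrives via a compromised third-party script will only show up if you also fetch and scan those external sources.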

According to a report by Recorded Future, which specialises in real-time threat intelligence, 62 types of mining malware are now available for sale across the criminal underground, ranging in price from $850 to less than $50. So how easy is it for cyber criminals to deploy these tools?

“In a nutshell there is no difference between deploying mining malware and other types of malware, such as ransomware or advertisement click bots,” says Andrei Barysevich, director of advanced collection at Recorded Future. “However, since mining malware is significantly less destructive, it can remain undetected for much longer, offering criminals an opportunity to earn a significant profit over a longer time.”

In October, Trend Micro, an enterprise cyber security solutions specialist, discovered that two apps in the Google Play store had been programmed to deploy a copy of the Coinhive miner inside a hidden WebView browser. Enterprise networks aren’t immune from cryptojacking either: according to IBM’s X-Force security team, mining attacks aimed at these networks jumped sixfold between January and August.

“We’re starting to see a lot more of these attacks,” says Simon Edwards, cyber security architect for Trend Micro. “In the last two weeks I’ve found two completely different examples of crypto mining, one targeting Windows machines, the other targeting Unix machines.” The Windows variant was using up to 75% of the CPU, he says. “Obviously if you have that in a cloud environment, where you’re paying for the CPU cycles and hard-drive usage, then suddenly that could end up costing you quite a lot of money.”

A recent investigation by RedLock also found that Aviva and Gemalto’s AWS cloud services had been compromised and used to mine Bitcoin. The hackers were able to gain access to the cloud servers through administration consoles that weren’t password protected.

“These instances were effectively open to the public and created a window of opportunity for hackers,” says the report. Upon deeper analysis, RedLock discovered that hackers were executing a Bitcoin mining command from a container running on Kubernetes (an open-source platform that automates container operations). “The instance had effectively been turned into a parasitic bot that was performing nefarious activity over the internet,” the report concludes.

RedLock notified Aviva and Gemalto about the issue, and notes in its report that if a configuration monitoring solution had been in place across the cloud computing environments the problem might have been revealed sooner.
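The configuration monitoring the report refers to can be as simple as a periodic check that no management console is reachable from the whole internet. The following is an added illustration, not RedLock's product or the article's own material: it scans firewall-style rules in a constructed, provider-neutral shape and flags admin ports exposed to 0.0.0.0/0 or ::/0. The port list (Kubernetes defaults plus SSH and RDP) and the rule format are assumptions for illustration.

```python
import ipaddress

# Assumed list of ports that commonly carry management or orchestration
# consoles: Kubernetes API (6443), kubelet (10250), etcd (2379), a dashboard
# on 8443, plus SSH and RDP. Tailor it to what your estate actually runs.
ADMIN_PORTS = {22: "ssh", 2379: "etcd", 3389: "rdp", 6443: "kube-apiserver",
               8443: "k8s-dashboard", 10250: "kubelet"}


def is_world_open(cidr):
    """True when the CIDR admits every IPv4 or IPv6 source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_consoles(rules):
    """Return (group, port, service, cidr) for each admin port open to all.

    Each rule is a dict in a constructed, provider-neutral shape:
    {"group": str, "from_port": int, "to_port": int, "cidr": str}.
    """
    hits = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue  # restricted source range: not a public exposure
        for port, service in sorted(ADMIN_PORTS.items()):
            if rule["from_port"] <= port <= rule["to_port"]:
                hits.append((rule["group"], port, service, rule["cidr"]))
    return hits


# Constructed sample: a web tier that is fine, and an orchestration node
# whose console ports are reachable from the whole internet.
SAMPLE_RULES = [
    {"group": "sg-web", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-k8s", "from_port": 6443, "to_port": 6443, "cidr": "10.0.0.0/8"},
    {"group": "sg-k8s", "from_port": 8000, "to_port": 9000, "cidr": "0.0.0.0/0"},
    {"group": "sg-k8s", "from_port": 22, "to_port": 22, "cidr": "::/0"},
]

if __name__ == "__main__":
    for group, port, service, cidr in find_exposed_consoles(SAMPLE_RULES):
        print(f"{group}: {service} ({port}) open to {cidr}")
```

Note that a wide port range (8000-9000 above) is flagged because it happens to cover an admin port; that is exactly the kind of rule that lets a console slip through unnoticed.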

“When you’re a large organisation, especially the ones we talked about in our report like Aviva or Gemalto, you’re spending tens if not hundreds of millions of dollars a year on cloud computing,” says Badhwar. “If somebody adds another 3%, 4% or 5% to compute resources, it may fly under the radar.”

Edwards notes that mining malware is often deployed in conjunction with other forms of attack, and describes it as an ancillary way of making money. “The organisations that are the most vulnerable are the ones that have got lots of servers connected to the internet, but they’re not particularly monitoring what they’re up to and not particularly patching them,” he says, adding that “good old fashioned intrusion prevention systems” either on the network or on the server can, thankfully, stop crypto mining attacks in their tracks.

But as long as there’s money to be made from cryptocurrency mining, hackers will no doubt attempt to cash in with other people’s resources. “Unless we experience a crash of cryptocurrency prices to the levels seen in 2016,” says Barysevich, “we can only expect even further improvement and proliferation of mining malware.”