The rising tide of criminal schemes to steal compute cycles for mining cryptocurrency has reached a high-water mark. This month researchers report that cryptojacking malware and attacks have overtaken ransomware as the number one malware threat online today.
"While ransomware attacks haven't gone away, they have been supplanted by malware that's designed to infect systems and use their CPUs to mine for cryptocurrency," writes Mathew Schwartz for Bankinfosecurity.com. "If 2017 was the year of ransomware innovation, 2018 is already well on its way to being known as the year of cryptocurrency mining malware."
While cryptojacking isn't nearly as likely to cause mega data breaches or huge regulatory compliance headaches for most organizations as other types of attacks, CISOs can't afford to ignore this growing trend. Cryptojacking poses very real consequences for enterprises. Here are the top reasons why CISOs need to pay attention to cryptojacking threats, lest they suffer from system performance issues, increased costs, and other risks to their organization.
Endpoint Performance Problems
Cryptominers are also increasingly bundled into exploit kits and other more traditional malware delivery methods. For example, some researchers have pointed to criminal targeting of mobile apps on official app stores like Google Play as a way they've broadened their cryptojacking reach. They say the bad guys are increasingly infecting these apps with coin mining malware to build up the number of devices silently mining money for them. The same goes for conventional banking Trojans and other malware, for which the crooks figure they might as well build in coin miners to join in on the infection.
"It doesn’t surprise me that malware creators are moving away from simple in-browser scripts by burying mining code in apps and other banking malware," Mike Pound, a professor at the University of Nottingham, told Ethereum World News recently. "These kinds of attacks are only going to become more prevalent when this script is bundled into other malware as an add-on. It’s an efficient route to profit for criminals."
When these kinds of attacks are carried out at scale against an enterprise's whole collection of endpoint assets, the performance impact will add up quickly.
"Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance," wrote researchers with FireEye in a recent cryptojacking report. "In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks."
Server and Network Performance Issues
The risk against endpoints is really just the tip of the iceberg for enterprises beating back cryptojacking attacks. Many criminals are finding that the high-powered servers and data center rigs that make up the backbone of enterprise infrastructure can also make for extremely powerful crypto mining machines when they can be subverted.
In one instance, researchers found that attackers were able to pull in over $3.4 million by cryptojacking the servers owned by continuous integration software vendor Jenkins. So it shouldn't be surprising that analysts with Forrester Research say corporate servers are actually the number one device in the enterprise most targeted for cryptocurrency mining by external attackers. What's more, these devices are also juicy targets for internal attackers seeking to set up their own currency 'printing' machines. This spring researchers with the firm Darktrace showed that they had tracked 1,000 illicit cryptomining schemes in the US where employees hijacked their employer's infrastructure to harvest cryptocurrency.
These are the systems that businesses most depend upon to deliver vital business functions for the enterprise. The attacks themselves are often stealthy and hard to detect.
"Speeding up CPU cycles heavily impacts consolidation ratios and virtualization density in your data center, which is why, when workloads are infected by cryptojacking, most infrastructure admins or dev-ops quickly solve the situation by increasing resources on the workloads to bring services on-line," Bitdefender experts recently wrote in a whitepaper on data center cryptomining threats. "At this point, some don’t investigate further, content that the problems are solved."
As that paper explained, not only are there performance issues involved, but the throttling of CPUs and GPUs by cryptomining accelerates the deterioration of equipment—meaning that organizations must replace their gear more frequently. That's a direct cost that CISOs must be concerned about.
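The FireEye and Bitdefender observations above come down to one detectable symptom: a host that stays pegged near full CPU for a long stretch, rather than spiking briefly under a legitimate job. The following is an added illustration of that distinction, not code from the original article or from any of the vendors it cites. It runs over a handful of constructed telemetry samples (host, minute offset, CPU percent, top process) and separates short bursts from sustained load; the 90% threshold, the four-sample window and the allow-list of processes expected to run hot are all assumptions a team would tune to its own fleet.

```python
"""Separate sustained CPU saturation from short bursts in host telemetry.

Added example; the telemetry, thresholds and allow-list are constructed
assumptions, not data or settings from the article or any vendor report.
"""
from collections import defaultdict

# Assumed tuning values.
CPU_THRESHOLD = 90        # percent busy that counts as "pegged"
MIN_CONSECUTIVE = 4       # samples in a row (20 minutes at a 5-minute cadence)
KNOWN_HEAVY = {"postgres", "gcc", "java"}   # workloads expected to run hot

# Constructed telemetry: (host, minute_offset, cpu_pct, top_process).
SAMPLES = [
    # build01: a compile job spikes for ten minutes, then the box idles.
    ("build01", 0, 95, "gcc"), ("build01", 5, 97, "gcc"),
    ("build01", 10, 22, "sshd"), ("build01", 15, 18, "sshd"),
    ("build01", 20, 20, "sshd"), ("build01", 25, 19, "sshd"),
    # web07: pinned near 100% for half an hour by an unfamiliar binary
    # ("svc_upd8" is a made-up name, not a real indicator).
    ("web07", 0, 99, "svc_upd8"), ("web07", 5, 98, "svc_upd8"),
    ("web07", 10, 99, "svc_upd8"), ("web07", 15, 99, "svc_upd8"),
    ("web07", 20, 98, "svc_upd8"), ("web07", 25, 99, "svc_upd8"),
    # db02: sustained load, but from the database it is supposed to run.
    ("db02", 0, 92, "postgres"), ("db02", 5, 94, "postgres"),
    ("db02", 10, 91, "postgres"), ("db02", 15, 95, "postgres"),
    ("db02", 20, 93, "postgres"),
]


def sustained_runs(samples, threshold=CPU_THRESHOLD):
    """Per host: longest run of consecutive samples at or above threshold,
    plus the set of top processes seen during that run."""
    by_host = defaultdict(list)
    for host, t, cpu, proc in samples:
        by_host[host].append((t, cpu, proc))

    result = {}
    for host, rows in by_host.items():
        rows.sort()                      # order by minute offset
        best, cur = 0, 0
        best_procs, cur_procs = set(), set()
        for _, cpu, proc in rows:
            if cpu >= threshold:
                cur += 1
                cur_procs.add(proc)
                if cur > best:
                    best, best_procs = cur, set(cur_procs)
            else:                        # load dropped: the run is broken
                cur, cur_procs = 0, set()
        result[host] = (best, best_procs)
    return result


def classify(samples, threshold=CPU_THRESHOLD,
             min_consecutive=MIN_CONSECUTIVE, known_heavy=KNOWN_HEAVY):
    """Map each host to 'normal', 'review' or 'suspect'.

    normal  - load never stayed high long enough to matter
    review  - sustained load, but every hot process is on the allow-list
    suspect - sustained load driven by a process nobody expects to run hot
    """
    verdicts = {}
    for host, (run, procs) in sustained_runs(samples, threshold).items():
        if run < min_consecutive:
            verdicts[host] = "normal"
        elif procs <= known_heavy:
            verdicts[host] = "review"
        else:
            verdicts[host] = "suspect"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLES).items()):
        run, procs = sustained_runs(SAMPLES)[host]
        print(f"{host}: {verdict} (longest run {run} samples, {sorted(procs)})")
```

The point of keying on run length rather than a single reading is exactly the Bitdefender observation: adding vCPUs to a compromised workload lowers the percentage but does not end the run, so a detector built this way keeps firing until someone looks at the process behind the load.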
What's more, if cryptojacking manages to spread itself on the very most critical of systems, there's even more at stake.
"In the case of operational technology (OT) networks, the consequences could be severe," FireEye reports. "Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, therefore even a slight increase in CPU load or the network could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real time."
Stolen Cloud Compute
Attackers aren't limiting their scope to just on-premises data centers, either. A recent report from Dark Reading shows that approximately 25% of businesses today are now targeted by cryptojacking in the cloud. That stat has shot up significantly, from just 8% last year.
"Cryptojacking has gone mainstream as attackers have unprecedented access to high-powered public cloud computing resources, affecting major corporations like Tesla, Gemalto, and Aviva," wrote Kelly Sheridan with Dark Reading.
In the case of cloud compute theft from Tesla, the attackers managed to mine currency off of the car company's AWS account by first breaking into a Kubernetes instance that was poorly configured. Researchers say that misconfigured containerization technology from the likes of Docker and Kubernetes is fast growing in appeal to cryptojackers, who can easily scan for these instances and begin their vampire-like attacks to siphon compute cycles from them.
While browser attacks are siphoning off computing power from the end user, their origination from infected websites gives a black eye to any organization caught up in their nefarious dealings. And as things stand, there are lots of brands that have become complicit in the cryptojacking craze.
According to one study earlier this year by Bad Packets Report, almost 50,000 sites from around the web have been found to be infected with cryptominer malware. Many of these sites are run by well-known and respected brands like the San Diego Zoo and the Los Angeles Times. When these attacks happen, they inevitably shake customer confidence in the brand—because if cryptojacking can occur on the site, how secure is the brand in other areas?
"We actually have seen many high-profile [cryptojacking] incidents over the past seven months. And unfortunately, we continue to. It’s not a trend that’s going away," Troy Mursch, the researcher behind Bad Packets Report, recently told ThreatPost. "We’re going to continue to see these [cryptojacking] vulnerabilities come up in content management systems. When site operators are not patching you’re going to get affected like this. And really, cryptojacking may not even be the worst case scenario."
It's not just computing capabilities that attackers are stealing in these cryptojacking attacks. They're also draining away electricity. These costs are going to vary considerably, but they're usually nothing to sneeze at.
"For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212kWh," wrote FireEye researchers. "They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany."
That's just one machine for one day. If a cryptojacking campaign manages to scale an attack against an enterprise to hundreds or thousands of machines, the costs go up dramatically, and they keep multiplying the longer the window of attack stays open.