Like most groundbreaking inventions, cryptocurrencies bring a moral paradox: while some people consider them a revolutionary tool to make the world a better place, others already use them to fuel their illegal activities. It was therefore only a matter of time before this energy-hungry activity became a serious cybersecurity issue.
Today, the world is witnessing an emerging type of cybercrime that is slowly becoming more popular than ransomware attacks – cryptojacking. Should we worry about it or is this just a security fad?
Cryptocurrency Mining vs. Cryptojacking
In order to properly answer this question, we should clarify the current general context. As crypto-mining methods are evolving, new ethical and legal aspects emerge:
- Legitimate crypto-mining. There is nothing wrong with using your own devices and electricity for currency mining.
- Possibly malicious mining. Through the emergence of Coinhive and other similar services, websites can use their visitors’ CPU power for mining instead of delivering them annoying ads. At least in theory, that sounds like a great idea. News site Salon.com and even UNICEF used it in their quest for alternative fundraising techniques. The Pirate Bay, by contrast, was recently caught doing it secretly, which prompted it to declare that “we really want to get rid of all the ads. But we also need enough money to keep the site running”. Ironically, according to Reddit threads, its users didn’t seem to like the fact that the pirate website had never obtained their explicit authorization.
- Cryptojacking / Coinjacking / Drive-by mining. Paying the bill for someone else using your computing power without your knowledge is clearly not legitimate. Actually, it is illegal - for instance, in the US a victim could invoke the Computer Fraud and Abuse Act (CFAA), while in the UK there is the Misuse of Computers Act. Unfortunately, as in most cybercrime cases, finding the perpetrator is extremely difficult, if not impossible. As the problem grows, and there are signs it will, pressure on legislators will most likely increase.
A Flame Waiting to Spread Without Control
Just a year ago, the concept of cryptojacking didn’t even exist. Today, we keep reading news about coinjackers deploying more sophisticated methods of infiltrating devices by exploiting security breaches. Just to get a taste of it, here are some of the most spectacular cases that made the headlines lately:
- Coinhive was abused by cybercriminals in waves of attacks, such as the one delivered through Browsealoud, a popular plugin present on 4,200 websites including the UK’s Information Commissioner’s Office.
- Popular desktop messaging applications, such as Telegram, have recently been abused to deliver cryptocurrency miners to victims, and even some YouTube advertisements delivered the Monero-mining Coinhive.
- The Starbucks Wi-Fi service in a store in Buenos Aires was reported to let hackers offload their mining code onto users’ computers.
- The industrial control systems (ICS) and SCADA (supervisory control and data acquisition) servers of a water utility in Europe were also used to mine Monero.
Cryptojacking is Here to Stay
There are many reasons that seem to back this statement:
- The number of cryptocurrencies available over the internet is growing, as a new cryptocurrency can be created at any time. In mid-April 2018, there were over 1,550 currency types available on over 10,000 markets, valued at over $320 billion. To put things into perspective, that is higher than the annual Gross Domestic Product of Israel.
- Most coinjacking efforts go into Monero, as it is impossible to profitably mine Bitcoin, the most successful cryptocurrency, without your own infrastructure. And even if we assume that Monero will disappear or decrease in value over time, there is a great chance that another CPU-mined currency will take its place.
- As the share of ransomware attacks decreases, illegal crypto-mining increases. As Bitdefender telemetry reports show, this is another trend pointing to the rising popularity of cryptojacking.
- The world is full of vulnerable connected devices and systems, while cryptojacking methods of infiltration are becoming more sophisticated. For instance, some attacks deliberately stay below full CPU load in order to go undetected for a longer period of time.
- Targeting pools of individual users will become more difficult, but large data centers and cloud infrastructures are next in line. This prospect is even more worrisome because, in their quest to infiltrate, coinjackers could well stumble upon and exploit other security weaknesses.
How can Organizations Protect Themselves from Cryptojacking?
Cryptojacking brings its own set of headaches through higher energy bills and device degradation, but it also exposes existing vulnerabilities, which could prove to be fatal to your organization’s reputation and business continuity. Make sure you are prepared for the upcoming likely surge of cryptojacking attacks.
Cryptojacking is a high-reward and low-risk cybercrime, at least compared to other types of attacks, which is something that criminals love. And when it comes to choosing the victim, the bigger, the better. Basically, all organizations running unpatched or outdated software on their infrastructure are at serious risk of being targeted. There were several instances of cryptocurrency malware taking advantage of known exploits such as EternalBlue and DoublePulsar, the exploits used by WannaCry – hence the apt name WannaMine. A flaw in Oracle’s WebLogic Server (CVE-2017-10271) has been used to deliver miners onto servers at universities and research institutions.
The least that companies can do is patch their systems; in the example above, Oracle had issued a patch which simply wasn’t installed. Going further, more careful resource monitoring can prevent escalation through early intervention when abnormal CPU usage spikes are identified. Take into consideration that, in order to avoid detection, certain malware is designed to run outside business hours.
On a more complex scale, it is important to prevent and detect both file-based and fileless cryptojacking attacks during the various stages of the attack lifecycle, both inside the data center and on endpoints. Endpoints are the preferred entry points and very often allow lateral spreading of the malware. Fileless and script-based attacks - such as those using PowerShell, cmd and wscript - are detected during pre-execution by Bitdefender’s HyperDetect technology, while Process Inspector technology augments these capabilities by stepping in during execution.
To keep data centers from falling victim to highly advanced cryptojacking threats such as WannaMine, Bitdefender offers a powerful prevention technology - Hypervisor Introspection, uniquely capable of defending against zero-day vulnerabilities and advanced threats, whether their purpose is to plant cyberespionage malware or to deliver cryptocurrency mining software.
Across those stages of the attack lifecycle, Bitdefender GravityZone Elite provides layered next-generation security that greatly helps with prevention and detection, while its memory protection technology can detect exploit-enabled delivery mechanisms looking to distribute cryptomining software onto endpoints.