Danny Bradbury

How To Protect Your Systems From Cryptojacking

Move over, ransomware. There’s a new form of malware in town. Cryptojacking is becoming the cybercriminals’ tool of choice, and it is delivering big financial rewards.

While ransomware holds files for ransom and coerces victims to send their attackers cryptocurrency, cryptojacking malware cuts out the ransom step and just uses a victim’s computing power to mine for cryptocurrency without their consent. It comes in two forms.

First is the browser-based attack. Attackers plant a malicious script on a website, and that script makes each visitor’s computer mine for cryptocurrency for as long as the page is open, sending the rewards to the criminal’s wallet address.

The second form of cryptojacking involves installing a malicious executable on the target machine. Criminals can infect an endpoint, or they can infiltrate a company’s networks and infect their servers with cryptojacking malware.

There’s money in mining

Infecting servers in this way is big business. The organizers of mining botnet Smominru made over $3.5m in under a year infecting Windows servers with their cryptojacking malware.

With money like that on the table, no wonder cryptojacking malware installations are skyrocketing. The Cyber Threat Alliance (CTA), a group of cybersecurity researchers, noticed a 459% increase in cryptojacking malware infections from the end of 2017 to the end of July 2018.

Cryptojacking appeals to cybercriminals for two reasons: profit, and frictionless execution.

The price of cryptocurrencies rose sharply at the end of 2017. Look at this price chart for Monero, which is the cryptominer’s digital currency of choice: its mining algorithm runs acceptably on ordinary CPUs, which is all a cryptojacker usually has to work with. Unlike bitcoin, whose reusable addresses investigators can audit with a block explorer service, Monero uses confidential transactions and stealth addresses that make its payments very hard to trace.

[Figure: Monero price chart, USD]

Source: CoinGecko (https://www.coingecko.com/en/price_charts/monero/usd).

Like many cryptocurrencies, Monero’s price spiked at the start of the year. While it has since retraced its steps, its price still hadn’t dipped below its late August 2017 level as of November 2018.   

Unlike ransomware, cryptojacking also requires no action on the victim’s part. Rather than taking steps to pay a ransom, the user must only keep a computer up and running. That represents far less work for the criminal, and a more certain return on investment.

So, does cryptojacking matter? Some might think malware that doesn’t steal or damage data doesn’t pose much of a threat, but that misses the point. It carries several dangers.

The first is the effect on performance. Both forms of cryptojacking can slow a computer to a standstill. This is a particular problem for server-based attacks, because it risks disrupting core computing services that could affect the entire organization.

The second danger is financial. Aside from the increased electricity usage as cryptojacking malware sends computers into overdrive, there’s also a service cost. Attackers have gained access to cloud-based systems, which expand computing power on demand to cope with fluctuating workloads. Customers pay for these services, so they’re footing the bill for cybercriminals’ illicit mining operations.

Tesla is a good example. In February 2018, it discovered that crooks were using its cloud infrastructure to mine for cryptocurrency.  

Cryptojacking infections highlight inadequacies in cybersecurity. If that malware made its way onto a server, then other malware could follow. There’s also no telling what other nefarious things cryptojacking software could do in the background. Security professionals should take it as a sign they need to improve their protection.

Defensive measures

With this in mind, companies should take several steps to avoid falling victim to cryptojacking. First, basic cybersecurity hygiene is a must. This means patching operating systems and applications with the latest updates and not using administrative accounts for everyday work on enterprise computers. Application whitelisting, which allows only approved executables to run, is a good idea, too.

Second, make sure that anyone with administrative cloud access follows strict procedures. Attackers hacked Tesla’s cloud after its administrators left the doors wide open, failing to use login protection for their Kubernetes container orchestration software.

Third, look for indicators of compromise. The most obvious sign is resource consumption. A miner thrashing a CPU pushes utilization and power draw up, but this isn’t always the case; some cryptojacking malware throttles its CPU load to fly under the radar.

That’s why process logs and network traffic are important, too. Check DNS query logs for telltale strings such as ‘CoinHive’ (an infamous Monero mining service) and ‘crypto’, bearing in mind that a broad string like ‘crypto’ will also match legitimate names, so treat such hits as leads to triage rather than alerts in their own right. Check running processes for binaries and command line arguments that point to mining software, like ‘cpuminer’ or a mining pool address.

Finally, use DNS or firewall blocklists that stop mining software contacting known mining pools and services; Coinblockerlists is one such resource.

On its own, any of these measures might let a cryptojacker through. For example, Tesla’s attackers cloaked the address of their own mining pool software by sending traffic via a proxy over non-standard ports, rendering a mining blacklist useless.
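The following is an added example, not code from the original article or from CenturyLink, that runs the indicator checks described above (DNS log strings, a domain blocklist, process command lines, and sustained CPU load) over constructed sample data. The log and process formats, the domain names, the blocklist contents, the `xmrig` binary name and the CPU samples are all assumptions made for the example; it also shows the two failure modes the text mentions: a throttled miner that never trips the CPU check, and a pool reached through an unlisted proxy that the blocklist misses but the command line check still catches.

```python
"""Cryptojacking indicator checks over constructed sample inputs (added example)."""
import re

# Constructed DNS query log; assumed format "<timestamp> <client> <queried name>". Not real data.
DNS_LOG = """\
2018-11-02T10:01:12Z 10.0.0.15 www.example.com
2018-11-02T10:01:13Z 10.0.0.15 coinhive.com
2018-11-02T10:01:20Z 10.0.0.22 cryptography.example.org
2018-11-02T10:02:01Z 10.0.0.31 xmr-pool.example.net
"""

# Constructed blocklist, assumed one-domain-per-line with '#' comments (Coinblockerlists-style).
BLOCKLIST = """\
# constructed sample blocklist
coinhive.com
xmr-pool.example.net
"""

# Constructed process table: (pid, user, command line). The third entry talks to an
# internal proxy on a non-standard port, like the Tesla attackers did, so its real pool
# never appears in DNS or on the blocklist.
PROCS = [
    (1201, "www-data", "/tmp/.x/cpuminer -a cryptonight -o stratum+tcp://xmr-pool.example.net:3333 -u 4AB -p x"),
    (1377, "root", "/usr/bin/python3 /opt/app/worker.py"),
    (1502, "www-data", "/var/tmp/.kworker -o stratum+tcp://10.0.0.5:8443 -u 4AB -p x"),
]

DNS_STRINGS = ("coinhive", "crypto")              # 'crypto' is deliberately broad: expect false positives
MINER_BINARIES = re.compile(r"(?:^|/)(cpuminer|minerd|xmrig)\b")  # xmrig added as an assumption
STRATUM_URL = re.compile(r"stratum\+tcp://([^\s:/]+):(\d+)")      # pool URL form used by cpuminer-style tools


def parse_blocklist(text):
    """Return the set of blocked domains, ignoring blank lines and comments."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def in_blocklist(name, blocked):
    """Suffix match, so sub.pool.example matches a 'pool.example' entry."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))


def dns_hits(log_text, blocked):
    """Return (client, name, reasons) for queries matching a string or the blocklist."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        reasons = [s for s in DNS_STRINGS if s in qname.lower()]
        if in_blocklist(qname, blocked):
            reasons.append("blocklist")
        if reasons:
            hits.append((client, qname, reasons))
    return hits


def process_hits(procs):
    """Return (pid, user, reasons) for processes whose binary or arguments look like a miner."""
    hits = []
    for pid, user, cmd in procs:
        reasons = []
        binary = MINER_BINARIES.search(cmd.split()[0])
        if binary:
            reasons.append("binary:" + binary.group(1))
        pool = STRATUM_URL.search(cmd)
        if pool:
            reasons.append("stratum:%s:%s" % (pool.group(1), pool.group(2)))
        if reasons:
            hits.append((pid, user, reasons))
    return hits


def sustained_cpu(samples, threshold=0.9, window=5):
    """True if `window` consecutive utilization samples (0..1) are at or above `threshold`."""
    run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        if run >= window:
            return True
    return False


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST)
    for hit in dns_hits(DNS_LOG, blocked):
        print("DNS   ", hit)
    for pid, user, reasons in process_hits(PROCS):
        listed = any(in_blocklist(r.split(":")[1], blocked) for r in reasons if r.startswith("stratum:"))
        print("PROC  ", pid, user, reasons, "pool on blocklist" if listed else "pool NOT on blocklist")
    print("thrashing miner:", sustained_cpu([0.95] * 6))   # constructed samples
    print("throttled miner:", sustained_cpu([0.40] * 20))  # constructed samples
```

Running it shows why the measures have to be combined: the blocklist and the ‘coinhive’ string both flag coinhive.com, the ‘crypto’ string raises a lead on cryptography.example.org that an analyst has to dismiss, the throttled miner never trips the CPU threshold, and process 1502 is caught only because its command line carries a stratum pool URL, since 10.0.0.5 is on no blocklist.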

By using these measures together, companies can take a defense-in-depth approach that will make it far harder for crooks to pilfer their computing resources and put their systems at risk.


This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user.