Explained: Cryptojacking
Cryptomining continues to be a mass global industry even if cryptocurrency valuations themselves have remained volatile. Yet, given the need to set up hundreds if not thousands of linked computers to perform the calculations needed to earn a worthwhile amount of cryptocurrency such as Bitcoin, it has inevitably been prone to exploitation by cryptojacking hackers prepared to cheat.
For the cryptojacker looking to take over a computer network, there are two major ways of doing it. One is to deploy browser-based cryptomining scripts. The alternative weapon of choice is embedding malware in a payload injected into a computing device. Under optimum circumstances, access to one device can then open the gates to infecting additional devices and servers in that network, especially where a company is being targeted.
Unlike with many other forms of malware, the individual victim of cryptojacking may not actually realise they are one, since the malware is likely to be quietly mining away in the background. But in the corporate environment, where a number of machines end up being compromised, it may be a different story. Hence, network and IT professionals constantly need to look for tell-tale signs in their networks, such as unusual spikes in power usage and system degradation (the network slowing down, hot CPUs and so on).
While in-browser attacks are sometimes difficult to detect, there are a number of countermeasures available once a threat has been isolated and can be dealt with. Of course, it’s always preferable to have measures in place to forestall any such eventuality.
Either way, the first obvious port of call is an anti-mining browser extension such as MinerBlock, NoScript or No Coin. Which extensions are available depends on the browser being used; some browsers are also more comprehensive than others, in that they may already block known mining domains.
Similarly, anti-virus, anti-malware and ad blocking programmes will need to be updated and tweaked.
Back in March 2019 when Coinhive finally shut its doors – ostensibly due to cryptocurrency valuations crumbling – many in the IT field (wrongly) saw its demise as a game-changer regarding cryptojacking.
An in-browser miner using JavaScript, Coinhive was readily exploited by hackers to mine Monero cryptocurrency. Since JavaScript runs on most websites, all the unwitting victim needed to do was open an ‘infected’ page and let the mining script do the rest. In other words, no installation or opt-in was required.
As more people visited various sites, more processing power was sucked out in order to mine the cryptocurrency, a far cry from Monero’s original stated (and legitimate) aim, when it released its mining code in 2017, of offering website owners the chance to earn money on the side without alienating users by bombarding them with intrusive ads.
Coinhive may have gone away but Monero certainly hasn’t. Indeed, a January 2019 study, ‘A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth’, undertaken by researchers from King’s College London and Universidad Carlos III de Madrid, estimated the proportion of illicit Monero currency in circulation to be around 4.4% of total supply. That is down on the previous estimate of 5%, but still a significant factor.
Meanwhile, according to SonicWall’s Cyber Threat Report, cryptojacking volume hit 52.7 million registered attacks for the first six months of 2019, up 9% on the previous six-month period.
Unsurprisingly, institutional and corporate victims of cryptojacking have read like a ‘who’s who’ including – beyond obvious targets such as government websites – luminaries such as Tesla.
Cryptojacking is an energy-intensive process, meaning corporates may face slower-running networks (as processing power is diverted), higher electricity bills and server costs and, in extreme cases, even downtime (hardware issues), leading to possible reputational damage.
Illustrating this point, cybersecurity solutions provider Radiflow was called in by an unnamed European water utility, eventually discovering that the utility’s operational technology network had been compromised by cryptocurrency malware.
The process of detecting and eliminating malware on the utility’s supervisory control and data acquisition (Scada) network started with connecting Radiflow’s iSID industrial threat detection system to the network.
Scada gathers and analyses real-time data and is used to monitor and control plant and equipment in sectors such as telecommunications, oil and gas refining, transportation and so on.
Once Radiflow’s iSID detected abnormal activity, it was able to indicate the port and destination IP address used for the attack, which were then used to update the utility’s anti-virus and firewall rules and prevent the recurrence of such attacks.
Reputational damage may be the eventual result, but the more immediate concern is that a malware attack can cause industrial control applications to slow down, freeze or even crash, potentially degrading an operator’s ability to manage a plant at all.
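As an added illustration (not code from the article, from Radiflow or from the utility), the following Python turns the two tell-tale signs discussed above into detection logic over constructed telemetry: hosts whose CPU stays pegged rather than merely spiking, and the destination IP and port those hosts keep contacting, rendered as the kind of firewall drop rule the utility applied. Hostnames, addresses, ports and thresholds are assumed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (not from the article): (host, minute, cpu_pct).
CPU_SAMPLES = [
    ("hmi-01", 0, 22), ("hmi-01", 1, 96), ("hmi-01", 2, 97), ("hmi-01", 3, 98),
    ("hmi-01", 4, 95), ("hmi-01", 5, 99), ("hmi-01", 6, 97),           # pegged: mining-like
    ("ws-02", 0, 30), ("ws-02", 1, 91), ("ws-02", 2, 28), ("ws-02", 3, 25),
    ("ws-02", 4, 27), ("ws-02", 5, 26), ("ws-02", 6, 24),               # one-off spike only
]
# Constructed outbound connection records: (host, dst_ip, dst_port); TEST-NET addresses.
CONNECTIONS = [
    ("hmi-01", "203.0.113.50", 3333), ("hmi-01", "203.0.113.50", 3333),
    ("hmi-01", "203.0.113.50", 3333), ("hmi-01", "192.0.2.10", 443),
    ("ws-02", "192.0.2.10", 443), ("ws-02", "192.0.2.11", 443),
]

def sustained_high_cpu(samples, threshold=90, min_run=5):
    """Hosts whose CPU stayed above `threshold` for `min_run` consecutive samples.
    A momentary spike (ws-02) is ignored; a miner keeps the CPU pegged."""
    by_host = defaultdict(list)
    for host, _minute, cpu in sorted(samples):
        by_host[host].append(cpu)
    flagged = set()
    for host, series in by_host.items():
        run = 0
        for cpu in series:
            run = run + 1 if cpu > threshold else 0
            if run >= min_run:
                flagged.add(host)
                break
    return flagged

def repeated_destinations(conns, hosts, min_count=3):
    """(dst_ip, dst_port) pairs the flagged hosts contacted at least `min_count`
    times: the persistent destination stands out by repetition, not by volume."""
    counts = Counter((ip, port) for host, ip, port in conns if host in hosts)
    return {pair for pair, n in counts.items() if n >= min_count}

def block_rules(pairs):
    """Render each suspicious destination as an iptables OUTPUT drop rule, the
    sort of firewall update applied once the port and address are known."""
    return [f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP"
            for ip, port in sorted(pairs)]

if __name__ == "__main__":
    miners = sustained_high_cpu(CPU_SAMPLES)
    for rule in block_rules(repeated_destinations(CONNECTIONS, miners)):
        print(rule)
```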
On the face of it, the main headwinds for cryptojackers going forward are likely to come from increasing cross-border collaboration.
Trend Micro’s collaboration (in 2019) with Interpol and law enforcement officials across 10 ASEAN countries, under the ‘Operation Goldfish Alpha’ banner, is a case in point and can be chalked up as a major success.
The company developed a Cryptojacking Mitigation and Prevention guidance document, detailing how vulnerabilities in MikroTik routers had exposed countless users in the region to the risk of compromise by cryptomining malware.
The document also explained how to scan for this flaw using the company’s HouseCall for Home Networks and how HouseCall could be used to detect and delete the Coinhive JavaScript that hackers were using to mine for digital currency on infected PCs.
More than 20,000 routers were subsequently identified, and the incidence of infection was eventually reduced by 78%.
And yet, this came against the backdrop of the company’s own data showing cryptocurrency mining malware being the most detected threat in the first half of 2019 in terms of file-based threat components.
Part of the problem is that the threat posed by cryptojacking is usually a function of the value of cryptocurrencies themselves. In short, as cryptocurrency values rise, hackers gear up their activities accordingly, because market conditions make it worth their while.
By Martin Morris, senior staff writer, FinTech Futures