Worried about cryptojacking? Here’s what you need to know
September 13, 2018
Adam Vincent, CEO, ThreatConnect, on the rising threat of cryptojacking and what you can do to protect your business.
The cyber security space is ever changing, and new threats are coming our way every day. One of the most concerning is covert crypto-mining, for both companies and individuals. Willem de Groot found that at least 2,500 sites are running code for crypto-mining within the browsers of unknowing visitors.
It is well-known that Bitcoin has been experiencing a significant slump as of late, but there is still plenty of money to be made from cryptocurrency, and cyber criminals have been quick to realise this.
It may be a relatively new threat; however, it is likely that if it is not dealt with swiftly, it may become the next incarnation of ransomware – meaning that victim’s CPU responses will be wrung dry by malicious code.
Stopping this malicious activity won’t be a simple task. Law enforcement will find it challenging to track down the perpetrators due to the anonymous nature of cryptocurrency.
Crypto-mining is the process of harnessing large-scale computing power to solve cryptographic problems as fast as possible. Each cryptocurrency software publishes a new problem every few minutes, and the first person to successfully crack it by finding the correct cryptographic ‘key’ is given a ‘reward’ in the relevant currency.
The cryptography is designed so that the only way to find the key is to spin random numbers until you hit on the right one by chance. In pursuit of this goal, hackers can draw on compromised machines’ CPU and power supply to help solve the problem.
The sheer number of machines working on each problem worldwide means that you need a lot of power to be the first to find the solution. The average ‘crypto mine’ – really just a massive server installation spinning random number generators at colossal speed – uses electricity at an extremely expensive rate, and needs a lot of human maintenance.
At some point in the last few years, an enterprising miner clearly hit on the idea that it would be much cheaper to use somebody else’s computers and electricity than their own. Since then, the number of cases of ‘cryptojacking’ has spiralled upwards.
There are a few ways an innocent bystander can be tricked into a mining service. Hackers can exploit known system bugs to gain access to out-of-date web software (as in the examples found by de Groot) and then direct it to mine behind the scenes in users’ browsers.
They can create spoofed sites to implant malware on visitors’ machines, which links their CPU to your mining operation. Or they can use phishing emails to deliver malicious code and hook victims into their mining network – really just an update to the old botnet formula.
Obviously, security teams should be well-versed in how to resist phishing and spoofing. But the malware doesn’t have to be implanted directly onto your system to pose a danger. Simply visiting a corrupted site can hook your computer’s power into a covert mining operation for as long as the page is open – and there’s no easy way to tell if a site has been compromised.
The upshot of all this is that covert crypto-mining poses a serious financial and reputational danger to companies. If your employees regularly access compromised sites, your electricity bill could soar while your system’s efficiency plummets.
If your own site is cracked by hackers, you could inadvertently rope your prospects into mining. A handful of poorly-handled, well-publicised crypto-mining incidents in customers’ browsers could have a serious impact on your reputation as a secure company.
It’s even conceivable that advanced forms of crypto-mining could tax victims’ systems to the extent that they become unusable, effectively taking compromised machines offline. The results would be disastrous for productivity and reliability alike, ultimately hitting the bottom line.
The key question, then, is how do you defend against a threat type that’s so difficult to detect – so covert? To extend the image, look at espionage - MI5 tackles covert operations with intelligence gathering. That’s the long and short of what companies should be doing to defend themselves in this scenario.
Security teams should be equipped with a threat-intelligence-led defence, as this will provide them with the necessary tools to detect malicious mining activity and the sources of the code running these programmes, along with managing the live threats that come in on a day-to-day basis. Knowledge is power in this case.
If security teams are clued up on their networks, they can easily spot any potential mining activity. The enormous mass of code that these researchers must deal with on a daily basis means that a wide array of threat intelligence can ensure greater accuracy when it comes to threat detection.
Knowledge is also incredibly valuable beyond the internal networks, if you are able to understand who is behind any covert mining which is identified. Is it a single hacker looking to make some extra cash, or a full blown mine illegally using resource from outside its borders? Therefore, sharing is caring.
By accessing open-source threat data from other organisations, and sharing your own, one can build a broad and detailed picture of the adversary they face. Once this information is collated, your defence will be notably strengthened.
The reality is that cryptojacking won’t be going anywhere any time soon. The underlying technology will be around for years to come just as long as there is money to be made, and your systems are vulnerable enough to be targeted. So rather than attempting to win the war, fight the present battle and keep the hackers at bay.
Ensure you have the tools to monitor the activity within the network and register any mining activity before it has a chance to damage your business. In a world of espionage and counter-espionage, the player with the most information wins.
A suspected hacker stole approximately £290,000 in cryptocurrency from digital wallet provider BlackWallet by injecting a malicious code into the firm's DNS server. A malicious code injected by the hacker …