Earlier this year, Symantec Threat Intelligence revealed that cryptocurrency mining (cryptojacking, cryptomining) operations rose by 1,200 percent in the UK in a matter of a few months. In March, the UK ranked fourth in the world in terms of cryptocurrency mining operations behind the United States, Japan, and France.
Hackers behind such cryptocurrency mining operations not only targeted individual home computers or enterprise systems but also targeted giant servers and cloud infrastructure to mine cryptocurrency.
In February, for instance, a massive cryptocurrency mining operation forced the government to shut down hundreds of websites belonging to the Student Loans Company, several NHS services, and local councils. The operation was carried out by hackers who compromised a widely-used browser plug-in, reaching thousands of websites through it and subsequently mining cryptocurrency using the processing power of infected devices.
Steve Giguere, lead EMEA engineer at Synopsys, then warned that the technique hackers employed in February to use government websites to mine cryptocurrency could also be employed for DDoS attacks in the future.
Cryptocurrency mining beats ransomware attacks
It seems his prophecy is now coming true. A new report from security firm Check Point has revealed that the percentage of organisations impacted by mining rose from around 20 percent last year to 42 percent worldwide in the first three months of 2018.
“Motivated by a clear interest to increase the percentage of computational resources leveraged, and crafted to be even more profitable, crypto-miners today target anything that could be perceived as being in their way.
“As a result, we have witnessed crypto-miners targeting SQL Databases, industrial systems, a Russian nuclear plant, and even cloud infrastructure. Crypto-miners have also highly evolved recently to exploit high-profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates.
“As threat actors become more aware of the lucrativeness of the crypto-business, even more than other exploits, there is almost never a day that goes by without some kind of crypto-threat making the headlines,” the firm noted.
Cloud infrastructure the new target
Researchers at Check Point added that hackers behind cryptocurrency mining operations have taken a new liking to cloud infrastructure, considering that cloud servers have vast computational power that can facilitate efficient mining. Well-known attacks on cloud infrastructure in the past few months include the ones on Docker and Kubernetes systems as well as the one on Tesla’s internal cloud servers.
“Application Programming Interfaces (APIs) that are used to manage, interact with and extract information from services have also been a target for threat actors. The fact that cloud APIs are accessible via the Internet has opened a window for threat actors to take advantage and gain considerable access to cloud applications.
“As time passes, it seems that the cloud’s threats will continue to evolve. Attackers will continue to develop more and more tools for their cloud playground, pushing the limits of the public cloud services. Indeed, as new cloud exploitations emerge, there is no doubt that the next attack is already taking place,” they warned.
Statistics released by Check Point revealed that of all organisations worldwide that have been affected by cryptocurrency mining malware this year, 30 percent have been impacted by Coinhive, 17 percent by JSECoin, 7 percent by XMRig, 6 percent by AuthedMine and 3 percent by RubyMiner.
Commenting on the fresh rise in the number of cryptocurrency mining operations, Andy Norton, director of threat intelligence at Lastline, said that cryptocurrencies like Monero have really opened the door for botnet operators to create this trend.
“Monero brought two key things to the criminal arsenal: first, it uses the CryptoNight algorithm, which is suitable for mining coins on everyday devices, and second, it uses ring signatures, which offer complete anonymity to botnet miners. Recently the botnet operators started adding tried and trusted malware evasion techniques to the mining payloads in order to avoid being blocked by sandbox checks,” he said.