How real is the threat of cryptojacking?
3 December 2018
Danielle Russell, group product marketing manager at AlienVault, an AT&T company, says that 2018 was the year of cryptojacking. Can companies protect themselves and how?
It is commonly understood within the cybersecurity industry that 2017 was the year of ransomware, with the NotPetya and WannaCry attacks stealing the limelight. 2016 was the year of the ‘hack’, or rather of the public nature of certain hacks, such as the Yahoo data breach and Fancy Bear’s successful hack on the World Anti-Doping Agency.
What has become synonymous with 2018? Has ransomware continued to be prominent or have cybercriminals found a new method to their madness? With cybercriminals seemingly latching onto the hype surrounding the emerging cryptocurrency markets, cryptojacking has become the latest craze.
In fact, during the first half of 2018, the number of cryptojacking attacks detected increased 141 percent. So, what is this relatively new type of attack that has been consuming the headlines of 2018?
Definition and Main Targets
For those unclear on cryptojacking, it is the act of using another’s computational resources without their knowledge or permission for cryptomining activities. It involves cybercriminals stealing CPU cycles wherever they can, including from mobile devices, laptops or servers, with the end goal of mining popular cryptocurrencies like Bitcoin and Monero.
While the traditional mining process for cryptocurrencies can often be demanding, expensive and time-consuming, cyber attackers have developed this economical (read: free) technique to source new coins by exploiting an individual’s devices. By effectively controlling a victim’s device and turning it into a cryptomining bot, the attack commonly runs in the background, silently, and often without the victim knowing.
A worrying aspect of cryptojacking is that any organisation or individual can be a target. Many make the critical mistake of assuming they are too small or low-profile to be a potential target and fail to put adequate preventative measures in place. In fact, in a recent slew of cryptojacking attacks, Make-A-Wish Foundation was a victim, along with hundreds of other sites, further proving the lack of morality amongst these hackers.
The devastation caused by ransomware can be brutal to both individuals and organisations alike. You only have to remind yourself of how disruptive WannaCry was to the NHS. Cryptojacking, on the other hand, may be less obvious or noisy, but can still cause havoc to the business if not appropriately handled.
For example, hackers recently injected a cryptomining tool called Coinhive across the Wi-Fi service at a Starbucks in Argentina, which exploited vulnerabilities on the website and slowed the page loading time, allowing the attackers to absorb more resource power while the customer waited for the website to load. As a result, it drove away customer interaction with the site.
For organisations operating in the cloud, suffering data loss could become an unfortunate reality. While some organisations might have auto-scaling limits in place to protect against attackers syphoning resources overnight for cryptomining, attackers have devised cryptojacking tools that set out to delete existing services once the limit has been reached.
Yet, even worse could still occur. With cybercriminals becoming expansive and creative with their attack methods, there is a high risk that they will package various attack modules into one attack campaign. This could include a cryptominer nestled alongside ransomware, a keylogger or a backdoor.
Attackers are determined to fully maximise profits from an attack, whether by stealing resources, data, or both, so organisations and security personnel must not underestimate their intentions. Having the appropriate countermeasures in place is a step in the right direction.
Protect Your Company
The best practices for detecting and defending against cryptojacking attacks are no different from detecting other types of malware and advanced threats. Organisations should take a multi-layered approach to security that includes prevention, advanced threat detection, and incident response to help locate any security blind spots across the entire IT infrastructure.
Because cryptojackers commonly target insecure cloud environments, it's important to have visibility of any cloud configuration issues and to be alerted to any anomalous activities and behaviours within your cloud environment, such as a new cloud user starting a high number of instances or deleting other user accounts.
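The alerting rule described above, as an added example that is not part of the original article: it flags a newly created user who starts a high number of instances, and any user who deletes another account, over constructed records shaped like AWS CloudTrail events. The 7-day "new user" window, the 10-instance threshold and all user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NEW_USER_AGE = timedelta(days=7)  # assumption: "new" means created in the last 7 days
MAX_INSTANCES = 10                # assumption: launch budget for a new user

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return sorted (user, reason) alerts for the two behaviours in the text."""
    created = {}                 # user -> time the account was created
    launched = defaultdict(int)  # user -> instances started while still "new"
    alerts = set()
    for e in sorted(events, key=lambda r: parse_time(r["eventTime"])):
        when = parse_time(e["eventTime"])
        actor = e["userIdentity"]["userName"]
        params = e.get("requestParameters") or {}
        if e["eventName"] == "CreateUser":
            created[params["userName"]] = when
        elif e["eventName"] == "RunInstances":
            born = created.get(actor)
            # Only accounts whose creation was seen recently count as "new".
            if born is not None and when - born <= NEW_USER_AGE:
                items = params.get("instancesSet", {}).get("items", [])
                launched[actor] += sum(i.get("maxCount", 1) for i in items)
                if launched[actor] > MAX_INSTANCES:
                    alerts.add((actor, "new user started many instances"))
        elif e["eventName"] == "DeleteUser" and params.get("userName") != actor:
            alerts.add((actor, "deleted another user account"))
    return sorted(alerts)

def record(time, actor, name, params):
    """Build one constructed, simplified CloudTrail-style record."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"userName": actor}, "requestParameters": params}

def run(count):
    return {"instancesSet": {"items": [{"maxCount": count}]}}

# Constructed sample data, not taken from any real environment.
SAMPLE = [
    record("2018-11-01T09:00:00Z", "admin", "CreateUser", {"userName": "svc-build"}),
    record("2018-11-01T09:05:00Z", "svc-build", "RunInstances", run(8)),
    record("2018-11-01T09:06:00Z", "svc-build", "RunInstances", run(8)),
    record("2018-11-01T09:10:00Z", "svc-build", "DeleteUser", {"userName": "alice"}),
    record("2018-11-02T10:00:00Z", "ops", "RunInstances", run(20)),  # long-standing user
]

if __name__ == "__main__":
    for user, reason in detect(SAMPLE):
        print(f"ALERT {user}: {reason}")
```

The long-standing `ops` user launching 20 instances raises no alert here because the rule only scores accounts whose creation appears in the log window; a production rule would also baseline established users.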
While cloud services typically have their own built-in security features, they vary widely and ultimately do not give you the full context of everything happening across your cloud, multi-cloud, and on-premises environments.
As more mid-size enterprises adopt cloud services like AWS, Azure, Office 365, and G Suite as part of their digital transformation, gaining visibility into where assets are located and ensuring security measures are in place across all cloud environments is paramount.
Whenever new technology is revealed, there will always be criminals determined to exploit weaknesses, and the heightened publicity of cryptocurrency over the past 12 months has certainly contributed to the number of cryptojacking incidents.
Whether this trend will continue, only time will tell, but with more emerging crypto markets, it is likely. Nevertheless, security teams cannot rest on their laurels: while a cryptojacking attack might not be as acutely devastating as a ransomware attack, its cunning manner can still cause serious damage and become a nuisance to any organisation.