
SoS Musings #19

Unpacking Cryptojacking

Cryptocurrency is a digital currency that is becoming an increasingly popular form of investment. In contrast to conventional currencies, cryptocurrency is not centrally managed or facilitated by banks or other financial institutions. The "crypto" in cryptocurrency derives from the use of cryptography to secure and verify the transfer of funds. Cryptocurrency transactions are processed and finalized via a decentralized distributed ledger called a blockchain. Cryptocurrency mining is the process by which the digital currency is created. Cryptomining requires miners in a blockchain network to verify cryptocurrency transactions by solving computationally hard problems built on cryptographic hash functions in order to add blocks of transactions to the chain. The process is competitive: the miner who solves the problem and adds the block first is rewarded with cryptocurrency. A cryptominer must also have the equipment necessary to mine effectively. A standard PC is no longer sufficient for cryptomining, as the process requires a massive amount of processing power and electricity and the number of people mining has increased significantly. Miners therefore need high-quality GPUs or computers containing specialized hardware geared towards cryptomining, which drives up the cost of participating. In order to compete, hackers have turned to the malicious act of cryptojacking to steal computing resources.

The computational demands of mining cryptocurrency have led to a significant increase in cryptojacking, an attack in which unsuspecting users' computer processing power is hijacked without authorization in order to mine cryptocurrency. Hackers continue to use cryptojacking to increase the speed at which they mine cryptocurrency without having to invest in the specialized computer equipment required to mine legitimately and effectively. There are two main forms of cryptojacking: one uses phishing tactics to deceive users into downloading cryptomining malware onto their computing devices, and the other injects cryptomining scripts into websites or widely distributed web ads. According to Symantec's Internet Security Threat Report, cryptojacking attacks increased rapidly in 2017, with the security company reporting that an estimated 8 million cryptojacking events were detected and blocked in the month of December alone. In the first quarter of 2018, McAfee observed a 629% increase in cryptojacking malware samples. Although these attacks do not affect data, they drain computing resources, leading to slower computer performance, higher electricity bills, and shorter device lifespans. Both individuals and organizations are affected, but the consequences for organizations hit by cryptojacking are greater, as the attacks may significantly raise the costs of electricity and IT labor as well as diminish opportunities.

Recent reports on cryptojacking attacks have highlighted the prevalence and amplification of such attacks. According to Check Point's Global Threat Index for September 2018, two of the top malware threats detected by the security company, Coinhive and Cryptoloot, perform cryptocurrency mining. Coinhive and Cryptoloot are legitimate online services that allow website owners to generate an alternative source of revenue by mining cryptocurrency on their sites using JavaScript libraries. However, these JavaScript libraries have been misused by malware authors to perform cryptojacking through hacked sites, mobile apps, desktop software, and more. Check Point researchers have observed Coinhive to be the most prevalent mining malware, with 19% of organizations globally now being impacted by it. Recently, Coinhive mining malware has been used in the infection of more than 30,000 MikroTik routers across India, following an infection of over 200,000 MikroTik routers across Brazil that also used Coinhive. In these incidents the compromised routers' capabilities were used to inject the mining script into web pages visited by users of the affected devices in order to mine Monero cryptocurrency. In addition, Check Point has reported a 400% rise in cryptojacking attacks targeting Apple iPhones using Coinhive mining malware. Another cryptomining malware, called XMRig, has recently been discovered by Palo Alto Networks' Unit 42 threat research team to be distributed via fraudulent Adobe Flash updates that appear legitimate because the installer does download a Flash Player update while also installing the cryptomining malware on unsuspecting victims' PCs to mine Monero. RedLock has also brought further attention to the infiltration of public cloud environments by hackers who use the cloud computing resources of these environments to mine cryptocurrency.
Cryptojacking is also a threat to critical infrastructure, as shown by the injection of cryptomining malware into a water utility's control system in Europe that could have disrupted the management of the plant. As cryptojacking attacks continue to grow in frequency and intensity, security practices must be implemented or strengthened to prevent and detect them.

Cryptojacking attacks are expected to continue to rise in conjunction with the increasing popularity of cryptocurrency, which calls for organizations and individuals to improve their security practices to prevent such attacks. Recent cases in which MikroTik routers were compromised to perform cryptojacking highlight the importance of device owners applying the patches issued to address the critical vulnerabilities that hackers exploit to install cryptomining malware. The increase in cloud cryptojacking calls for database encryption and constant monitoring of cloud resources. As cryptojacking attacks rely mostly on phishing tactics and the injection of malicious scripts into websites or web ads, organizations should consider security awareness training, so that users understand how phishing is used to distribute cryptomining malware, together with ad blocking and advanced endpoint protection to detect and block crypto miners. Network monitoring is also recommended for organizations, since monitoring all web traffic is likely to reveal cryptomining activity. In efforts to combat the increase in malicious cryptojacking activities, Google has also banned and removed cryptocurrency mining extensions from its browser and the Chrome Web Store.
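The network-monitoring recommendation above, and the earlier point that the Coinhive and Cryptoloot JavaScript libraries are loaded from the web by affected pages, can be turned into a simple detection over web-proxy logs. The following script is an added example written for this article; it is not a tool from any of the vendors named here. The log format, the client addresses, and the indicator hostnames are constructed for illustration (the article names the services but not their domains, so those hostnames are assumptions), and a real deployment would load indicators from a maintained feed. It flags two things a defender would want to see: page loads that fetch a known in-browser miner script, and outbound connections that use the Stratum mining-pool protocol, which has no legitimate purpose on most corporate networks.

```python
"""Scan web-proxy log lines for cryptojacking indicators.

Added example for this article. Log format, sample traffic and indicator
hostnames are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed indicator set. These hostnames are assumptions made for the
# example; a real deployment would use a maintained indicator feed.
MINER_SCRIPT_HOSTS = {
    "coinhive.com",      # assumed host of the Coinhive browser miner library
    "crypto-loot.com",   # assumed host of the Cryptoloot browser miner library
}

# Mining pools are normally reached over the Stratum protocol, written as a
# stratum:// or stratum+tcp:// (or +ssl) URL. Such traffic is a strong signal.
STRATUM_RE = re.compile(r"^stratum(\+(tcp|ssl))?://", re.IGNORECASE)

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    url: str
    reason: str  # "stratum-url" or "miner-script-host"


def extract_host(method: str, url: str) -> str:
    """Return the lower-cased destination host of a proxy log entry.

    CONNECT requests (HTTPS tunnels) carry "host:port" instead of a full URL.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matches_miner_host(host: str) -> bool:
    """True if host is an indicator host or a subdomain of one.

    The explicit "." prefix avoids matching look-alikes such as notcoinhive.com.
    """
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag entries that fetch a miner script or talk to a Stratum pool."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        method, url = m["method"], m["url"]
        if STRATUM_RE.match(url):
            findings.append(Finding(m["ts"], m["client"], url, "stratum-url"))
        elif matches_miner_host(extract_host(method, url)):
            findings.append(Finding(m["ts"], m["client"], url, "miner-script-host"))
    return findings


def affected_clients(findings: Iterable[Finding]) -> List[str]:
    """Sorted list of client IPs with at least one finding, for triage."""
    return sorted({f.client for f in findings})


# Constructed sample log: three internal clients; two load a miner script
# (one also opens the miner's WebSocket tunnel) and one reaches a Stratum pool.
SAMPLE_LOG = """\
2018-10-02T10:15:01Z 10.0.0.12 GET https://news.example.org/index.html 200
2018-10-02T10:15:02Z 10.0.0.12 GET https://coinhive.com/lib/coinhive.min.js 200
2018-10-02T10:15:03Z 10.0.0.12 CONNECT ws.coinhive.com:443 200
2018-10-02T10:16:10Z 10.0.0.44 GET https://cdn.example.net/app.js 200
2018-10-02T10:16:11Z 10.0.0.44 GET stratum+tcp://pool.example.invalid:3333 000
2018-10-02T10:17:00Z 10.0.0.7 GET https://crypto-loot.com/lib/miner.min.js 200
2018-10-02T10:17:30Z 10.0.0.7 POST https://intranet.example.org/api 204
""".splitlines()


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.client} {f.reason}: {f.url}")
    print("clients affected:", ", ".join(affected_clients(results)))
```

Run against the constructed sample, the script reports four findings across three clients. Because the Coinhive-style miner opens a WebSocket back to its service host, the CONNECT tunnel is caught by the same subdomain match that catches the script download, which is why the host check compares on a dot boundary rather than on a plain substring.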

As cryptojacking attacks continue to grow, individuals and organizations must be aware of the ways in which such attacks are distributed and performed in order to avoid falling victim to them. Researchers must also continue working on the detection of these attacks and encouraging the use of best practices against them.