What Is Cryptojacking and How to Protect Your Enterprise and Devices
Cryptojacking: The Silent Intruder
Cryptojacking, as the name suggests, is when criminals gain unauthorized access to targeted devices and steal their computing power to mine cryptocurrency. Unlike a typical cyberattack that directly damages the victim’s system and data, cryptojacking is unusual in that the attackers do their best to avoid causing any noticeable disruption, so that they can stay under the radar while secretly consuming the victim’s computing resources.
The Rise of the Cryptomining Business
With tremendous investments pouring into the cryptocurrency market, some of the most popular coins like Bitcoin (BTC) and Ethereum (ETH) now have hundreds of billions of dollars in market capitalization. This has made cryptomining a lucrative business for those who want to earn some quick cash.
Since cryptocurrencies operate on decentralized databases called blockchains, they rely on individuals to provide computing power to create each new block. These individuals then get a small amount of coins for each contribution. Such practice of trading computing resources in return for cryptocurrency is called cryptomining.
From Cryptomining to Cryptojacking
Despite seeming like a profitable business model, the huge overhead expense of cryptomining makes it difficult for the average person to participate. To start mining, a large number of highly efficient and powerful computing devices are needed. Regular PCs in the consumer market are far from efficient enough to generate any meaningful profit unless operated at a tremendous scale.
Ongoing electricity cost is another heavy burden. Processing an average Bitcoin transaction takes over 1,000 kWh of electricity, enough to power a house for six weeks. Just imagine being hit by six weeks of electricity bills every ten minutes.
This is how cryptojacking became popular. By stealing computing resources (and electricity) from their victims, cryptojackers reap the gains of mining cryptocurrencies like Bitcoin without having to purchase powerful computing hardware or pay astronomical electricity bills.
Moreover, compared to other financially motivated cyberattacks, cryptojacking requires very little technical skill since pre-made software can be found on the dark web for less than $100. A ransomware attack, on the other hand, requires sophisticated skills to deploy and operate. Readily available ransomware-as-a-service (RaaS) costs much more than cryptojacking software and requires the attacker to make a range of commitments.
Additionally, the risks involved in cryptojacking are much lower than those of ransomware deployment, because cryptojacking can stay undetected for a very long time. Even after the victim detects the intrusion, they have very little incentive to report it to the police because nothing is stolen, whereas ransomware attacks can escalate quickly and make global headlines.
Three Types of Cryptojacking Methods and Prevention
The concept of exploiting a device for cryptomining is straightforward: the attacker needs to run cryptojacking code on the device, instructing it to secretly mine cryptocurrency in the background. The code is usually deployed using cryptojacking software, and such software has become increasingly capable of staying undetected. For example, rather than consuming the entire CPU, it can cap its own usage at around 30% of the processing power so that the user experiences no noticeable slowdown or lag. Here are several common methods attackers use to deploy cryptojacking software.
1. Phishing
Like most cyberattacks that aim to deploy malware on their targets, phishing is always a popular choice because the victim effectively does the deployment for the attacker. By composing seemingly legitimate emails or chat messages, the attacker tricks the victim into clicking a malicious link or attachment that runs the code locally on the computer. Unlike other malware or ransomware attacks, the entire process is meant to stay hidden, so the victim might never realize they were tricked.
Most often, phishing-based attacks deploy and store the cryptojacking software directly on the targeted computer. Once infected, the device stays infected indefinitely unless the software is detected and removed. Because the malware resides on the machine the whole time, these file-based miners are relatively easy to discover through close inspection, and users are also more likely to notice a persistent change in computer performance.
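The two performance signatures mentioned above, a miner capping itself near 30% and a process pinned at high usage for a long time, are both visible to a simple host-side check. The following is an added example, not code from the original article or from Penta Security: it groups per-process CPU samples (constructed data; the PIDs, names, values and all thresholds are assumptions) and flags only processes whose usage is sustained, so that short bursts such as a backup or a compile are not reported.

```python
"""Host-side check for throttled miners: flag processes whose CPU usage is
either persistently high or pinned in a narrow band over many samples.
Added example; not Penta Security code. Thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: CPU percentage per process, as if polled every
# 10 seconds by a host agent. PIDs, names and values are invented.
SERIES = {
    (4201, "svc_helper"): [29, 31, 30, 28, 30, 31, 29, 30, 32, 30, 29, 31],
    (3310, "browser"):    [68, 72, 70, 69, 71, 70, 72, 68, 70, 71, 69, 70],
    (2207, "editor"):     [3, 40, 12, 0, 35, 5, 22, 1, 18, 44, 7, 2],
    (4301, "compiler"):   [60, 5, 80, 2, 55, 10, 70, 3, 65, 8, 50, 4],
    (5120, "backup"):     [95, 97, 94],
}
SAMPLES = [(pid, name, cpu) for (pid, name), values in SERIES.items() for cpu in values]


def profile_cpu(samples, min_samples=6, steady_floor=20.0, steady_jitter=5.0, high_floor=60.0):
    """Group samples by PID and classify each process.

    - 'sustained_high': average usage at or above high_floor (the browser
      sitting at 70% in the text), regardless of jitter.
    - 'steady_band': average at or above steady_floor with very little
      variation, the signature of a miner capping itself at roughly 30%.
    Processes seen fewer than min_samples times are skipped: a short burst
    (a backup job, a compile) is normal and would otherwise produce noise.
    Returns {pid: finding} for flagged processes only.
    """
    by_pid = defaultdict(list)
    names = {}
    for pid, name, cpu in samples:
        by_pid[pid].append(float(cpu))
        names[pid] = name

    findings = {}
    for pid, values in by_pid.items():
        if len(values) < min_samples:
            continue
        avg, jitter = mean(values), pstdev(values)
        if avg >= high_floor:
            verdict = "sustained_high"
        elif avg >= steady_floor and jitter <= steady_jitter:
            verdict = "steady_band"
        else:
            continue
        findings[pid] = {"name": names[pid], "samples": len(values),
                         "mean": round(avg, 1), "stdev": round(jitter, 1),
                         "verdict": verdict}
    return findings


if __name__ == "__main__":
    for pid, f in profile_cpu(SAMPLES).items():
        print(f"pid {pid} ({f['name']}): {f['verdict']} "
              f"mean={f['mean']}% stdev={f['stdev']} over {f['samples']} samples")
```

On the constructed data only `svc_helper` (steady at about 30%) and `browser` (sustained at about 70%) are reported; the jittery editor and compiler processes are not, and the three-sample backup burst is ignored until `min_samples` is lowered. In practice the samples would come from a host agent or EDR telemetry, and a flagged process would then be checked for its on-disk location, signature and network destinations.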
2. Injection
Compared to phishing, injection is a more advanced cryptojacking method that can be deployed on a larger scale. The attacker compromises a targeted website and injects malicious JavaScript or HTML code either into the webpage or into the ads that run on the page. Every time a visitor lands on the infected webpage, the script gets executed by the browser, which deploys the cryptojacking software within the browser. This method uses the browser as a medium to consume the computer’s processing power.
In this case, since the cryptojacking software runs within the browser, no code is stored locally in the computer. This makes it almost impossible for individual end-users to find out that they are being exploited. Even if the victim opens the task manager and sees their browser consuming 70% of the CPU, most unsuspecting users would blame it on the browser and not give it a second thought.
Deploying cryptojacking code by injection gives the attacker the ability to infect a large number of website visitors. Although most browser-based cryptojacking tools only operate when users open the browser, some advanced programs can continue mining even after the browser is closed. Usually, cryptojacking groups use a combination of phishing and injection attacks to find a balance between file-based and browser-based mining.
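Because injected miners arrive as script tags in the page or in an ad slot, a site operator can audit what a served page actually contains against the scripts it is supposed to carry. The following is an added example, not code from the original article or from Penta Security: it parses a constructed HTML page (the hostnames, allowlist and inline-script indicator strings are assumptions) and flags external scripts from origins outside the allowlist, as well as inline scripts that start Web Workers sized to the CPU count, the usual shape of a browser-based miner.

```python
"""Audit the <script> elements of a served page against an allowlist of
script origins, to catch code injected into the page or its ad slots.
Added example; not Penta Security code. Indicator strings and the
allowlist are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of origins that may serve scripts for this site.
# "self" stands for relative URLs loaded from the page's own origin.
ALLOWED_ORIGINS = {"self", "https://cdn.example.com"}

# Inline-script features worth a second look: in-browser miners typically
# spin up Web Workers (often sized to the CPU count) and run WebAssembly.
WORKER_INDICATORS = ("new Worker(", "importScripts(", "WebAssembly", "hardwareConcurrency")

# Constructed page: the first three scripts are expected; the ad slot loads
# a script from an origin outside the allowlist, and the last inline script
# starts a worker pool sized to the CPU count.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<div class="ad-slot">
<script src="https://ads.example.net/serve.js"></script>
</div>
<script>
var pool = [];
for (var i = 0; i < navigator.hardwareConcurrency; i++) {
  pool.push(new Worker("/static/w.js"));
}
</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None   # not None while inside a <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append({"src": self._src, "body": "".join(self._buf).strip()})
            self._src, self._buf = None, None


def script_origin(src):
    """Return 'scheme://host' for an absolute URL, or 'self' for a relative one."""
    parsed = urlparse(src)
    if parsed.scheme and parsed.netloc:
        return f"{parsed.scheme}://{parsed.netloc}"
    return "self"


def audit_page(html, allowed_origins=ALLOWED_ORIGINS):
    """Classify each script on the page; returns findings in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        if script["src"] is not None:
            origin = script_origin(script["src"])
            verdict = "allowed" if origin in allowed_origins else "unexpected_origin"
            findings.append({"src": script["src"], "origin": origin, "verdict": verdict})
        else:
            hits = [tok for tok in WORKER_INDICATORS if tok in script["body"]]
            verdict = "inline_worker" if hits else "inline"
            findings.append({"src": None, "indicators": hits, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML):
        print(f["verdict"], f.get("src") or f.get("indicators"))
```

Run periodically against the live site (and against the ad network's creatives, which a site owner does not control), this turns the "injected into the page or the ads" case into a diff against a known-good script inventory. The same allowlist is what a Content-Security-Policy `script-src` directive enforces in the browser, so the two checks complement each other.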
3. Cryptojacking worms
More recently, cryptojacking has gone a step further with the emergence of cryptojacking worms. These worms move laterally across enterprise networks and cloud environments by stealing the login credentials of servers and devices. Once these credentials are stolen, the malware gains access to the host device and runs cryptojacking code.
Cryptojacking worms usually target organizations with large IT networks, including both on-premises and cloud networks. In 2020, the first cryptojacking worm optimized for the AWS environment was discovered. Released by the cryptojacking group TeamTNT, the worm was known to infect AWS cloud servers and steal their processing power to mine Monero coins.
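A worm that spreads with stolen credentials leaves a recognisable trace in centralised authentication logs: one source address, with one account, successfully logging in to many distinct hosts within a few minutes. The following is an added example, not code from the original article or from Penta Security: it parses constructed SSH-style log lines (the collector format, addresses, account names, window and threshold are all assumptions) and reports any source/account pair whose successful logins fan out across at least four hosts inside a ten-minute window.

```python
"""Detect credential-driven fan-out: one source logging into many distinct
hosts in a short window, the pattern a lateral-movement worm leaves in
centralised SSH logs. Added example; not Penta Security code. The log
format, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed central-collector format:
# "<ISO time> host=<server> sshd: Accepted <method> for <user> from <ip> port <n>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web-01 sshd: Accepted password for alice from 10.0.1.5 port 50200
2024-05-01T10:03:12Z host=web-02 sshd: Failed password for root from 10.0.5.17 port 51010
2024-05-01T10:04:00Z host=web-01 sshd: Accepted password for svc-backup from 10.0.5.17 port 51022
2024-05-01T10:04:41Z host=web-02 sshd: Accepted password for svc-backup from 10.0.5.17 port 51030
2024-05-01T10:05:20Z host=db-01 sshd: Accepted password for svc-backup from 10.0.5.17 port 51041
2024-05-01T10:06:05Z host=app-03 sshd: Accepted password for svc-backup from 10.0.5.17 port 51055
2024-05-01T10:06:50Z host=app-04 sshd: Accepted password for svc-backup from 10.0.5.17 port 51060
2024-05-01T10:45:10Z host=db-01 sshd: Accepted publickey for alice from 10.0.1.5 port 50310
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_lines(lines):
    """Return successful logins as dicts; failed attempts and other lines are ignored."""
    events = []
    for line in lines:
        m = ACCEPTED.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_fanout(lines, window=timedelta(minutes=10), min_hosts=4):
    """For each (source, user) pair, slide a window over its successful logins
    and report the pair if any window reaches min_hosts distinct hosts.
    One finding per pair, describing the widest window seen."""
    by_actor = defaultdict(list)
    for ev in parse_auth_lines(lines):
        by_actor[(ev["src"], ev["user"])].append(ev)

    findings = []
    for (src, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, anchor in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"source": src, "user": user, "hosts": sorted(hosts),
                        "first": in_window[0]["ts"], "last": in_window[-1]["ts"]}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_fanout(SAMPLE_LOG.splitlines()):
        print(f"{f['user']}@{f['source']} reached {len(f['hosts'])} hosts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}: {', '.join(f['hosts'])}")
```

On the constructed log, `alice` logging in to two hosts 45 minutes apart is normal administration and is not reported, while `svc-backup` from 10.0.5.17 reaching five hosts in under three minutes is. Service accounts are the usual carriers for this kind of spread, so pairing the detection with per-host credentials (or short-lived cloud identities instead of long-lived keys) limits how far a single stolen credential can take a worm.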
Prevention
To protect against cryptojacking attacks, it is most effective to prevent the initial intrusion. For instance, website hosts should adopt a web application firewall (WAF) to protect their websites from injection attacks. As WAF adoption has increased over the past few years, the number of websites injected with cryptojacking code has significantly decreased. A WAF also blocks many other kinds of intrusion attempts that arrive through the application layer. To learn more about WAFs and Penta Security’s third-generation logic-based WAPPLES, see here.
For more information on security implementation, check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Automotive, Energy, Industrial, and Urban Solutions: Penta IoT Security
For detailed inquiries, contact Penta Security’s security consulting team.