Cryptojacking is king for hackers but can be prevented

By Chris Goettl, Security Evangelist at Ivanti

The financial sector has been reluctant to get fully behind cryptocurrencies, but while Bitcoin might have experienced something akin to a crash from its peak of close to $20,000 on December 17th 2017, it (and other cryptocurrencies) is still a hot commodity. With Bitcoin now sitting at a little over $6,000, many have cooled off their interest in cryptocurrencies, and that volatility has done little to convince banks that their customers should be able to use their credit cards to invest. However, there are still a large number of people who see an opportunity to profit, and a small portion of those aren’t looking to invest or mine for the currency themselves; they only want to steal it.


The practice known as cryptojacking sees malicious actors run cryptocurrency-mining software in the background of a user’s computer without their permission or knowledge. Cryptojacking has quickly become the preferred method of attack for hackers, with a recent report claiming that there has been a “massive shift from ransomware to cryptomining”, with the newer tactic accounting for 35 percent of threats. The vast majority of these attacks will mine for a currency called Monero, which, like others, uses a public ledger but the difference is that Monero’s is obfuscated to the point where no one can tell its source, amount or destination. That obfuscation speaks again to the financial sector’s reticence on making any definitive statements about cryptocurrencies. While blockchain-based currencies have the potential to reduce organised fraud, they are currently largely unregulated, with the UK’s Treasury Committee recently describing the crypto-landscape as a ‘Wild West’.

It’s worth noting that cryptojacking is an entirely new form of financial crime. Unlike a bank robbery or printing counterfeit money, the currency being generated is not what is being stolen. It is the computer time that is being stolen. On common processors, the electricity needed to generate cryptocurrency now costs more than the currency generated. So, in this case the threat actor walks away with the information needed to claim the next block in the chain, and you get stuck with a power bill that was larger than the currency generated. In effect, anybody with a computer can mine for cryptocurrency, but making any significant amount of money requires either investment in expensive components purpose-built for cryptomining or transferring that cost to unwitting users, which is exactly what cryptojackers are exploiting.

There are two forms of cryptojacking that both work towards the same end: using a system’s power to mine for currencies. The first form, cryptojacking malware, works in a similar way to other malware variants. Hackers will sneak cryptocurrency miners into software which then runs in a computer’s background processing. This form largely preys upon vectors like out-of-date applications and operating systems, like Windows XP. One large scale crypto hacking attack saw malware inserted into vulnerable versions of the popular Jenkins X platform and hackers pocketed an estimated $3.4 million.

The second variant, called ‘drive-by’ cryptojacking, does not require the installation of any software or applications and can be carried out on any device using a web browser. These attacks take place when web pages infected with a mining script are open on a user’s device. The website will then mine for cryptocurrency using the device without the user’s knowledge or consent. Millions of Android users experienced this in early 2018. Many devices browsing the web found themselves forcefully redirected to a page that claimed: “Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha.” Until the particular code was entered, the phone or tablet was mining for the Monero cryptocurrency at the maximum speed of the CPU. With an average time of four minutes spent on the page per user, each user probably only generated fractions of pennies, but it all adds up. The hackers didn’t quite earn the same amount of money as the previous example (reportedly ‘a few thousand dollars a month’), but that is still money being earned through cryptojacking, and costs are being passed on to users.

Cryptojacking should have an obvious effect on a device, from overactive fans and a fast-draining battery to uncharacteristic sluggishness in use. These symptoms, while obvious to someone who is alert to the issue, can easily go undetected, particularly if the devices are still operational. Users tend to only go to the IT help desk in the event that their device stops working altogether. An affected device will not only perform worse, but there is a higher risk of that device ceasing to work altogether. Cryptomining pushes components to their maximum capacity, which if left for too long can break the individual part, or in worst-case scenarios the overheating could destroy a device entirely or cause a fire.

On top of the costs of potentially having to replace devices and of employees being slowed down comes the added energy bill. For example, the electricity consumed by cryptojacking (Coinhive in this case) on an average desktop computer was 1.212kWh over the space of 24 hours. According to the Energy Savings Trust, the average cost of electricity in the UK per kWh is 14.37p, so this would cost 17.42p per day, or £5.22 per month. With potentially thousands of computers affected within a company, that could add up to a massive energy bill.

There is no one easy solution to prevent cryptojacking; both administrators and users need to do their bit. Organisations need to carefully monitor and check the devices that are on their networks, and when using third-party tools they should put protections in place rather than linking directly to externally hosted source code. Businesses should also adopt a layered approach to cybersecurity that reduces attack surfaces, detects attacks that do get through, and helps cybersecurity professionals to take rapid action to contain malicious activity and software vulnerabilities.
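The symptoms described above (a CPU pinned at its maximum for long stretches) and the call for organisations to monitor the devices on their networks suggest a simple, concrete check a security team can run over endpoint telemetry. The following Python script is an added example and is not Ivanti code; it parses constructed process-CPU samples (the host and process names are made up), flags any process that stays above a CPU threshold continuously for a minimum duration rather than just spiking once, and estimates the fleet-wide electricity cost using the 1.212kWh per day and 14.37p per kWh figures quoted in the article.

```python
"""Sustained-CPU detector for endpoint telemetry.

Added example (not the article's or Ivanti's code). Assumes telemetry lines of
the form "<ISO timestamp> <host> <process> <cpu_percent>"; the sample data
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one sample per minute per process.
# ws-lon-101/updater.exe is pinned near 100% for six consecutive minutes,
# while ws-lon-102/chrome.exe only spikes briefly, which should not alert.
SAMPLE_TELEMETRY = """\
2018-09-03T09:00:00 ws-lon-101 outlook.exe 4.0
2018-09-03T09:00:00 ws-lon-101 updater.exe 98.5
2018-09-03T09:01:00 ws-lon-101 outlook.exe 6.1
2018-09-03T09:01:00 ws-lon-101 updater.exe 99.0
2018-09-03T09:02:00 ws-lon-101 updater.exe 97.8
2018-09-03T09:03:00 ws-lon-101 updater.exe 98.9
2018-09-03T09:04:00 ws-lon-101 updater.exe 99.2
2018-09-03T09:05:00 ws-lon-101 updater.exe 98.7
2018-09-03T09:00:00 ws-lon-102 chrome.exe 95.0
2018-09-03T09:01:00 ws-lon-102 chrome.exe 12.0
2018-09-03T09:02:00 ws-lon-102 chrome.exe 3.5
2018-09-03T09:03:00 ws-lon-102 chrome.exe 91.0
"""

# Figures quoted in the article for one affected desktop.
KWH_PER_DEVICE_DAY = 1.212
PENCE_PER_KWH = 14.37


def parse_telemetry(text):
    """Turn raw telemetry lines into (timestamp, host, process, cpu) tuples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, proc, cpu = line.split()
        samples.append((datetime.fromisoformat(ts), host, proc, float(cpu)))
    return samples


def find_sustained_cpu(samples, threshold=90.0, min_duration=timedelta(minutes=5)):
    """Return {(host, process): (run_start, run_end)} for processes that stay at
    or above `threshold` percent CPU continuously for at least `min_duration`.

    A single high sample is ignored: a miner holds the CPU at its ceiling for
    long, unbroken stretches, whereas legitimate work usually spikes and drops.
    """
    by_key = defaultdict(list)
    for ts, host, proc, cpu in samples:
        by_key[(host, proc)].append((ts, cpu))

    hits = {}
    for key, series in by_key.items():
        series.sort()  # samples may arrive out of order
        run_start = run_end = None
        for ts, cpu in series:
            if cpu >= threshold:
                if run_start is None:
                    run_start = ts
                run_end = ts
                if run_end - run_start >= min_duration:
                    hits[key] = (run_start, run_end)
            else:
                run_start = run_end = None  # the run is broken; start over
    return hits


def estimated_daily_cost_pence(hosts_affected):
    """Rough fleet-wide electricity cost per day, in pence, using the
    article's per-desktop consumption and UK unit price."""
    return round(hosts_affected * KWH_PER_DEVICE_DAY * PENCE_PER_KWH, 2)


if __name__ == "__main__":
    hits = find_sustained_cpu(parse_telemetry(SAMPLE_TELEMETRY))
    for (host, proc), (start, end) in sorted(hits.items()):
        print(f"{host}: {proc} pinned from {start:%H:%M} to {end:%H:%M}")
    affected_hosts = {host for host, _ in hits}
    print(f"Estimated cost: {estimated_daily_cost_pence(len(affected_hosts))}p per day")
```

In practice the threshold and minimum duration should be tuned per device class (a build server legitimately runs hot for long periods), and the flagged process names fed into the existing alerting pipeline rather than printed.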

From a user perspective, staff should be encouraged to employ best cyber practices. This includes not downloading files from suspicious websites or opening attachments from unrecognised email addresses. Users can also protect themselves by employing browser plug-ins that block attempts by websites to hijack their PCs.

It should also be noted that the volatility of cryptocurrency itself might end up being the cure for cryptojacking. As mentioned above, Bitcoin (along with other altcoins) has seen its value plummet over the past year. If cryptojacking can no longer prove profitable because the investment in the tools required is not matched by the reward, then it may well be the markets that solve the issue.

But while that volatility is out of the control of businesses, what they can do is shore up their infrastructure. Cryptojacking is the latest popular tool of hackers, but with the right mind-set and solution it is easily preventable by keeping applications and operating systems up-to-date. By investing in cybersecurity technology and training for users, organisations can defend against cryptominers and deter them from attacking their systems. And maybe with these systems in place, the financial sector can truly start to see the positives in blockchain-based currencies.