Max Heinemeyer, Director of Threat Hunting, Darktrace
Most cyber-attackers aim to steal or jeopardise data, but there is a growing number of hackers who break into your systems to exploit the infrastructure in a different way. They use your computing power to make money by mining for cryptocurrencies – often without you ever finding out.
The weakest point in any cyber-crime operation used to be the monetisation – e.g. selling stolen data or transferring ransom money. Previously, cyber-criminals monetised their operations via banking Trojans/credit card fraud, selling stolen data and ransomware on the Darknet. There used to be a money trail that law enforcement could trace back to the offenders. Cryptocurrencies allow anonymous monetary transactions, basically eliminating the traceable money trail that was the biggest challenge for a lot of cyber-criminals in the past. Criminals are notoriously adaptable and will follow the money wherever it goes, leading to an increase in the popularity of cryptojacking.
The rise in cryptocurrencies
The last 12 months have shown tremendous volatility in the value of cryptocurrencies, of which Bitcoin is the most prominent example. At the start of 2017, Bitcoin lingered around the $2,000 mark before suddenly taking off, climbing to historic highs of almost $20,000 in December 2017. Demand has since subsided, and at the time of writing, the price of Bitcoin is near $10,772.
While Bitcoin is the most popular cryptocurrency, numerous alternatives, often called ‘altcoins’, have emerged and grown in value in the last 12 months. The value of most altcoins is closely tied to the value of Bitcoin and, in many cases, the relationship is broadly proportional – a rise in Bitcoin prompting a similar lift in the altcoins. Monero, which has been rapidly adopted by Darknet markets, has profited from this effect. While Monero was valued at around $10 in January 2017, its price had been pumped up to $419 a year later.
Nowadays it is almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones or desktop computers. At this late stage, it just takes too long to perform the relevant calculations, and the cost of electricity is higher than the anticipated revenue in most cases. Altcoins such as Monero use different algorithms, making them viable alternatives for aspiring crypto-miners. It is often still feasible to mine altcoins on commodity hardware and see a return on investment.
There is much that is still not clear about the cryptocurrency phenomenon. Debate as to its relative value and status as a currency rages and will not be resolved any time soon. However, from a cyber security perspective there can be no doubt that the combination of altcoins being mineable on commodity hardware, the fact that mining is now becoming profitable as a side-effect of Bitcoin’s rise, and a maturity in cryptocurrency-related tech has led to a surge in cryptocurrency-related attacks.
In the past six months alone, Darktrace has detected and intercepted over 1,000 incidents of cryptocurrency mining, and uncovered signs of it in 25% of all customers’ networks – some mining operations are even run by rogue company employees. While the attackers are stealing computing power on a daily basis, they also pose a risk to the wider infrastructure and critical data. An unknown presence on the network is as unpredictable as it is dangerous.
Darktrace has detected several incidents where employees were intentionally installing cryptocurrency mining software on their corporate devices to mine for personal gain – an obvious way to get around the prohibitive cost of electricity for mining cryptocurrency. These employees do not have to pay for the electricity used to run the corporate device in the office, so they turn their employer’s electricity into cash by commandeering it for mining operations. This is a compliance breach, and it increases the attack surface of a device that has mining software installed, putting the corporate device at risk.
However, the users whose devices are mining cryptocurrencies are not always aware of it. Coinhive is a technology that allows website owners to use their visitors’ computing power to mine a tiny fraction of cryptocurrency for the website owner. Visitors will experience a small increase in computer resource consumption while browsing the website. Some websites experiment with this model to create new revenue streams as an alternative to advertising and banner placements.
Coinhive usage is often not an opt-in process. Darktrace has observed various customer devices that regularly visit websites leveraging Coinhive technology. While the power consumption increase for a single device browsing a website with Coinhive is ultimately negligible, the cumulative effect of a sizeable portion of the workforce unwittingly mining cryptocurrencies while browsing websites that use Coinhive is an increased power consumption cost for the organisation as a whole.
An AI-powered defence
Cryptocurrency mining might not be as profitable as ransomware is upfront, but it can be secretly pursued for months without creating the havoc that characterises ransomware attacks. Most users and security products won’t notice a cryptocurrency miner being installed on a corporate device as it does not show obvious threats or messages to a user, except for an occasional increase in the speed of the fan on your computer.
So how can an organisation be sure that the early warning signs of a crypto-mining breach won’t go undetected? Identifying these attacks can be very difficult for traditional security tools as they were not originally designed to catch this type of threat, but AI-powered cyber defence offers the best chance to detect and fight back against crypto-mining attacks – it can correlate even the weakest indicators of such an attack into a compelling picture of threat. While traditional tools may struggle to see these deviations, AI can pinpoint the changes in behaviour effected by cryptocurrency miners without having to rely on any blacklists or signatures.
Revolutionary technologies like cryptocurrencies have both their dark and light aspects. For all of the creative energy released by the blockchain revolution, Bitcoin and its alternatives have quickly become the universal currency of the criminal underworld. There can be no question that cyber-criminals have sensed a new opportunity to make money, and businesses need to adopt technologies that allow them to spot and stop emerging threats, including crypto-mining.