Understanding Cryptojacking & Protecting Businesses From It

18 May 2022


Because it is a more profitable alternative to ransomware and costs less to deploy, cryptojacking is increasingly popular amongst criminals, as reflected in the heightened frequency of such attacks in 2021. What’s more, as cryptocurrencies overall have risen significantly in value in recent years, it is reasonable to expect that cryptojacking will continue to be prevalent.

Cryptojacking is a cyber-attack where threat actors infect the Internet-connected devices of unsuspecting hosts with malware to harness their computing power for crypto mining, or updating crypto blockchains to create tokens and fees. These new tokens and fees are then transferred to the attackers’ crypto wallets. Cryptojacking can affect not just computers, but smartphones, tablets and even servers as well.

Nowadays, hackers will spread out unauthorised crypto miners across a group of hijacked devices, instead of one host, to mine at a lower intensity and minimise the likelihood of detection. This makes networks of connected computers, including an organisation’s data centre, appealing targets. This also makes botnets an increasingly preferred tool to infect hundreds of machines with cryptojacking malware.

Cryptojacking is a threat of deception

While cryptojacking is generally not intended to steal data or damage systems, it still produces direct and indirect losses for victims, and these are compounded the longer it remains undetected. Besides quietly consuming electricity and degrading hardware performance, cryptojacking programmes can open up secured ports to contact their command-and-control infrastructure and disable antivirus software. This raises the vulnerability of a network to other attack vectors. Cryptojacking can also be used by hackers as cover for more complex attacks like keylogging, data exfiltration, and credit card skimming.

Unfortunately, performance reductions in computer systems can be attributed to a wide variety of causes, so users will often not be able to tell right away that their devices are infected with cryptojacking malware. In most cases, the malicious scripts will continue to run indefinitely on infected systems. With that said, there are fortunately some security measures that organisations can take to protect their assets from cryptojacking attacks, as you will find further down this article.

How is cryptojacking deployed?

Cryptojacking code infiltrates hardware systems via several methods, with browser-based script injections and phishing as the top picks among cybercriminals.

● Browser-based script injections

For this attack tactic, hackers employ web-based cryptojacking tools to inject scripts into high-traffic websites and digital advertisements featured on several domains. Coinhive, the crypto miner which websites could secretly install on visitors’ computers and was shut down in 2019, is an infamous example of this type of tool.

A few years ago, rampant cryptojacking exploits utilising script injections were such a problem that tech giants took severe action against them. Back in 2018, Apple banned crypto-mining apps on its iOS platform to reduce the risk of cryptojacking attacks against its users. In the same year, Google announced that it would block any crypto-mining extension submitted to the Chrome store.

● Phishing

Cryptojacking criminals also have phishing, a type of social engineering, in their arsenal. Phishing involves sending out mass emails which contain attachments and links that deliver cryptojacking malware like XMRig and CoinMiner. As these emails pretend to come from legitimate sources or authority figures, users are tricked into opening the malicious links and attachments in them. The crypto-mining scripts are then downloaded directly into the system’s memory and allowed to run perpetually in the background without the user’s knowledge.

The currency of cryptojacking

With Bitcoin’s popularity and high value on the crypto market, anyone would presume it to be the most mined virtual currency in cryptojacking operations. In reality, however, most attackers mine the open-source cryptocurrency Monero. Recent research has found that the level of illegal crypto mining tracks the value of Monero: whenever Monero’s market value rose, the volume of illicit mining in the wild appeared to follow suit.

The main reason many cryptojacking offenders prefer using Monero is its CPU-friendliness; it can be mined on any computer or smartphone. This contrasts with Bitcoin, whose mining algorithm demands substantial computing power and an application-specific integrated circuit (ASIC) setup. In addition, Monero’s wallet addresses are hard to identify, and its transactions are kept private, making it an ideal coin for attackers to mine while covering their tracks.

What the cryptojacking problem looks like today

Cryptojacking attacks were most prolific in 2017 and 2018. However, they are now a largely underestimated cyber threat; because of the various countermeasures rolled out by technology corporations since then to clamp down on such crimes, many have apparently lowered their guard against the lurking dangers. Yet research suggests that crypto miners were the most common malware family of 2021, with 74,490 threats identified in the first half of last year.

Prometei, a modular and multi-stage cryptocurrency botnet, is among the more recent and deadly cryptojacking threats to organisations’ systems. The botnet works by exploiting two vulnerabilities in the Microsoft Exchange server which were also targeted in the Hafnium attacks. Observed to be active in the systems of different industries in many countries, the main goal of Prometei is to mine Monero on as many endpoints across a network as possible. To do this, it employs a multitude of tactics, from stealing credentials to using known exploits like EternalBlue.

Key signs of cryptojacking

Some of the telltale signs of a cryptojacking attack include:

● Unusual and drastic performance drops or a sluggish operating system (OS) experience on devices. Symptoms include continual crashing, lagging and higher-than-normal battery consumption despite no changes in usage.

● Overheating device batteries – as a lot of computing power is channelled towards crypto mining, devices will heat up as a by-product of this process. As computer and laptop fans will run abnormally faster to cool the devices down, hearing them incessantly emit a loud whirring sound can also point towards cryptojacking.

● Higher CPU usage or unexplained device shutdowns when visiting a website with little to no media content, potentially signalling the occurrence of activities in the device’s background which exceed its processing capacity.

● Sudden and unexplainable hikes in electricity usage and costs.
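The first and third signs above (sustained high CPU load, and processes named after known miners such as the XMRig and CoinMiner families mentioned earlier) can be turned into a simple endpoint check. The following is an added example, not code from the original article; the telemetry samples, thresholds and process names are constructed for illustration.

```python
"""Flag sustained high CPU load per process from constructed endpoint telemetry."""
from collections import defaultdict

# Miner names the article mentions; a real list would come from threat intelligence.
KNOWN_MINER_NAMES = {"xmrig", "coinminer"}

CPU_THRESHOLD = 80.0   # percent of one core, constructed threshold
MIN_CONSECUTIVE = 3    # samples in a row above threshold before alerting

# Constructed telemetry: one sample per minute per (host, process).
# ws-01 shows a browser pinned at high CPU; ws-02 is a bursty but legitimate
# workload; srv-01 runs a low-intensity miner that a CPU threshold alone would miss.
SAMPLES = [
    {"t": 1, "host": "ws-01", "proc": "chrome.exe", "cpu": 92.0},
    {"t": 2, "host": "ws-01", "proc": "chrome.exe", "cpu": 95.0},
    {"t": 3, "host": "ws-01", "proc": "chrome.exe", "cpu": 97.0},
    {"t": 4, "host": "ws-01", "proc": "chrome.exe", "cpu": 96.0},
    {"t": 1, "host": "ws-02", "proc": "excel.exe", "cpu": 85.0},
    {"t": 2, "host": "ws-02", "proc": "excel.exe", "cpu": 12.0},
    {"t": 3, "host": "ws-02", "proc": "excel.exe", "cpu": 88.0},
    {"t": 1, "host": "srv-01", "proc": "svchost.exe", "cpu": 40.0},
    {"t": 2, "host": "srv-01", "proc": "xmrig", "cpu": 5.0},
]


def find_suspects(samples, threshold=CPU_THRESHOLD, min_run=MIN_CONSECUTIVE):
    """Return a sorted list of (host, process, reason) findings."""
    series = defaultdict(list)
    for s in samples:
        series[(s["host"], s["proc"])].append((s["t"], s["cpu"]))

    findings = []
    for (host, proc), points in series.items():
        # Name-based check catches miners that deliberately run at low intensity.
        if proc.lower() in KNOWN_MINER_NAMES:
            findings.append((host, proc, "known miner process name"))
        # Behavioural check: longest run of consecutive samples above the threshold.
        run = best = 0
        for _, cpu in sorted(points):
            run = run + 1 if cpu >= threshold else 0
            best = max(best, run)
        if best >= min_run:
            findings.append((host, proc, f"cpu >= {threshold:.0f}% for {best} consecutive samples"))
    return sorted(findings)


if __name__ == "__main__":
    for host, proc, reason in find_suspects(SAMPLES):
        print(f"{host}: {proc}: {reason}")
```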

How businesses can prevent cryptojacking

There are plenty of steps companies can take to prevent the potential disruption and costs associated with cryptojacking attacks:

1. Install browser extensions to block cryptojacking

As cryptojacking scripts often run in web browsers, installing browser extensions that block such scripts helps prevent them from running on a company’s devices.

2. Use ad-blockers

The organisation’s standard web browser for daily operations should have ad-blocker extensions installed and kept up to date. These extensions detect and block crypto-mining scripts hidden in online advertisements.

3. Cybersecurity education programme

As phishing is one of the main tactics used by cyber-attackers to sneak crypto miners onto users’ devices, raising cybersecurity awareness amongst organisation employees will enable them to identify and avoid falling for phishing attacks. It is also important to inculcate in staff the practice of reporting any poorly-performing devices to the information technology (IT) department for further investigation.

4. Mobile device management (MDM)

By implementing a comprehensive mobile device management (MDM) policy, organisations can better ensure the safe and responsible usage of devices, extensions, and applications by employees. This can help them to deter the spread of crypto-mining malware in any instance that it is discovered in their networks.

5. Network monitoring

Closely and proactively monitoring on-premise and cloud environments helps organisations detect malicious activities, including unauthorised crypto mining, at an early stage. Cyber defence strategies like behavioural monitoring, vulnerability scanning, and security information and event management (SIEM) are all fundamental to this step. It is just as important that cybersecurity personnel adept at handling cryptojacking attacks pay close attention to surveying the network and blocking criminals’ infiltration attempts.

6. Endpoint protection

Crypto-mining code can evade conventional signature-based detection methods. Hence, businesses may need more advanced endpoint tools to maximise endpoint visibility and collect the intelligence needed to contain and terminate cryptojacking attacks.

7. File integrity monitoring (FIM)

File Integrity Monitoring (FIM) assists businesses in monitoring and analysing the integrity of important assets, such as software applications, operating system (OS) components, network devices and databases, for indicators of unauthorised data alterations that may suggest a cryptojacking exploit is happening.

Conclusion

It currently appears that cryptojacking is far from being an urgent cyber threat. However, it still poses a risk of disrupting businesses’ performance and increasing operation costs by covertly taking advantage of their resources. As such, it is only responsible to adopt the necessary precautions to prevent cryptojacking from affecting your organisation.

At GROUP8, we know the importance of robust cybersecurity controls to any modern establishment to prevent and respond to numerous cyber-attacks. This is why we offer highly effective cybersecurity services in Singapore based on the philosophy of offensive-inspired cyber defence, ensuring our clients have unparalleled threat intelligence visibility. Do not hesitate to reach out to us at hello@group8.co to learn more about our industry-leading services.