Cryptojacking doesn’t destroy data. Instead, it chews up computing resources. Danny Bradbury asks whether criminals have finally found a largely victimless crime
"It's a straight-up theft of resources"
Twenty years ago, non-profit projects began asking volunteers to solve science problems using their spare computing power. Initiatives like SETI@HOME would quietly use home PCs to scan radio signals for signs of intelligent life. Today, crooks are using victims’ CPUs for less noble purposes, making millions from illicitly mining cryptocurrency.
Before Bitcoin’s rise to fame in the first half of this decade, most people wouldn’t have known what mining was. Until the cryptocurrency launched in 2009, anyone sending money online needed a central arbiter such as a bank or PayPal to process the transaction. That arbiter maintained a ledger that recorded who had sent what to whom.
The blockchain technology underpinning Bitcoin replaced that central ledger with a distributed one, giving a copy to all participants and writing its transactions to each.
To stop people fraudulently rewriting transactions, the blockchain ‘seals’ them using cryptography sums that are hard to complete. Known as a proof of work, these sums are hard to solve, and computers on the network compete to do so. Winners earn a reward. In Bitcoin’s case, that’s 12.5 Bitcoins, and miners can also earn extra transaction fees.
As the price of cryptocurrencies has risen, criminals have co-opted other peoples’ computers en masse to illicitly mine for cryptocurrencies, in an attack known as ‘cryptojacking’. “They’re making a lot of money doing it,” says Troy Mursch, a Las Vegas-based security researcher who runs the Bad Packets Report. “It’s a straight-up theft of resources. Everyone needs to be aware, from small businesses to large enterprises.”
Mursch is making a name for himself finding websites infected with cryptojacking software that runs JavaScript code in a visitors’ browser to mine for cryptocurrency. He recently found 30,000 of them, including the LA Times interactive homicide report webpage, all using visitors’ CPU power to earn coins for crooks.
The most common browser-based cryptojacking tool is Coinhive, found on the majority of compromised sites. The trick for attackers is to get these scripts onto systems and keep them running for as long as possible.
“The whole point with in-browser models is that you need a website where the user will be there for longer than normal, and you need a lot of concurrent active users on the site,” Mursch says. “The websites that make the most money with Coinhive are video streaming sites or image boards.”
There is one kind of site that people commonly spend lots of time browsing for images. Porn sites accounted for half of all cryptojacking scripts, according to research from Chinese security software firm Qihoo 360 Technology’s 360Netlab research team.
"It's much more of a grey area when you're using the processing power and electricity of an organization versus holding their data for ransom"
The Economics of Cryptojacking
Deciding what cryptocurrencies to mine when cryptojacking involves a careful balance between economics and technical capability. Bitcoin’s mining algorithm supports application-specific integrated circuits (ASICS), which are chips dedicated to its code-cracking task. Most Bitcoin mining now happens in large data centers with equipment dedicated to that purpose.
Bitcoin becomes more difficult to mine as more computers do the sums (called hashes) to compete in its mining contests. Bitcoin’s hash rate is a function of its value. It hit nearly 24 million Terahashes per second in March, up from 3.8 million Terahashes a year prior, as its price skyrocketed.
Cryptojackers co-opting general purpose CPUs couldn’t compete. They needed alternatives. There are well over 1000 different cryptocurrencies, and many of them are far easier to mine because they use proof of work algorithms that don’t need ASIC hardware. “You tend to see people moving around as popularity rises and falls in peaks and troughs,” explains Neil Haskins, director of advisory services EMEA at security firm IOActive.
The current favorite is Monero, an open-source cryptocurrency created in 2014 and focused on privacy. Unlike Bitcoin, this digital asset is CPU-friendly, making browser-based mining ideal.
The cryptocurrency also has other features that appeal to cryptojacking crooks, says Haskins. It is designed to obfuscate transactions in a way that Bitcoin doesn’t. Bitcoin ties transactions to specific addresses. Monero uses addresses interchangeably.
“Monero pushes this untraceable transaction capability, this anonymity,” he adds. “From a bad guy’s perspective, they can sit and hide in the Monero network.”
Compromised Devices
Instead of luring visitors to websites, botnet operators just install the malware directly to keep it mining whenever a computer is on. Proofpoint researchers found cryptojacking botnet Smominru earning around 24 Monero each day since early 2017, equating to nearly 9000 Monero valued at over $3m.
Sherrod DeGrippo, director of emerging threats at Proofpoint, sees the same old botnet operators folding cryptojacking into their existing arsenals.
“You’re already distributing a banking trojan and a keylogger or a credential stealer,” she says. “Why not stick a coin miner on there as well and get two for one?”
Attackers hungry for computing power are also attacking another target: enterprise servers, which offer tempting processing and memory resources. “With almost every incident response engagement that our guys did, we were finding cryptocurrency miners,” says Mike McLellan, author of a report for Dell-owned security firm SecureWorks on cryptojacking. His company frequently finds cryptojacking malware such as XMRig and Coinminer on victims’ machines.
These attacks extend from on-premise servers into the cloud, which provides attackers with the elastic computing resource they need to mine more coins.
As early as December 2013, crooks were hacking online cloud accounts and using those resources to clock up CPU time. They accessed Melbourne-based programmer Luke Chadwick’s Amazon Web Services account using an Amazon Key that he had unwittingly uploaded to his public GitHub repository. They clocked up $3420 in CPU time across 20 Amazon virtual machines mining Litecoin.
These instances are getting increasingly sophisticated. Surveying 12 million public cloud resources, security firm RedLock believes that 8% of organizations have suffered from cryptojacking activity. These include Tesla, UK insurance giant Aviva and smart card manufacturer Gemalto. Attackers compromised Tesla’s cloud infrastructure via instances of the Kubernetes container orchestration software that the companies had installed without login protection.
Protecting Yourself
Monitoring is one way of protecting yourself against attacks on cloud-based and on-premise servers alike, warn experts. “Always monitor public cloud environments for internet-exposed resources to detect these type of issues,” says Gaurav Kumar, CTO and head of the Cloud Security Intelligence (CSI) team at RedLock.
The company also noted that 80% of the 12 million cloud-based resources it saw do not restrict access to outbound traffic. Administrators can at least use a blacklist like CoinBlockerLists to spot and block traffic to known sites associated with mining domains.
As attacks get more sophisticated, though, monitoring traffic destinations won’t be enough. The Tesla hackers cloaked the IP address of their self-installed mining pool software behind the CloudFlare content delivery network. They also used a non-standard port to help avoid port-based traffic detection.
Cat and mouse games between attackers and network administrators make it essential to monitor CPU activity too, warn experts. However, that gets trickier as organizations increase in size. “Nefarious activity may go unnoticed at large organizations due to the size of the environments, and they tend to be less sensitive to cost increases arising from the use of additional computing power,” says Kumar.
“You’re already distributing a banking trojan and a keylogger or a credential stealer, why not stick a coin miner on there as well and get two for one?
Some cryptojacking malware already throttles traffic to stay below the radar, points out Mursch, which can make it difficult for even smaller companies or individual victims to see what’s happening
While some cryptojacking attacks use powerful servers, others target an army of small devices. “Mobile devices definitely present a potential target area,” says Proofpoint’s DeGrippo. “The processing power of these devices is pretty good.”
Some Android-focused malware has already made it to the wild. ADB.Miner is an Android cryptojacking worm that reportedly uses the same code found in the Mirai IoT malware to propagate between Android-based smartphones. It has also turned up on some smart TVs, according to 360Netlab.
The New Normal
Where will this all end? Don’t expect cryptocurrency mining to stop anytime soon. Ransomware has to announce itself, whereas cryptojacking malware relies on flying under the radar. “Criminal use of cryptocurrency miners will become the new normal for as long as cryptocurrencies retain enough value to make it worthwhile,” says SecureWorks’ McLellan.
The damages from cryptojacking are also far lower, points out DeGrippo, which exposes criminals to fewer recriminations. Many customers finding this kind of malware may merely erase it and not report it at all.
“It’s much more of a grey area when you’re using the processing power and electricity of an organization versus holding their data for ransom, so I think there’s some attractiveness there,” she says.
Some see in-browser cryptomining as benign enough to support a new business model as a legitimate and voluntary activity. Salon recently used what a spokesperson described as “the latest version” of Coinhive to give users an alternative to viewing ads. A charity, Bail Block, asked visitors to willingly mine cryptocurrency as it raised bail money for non-violent offenders in a variation on the original SETI@HOME idea.
Illicit cryptojacking may be the perfect crime, just so long as markets continue to crave cryptocurrencies and drive up prices. It isn’t a victimless crime because the malware still consumes computing power and could render computers unstable. Nevertheless, it’s a crime that doesn’t destroy data so much as prey on electrical power, using parasitical software to chew up computing resources one CPU cycle at a time
You can find out more on this topic at our upcoming Infosecurity Magazine Online Summit, Tuesday 11th Sept during our hour long panel session:
Cryptojacking: Exploring the Phenomenon that is Illicitly Mining Cryptocurrency
Find out more here: Infosecurity Magazine Online Summit