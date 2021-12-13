Phil Muncaster discovers that a combination of surging crypto prices and the pandemic has given cyber-criminals a shot in the arm...

There was a time a few years ago when cryptojacking supplanted ransomware as the pre-eminent global cyber-threat. As detections of the latter slumped in 2018, incidents involving cryptocurrency mining malware surged on the back of a thriving digital currency market. Many commentators claimed this was a sign of things to come. Cryptojacking is easier to make money from because threat actors don’t need to extract payment directly from their victims – they simply add more compromised machines to ramp up mining capability. Or so the argument went.

Then came ransomware-as-a-service, affiliate groups and double extortion – driving a renaissance in ransomware that saw attacks soar 485% in 2020, as home workers and remote access infrastructure were remorselessly targeted during the pandemic. Yet cryptojacking never went away. In fact, it evolved in the intervening years to become something arguably even more prolific. So the question is, should CISOs really care if the only apparent impacts are higher energy bills and slightly slower servers?

Stealing Compute Power

Cryptojacking, on the face of it, has always seemed a lower-level threat than the likes of data breaches, banking Trojans, DDoS and of course, ransomware. At a very high level, it involves the unauthorized use of a victim’s computing power to mine for cryptocurrency in order to generate profits. A variety of coin mining malware has been designed to achieve these ends. Enterprise targets offer arguably the richest pickings in terms of processing and memory resources, although campaigns have been known to go for large numbers of lower-powered smart devices conscripted into coin mining botnets.

One thing is clear: it’s still a popular way to make money. CrowdStrike’s recent OverWatch report recorded a 100% year-on-year increase in detections of cryptojacking intrusions, which it puts down to a sharp rise in the value of digital currencies from late 2020. Skybox Security claims to have seen double the volume of cryptojacking malware in the first half of 2021 versus the previous year. Monero remains the most popular currency to target, for two reasons. Its proof-of-work algorithm is designed to be mined on ordinary CPUs rather than the specialized ASIC hardware that dominates Bitcoin mining, so stolen cycles on commodity servers, endpoints and smart devices are actually worth something to the attacker. And its privacy features (ring signatures, stealth addresses and confidential transaction amounts) make payouts far harder to trace than on Bitcoin’s transparent ledger.

What’s Changed Since 2018?

To an extent, the same techniques are being used to get coin-mining code onto victim systems today as they were when Infosecurity reported on cryptojacking three years ago. That means browser-based mining, where a JavaScript or WebAssembly miner embedded in a web page starts automatically when a user visits and runs for as long as the tab stays open, or phishing tactics designed to trick users into installing a persistent miner directly on their machines.
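As an added illustration of the browser-based vector described above (example code written for this edit, not from the article or from any vendor it mentions), here is a small Python heuristic that scans a page body for signs of an in-page miner. The indicator list, the rule weights and the flagging threshold are assumptions chosen for the demonstration rather than an authoritative signature set, and the three sample pages are constructed for it. The strings it looks for are real, though: `coinhive.min.js` is the now-defunct CoinHive library, `stratum+tcp://` is the pool protocol CPU miners speak, and CryptoNight and RandomX are Monero’s proof-of-work algorithms.

```python
"""Heuristic scanner for in-page cryptomining scripts (added example).

The rules, weights and threshold are assumptions chosen for this demonstration,
not an authoritative signature set, and every sample page below is constructed.
"""
from __future__ import annotations

import re

# Each rule is (name, compiled pattern, weight); a rule scores at most once per page.
RULES = [
    # Stratum is the pool protocol CPU miners speak; a pool URI in page text is a
    # strong signal on its own.
    ("stratum_uri", re.compile(r"stratum\+(?:tcp|ssl)://", re.I), 5),
    # The now-defunct CoinHive library was the canonical browser miner.
    ("known_miner_script", re.compile(r"coinhive\.min\.js|coinhive\.com/lib", re.I), 5),
    # Names of Monero's proof-of-work algorithms (CryptoNight, later RandomX).
    ("pow_algorithm", re.compile(r"cryptonight|randomx", re.I), 3),
    # Browser miners expose a CPU throttle so the victim's machine stays usable.
    ("throttle_param", re.compile(r"throttle\s*:\s*0?\.\d+", re.I), 2),
    # A 95-character Monero primary address: leading '4', base58 alphabet.
    ("monero_address", re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b"), 4),
]

# Miners compile WebAssembly inside a Web Worker to get hash throughput without
# freezing the page. Either feature alone is common on legitimate sites, so this
# rule only fires when both are present, and with a modest weight.
WASM_RE = re.compile(r"WebAssembly\.(?:instantiate|compile|Module)")
WORKER_RE = re.compile(r"new\s+Worker\s*\(")
WASM_WORKER_WEIGHT = 3

THRESHOLD = 5  # assumed tuning value: flag at or above this score


def scan_html(html: str) -> tuple[int, list[str]]:
    """Return (score, names of rules that fired) for one page body."""
    hits = [name for name, pattern, _ in RULES if pattern.search(html)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    if WASM_RE.search(html) and WORKER_RE.search(html):
        hits.append("wasm_in_worker")
        score += WASM_WORKER_WEIGHT
    return score, hits


def is_cryptojacking(html: str) -> bool:
    """True when the page's indicator score reaches the threshold."""
    return scan_html(html)[0] >= THRESHOLD


# --- constructed sample pages -------------------------------------------------

# Ordinary site: a Worker and WebAssembly for an image filter, nothing else.
BENIGN_PAGE = """<html><body>
<script>
  const worker = new Worker('/static/filter-worker.js');
  WebAssembly.instantiate(filterBytes).then(m => worker.postMessage(m.instance));
</script>
</body></html>"""

# Drop-in miner library with a 30% CPU throttle (site key is a placeholder).
COINHIVE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

# A 95-character token shaped like a Monero primary address (made up).
FAKE_WALLET = "4" + ("8Tpx" * 24)[:94]

# Self-hosted miner stub: pool URI, algorithm name and wallet embedded inline.
CUSTOM_WASM_PAGE = """<html><body>
<script>
  const POOL = 'stratum+tcp://pool.example:3333';
  const WALLET = '""" + FAKE_WALLET + """';
  const ALGO = 'cryptonight';
  const worker = new Worker(URL.createObjectURL(new Blob([minerSource])));
  WebAssembly.instantiate(minerBytes).then(() => worker.postMessage({POOL, WALLET, ALGO}));
</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in [("benign", BENIGN_PAGE), ("coinhive", COINHIVE_PAGE),
                        ("custom-wasm", CUSTOM_WASM_PAGE)]:
        score, hits = scan_html(page)
        verdict = "FLAG" if is_cryptojacking(page) else "ok"
        print(f"{label:12s} score={score:2d} {verdict:4s} {hits}")
```

Running the block prints a verdict for each sample. The benign page uses both a Worker and WebAssembly and still scores below the threshold, which is the point of weighting the combination modestly rather than treating either feature as suspicious on its own. A check like this belongs at a web proxy or in a browser extension, and it complements rather than replaces host telemetry such as sustained CPU consumption by browser processes, since a self-hosted miner can rename every string the page-level rules key on.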

However, some actors are going to more extraordinary lengths to stay hidden, according to Nathaniel Quist, senior threat researcher at Palo Alto Networks’ Unit 42.

“Cryptojacking groups vary in sophistication and capability. Some groups, like those behind campaigns such as dbused, avalonsaber and opsec_x12 appear to use copied, stolen or patched-together code, which lends their operations to being easier to detect and prevent. Others such as TeamTNT, Lemon_Duck and WatchDog have elevated their cryptojacking operations to include near zero day, or 1-day, attacks against cloud infrastructure,” he explains to Infosecurity.