Klepto Currency: Are Hackers Cryptojacking Your Processing Power?

Investment in Bitcoin and other crypto-currencies has reached unprecedented heights and with it, demand for the massive digital processing power required to mine virtual currencies. To quickly generate coins, a new kind of malware is being used to harness hundreds, even thousands of PCs around the globe to accelerate intensive, distributed crypto-mining processes.

Crypto-miners and you, perfect together
In the race to generate currency, “miners” are using clever tools and techniques to gain access to computing resources. Some techniques are legitimate, others are questionable, and still others, generally known as “crypto-jacking,” are downright nefarious.

Crypto-jackers do not discriminate: they target anyone and everyone who might “contribute” valuable computing cycles to their cause, from processors that are locked behind firewalls in enterprise organizations, to those on kitchen tables in suburbia. As a low-investment (for the crypto-jacker, that is) way to generate high crypto-currency revenues, crypto-jacking has been increasing rapidly in popularity.

While no one wants to host uninvited guests who tie up their processors and run up their electricity bills, crypto-jacking is particularly threatening to enterprises. A compromised corporate website serves mining code to every visitor’s browser, and a compromised endpoint or server spends its cycles and power generating profit for the crypto-jacker rather than for the business. No company can spare that capacity.

Epidemic of crypto-jacking
Mining software library providers, such as Coinhive, market themselves to website owners as a legitimate means to “run your site without ads,” with site users opting to “pay” for free access to games and other resources by allowing crypto-mining software to run on their computers.

Pay-to-play mining of this kind is acceptable when users explicitly agree to share their processing power. Malicious actors, however, quickly repurposed Coinhive and similar scripts for nonconsensual use. Using nothing more than these publicly available JavaScript libraries, they inject the mining script into legitimate websites (by compromising the site itself, a third-party script it loads, or a misconfigured hosting bucket) and surreptitiously use visitors’ CPUs to mine currency.

Crypto-jacking code has been found embedded on a myriad of websites, ranging from Showtime’s television network to the Ecuadorian Papa John’s Pizza. More recently, the Los Angeles Times unknowingly served crypto-jacking code to its visitors, and Tesla found miners running on its own cloud infrastructure.

When unsuspecting users access sites infected by crypto-jacking malware, the web page loads and the in-browser mining code starts running. No installation or opt-in process is required – the code simply captures computer cycles from visitors’ PCs and starts the mining process.

Significantly for businesses, crypto-jacking hurts employee productivity by slowing down PCs, since the endpoint processing capacity available for business use is severely reduced. That is just the tip of the iceberg: an attacker who can inject a mining script into a page can just as easily inject any other payload, so the same foothold can be used to stage future malware or ransomware attacks.

Crypto-jackers are no match
For enterprise security, a defense-in-depth strategy is essential, layering traditional hardware and software controls with user vigilance and best practices. Today, signature-based controls such as anti-virus and intrusion prevention, combined with firewalls, website filtering and secure web gateways, are highly effective at identifying and stopping known malware files.

These controls, however, offer little protection against browser-executable code served from an approved site: there is no file on disk to scan, and the script arrives from a host that is already on the allow list. Attackers who manage to inject crypto-jacking code into an otherwise well-run website need nothing more exotic than the publicly available JavaScript mining libraries.

Remote browser isolation (RBI) complements existing security measures by stopping browser-borne malware without disrupting the user experience.  

Enterprises are beginning to embrace remote browser isolation. Gartner's report, It’s Time to Isolate Your Users from the Internet Cesspool with Remote Browsing, predicts that 50% of all enterprises will use browser isolation to safeguard against attacks by 2021.

How does remote browser isolation stop crypto-jacking?
True to its name, RBI separates the browsing session from the endpoint device. Web browsing takes place in a virtual browser inside a disposable container, hosted remotely in the network's demilitarized zone (DMZ) or in the cloud; only a rendered view of the page is streamed to the user in real time, and no web content executes on the endpoint.

The endpoint remains protected from mining code and malicious file downloads, while the user gets a near-native browsing experience with little added latency. The container in which the session runs, along with any crypto-jacking processes and other malicious content, is discarded when the session ends or expires.

RBI tightly restricts the processing resources assigned to each disposable container, as well as the container’s shelf life. As a result, if mining code consumes the resources allocated to the container, what it can hijack is so limited and short-lived that it has no impact on the larger organization, provided those limits (CPU quota, memory cap and session timeout) are actually enforced by the container runtime rather than left at their defaults.

Perhaps more importantly, because the crypto-jacking code is discarded along with the container, it never reaches an endpoint or server where it could establish a foothold for future malware or ransomware attacks.

RBI is therefore a valuable additional layer in any enterprise security portfolio. It also lets enterprises be more proactive: by keeping untrusted web content off the endpoint, it removes the browser as a path from the internet into the network, mitigating internet-borne threats such as ransomware and other malware.