Undermining Crypto-Threats

Covert crypto-mining has become a major new security concern for companies and individuals alike.

Recent research by Willem de Groot has found that at least 2,500 sites are running crypto-mining code in the browsers of unsuspecting users. Despite Bitcoin’s well-publicized slump there’s still dollars a-plenty to be had in the world of cryptocurrency, and it hasn’t taken the cybercrime world long to find a way to exploit it. 

This is a new threat, but it has the potential to become the next incarnation of ransomware - victims’ CPU resources will be bled dry by malicious code, their systems grinding to a halt as they earn money for a hostile actor. It’ll be much harder for law enforcement to track the perpetrators, as there will be no need for direct contact or payment, giving the hackers an extra layer of anonymity. 

How does crypto-mining work?
Crypto-mining is the process of harnessing large-scale computing power to solve cryptographic puzzles as fast as possible. Roughly every few minutes the network sets a fresh puzzle: miners must find a value (a ‘nonce’) that, combined with the pending block and hashed, produces a result below a published target. The first miner to find one is given a ‘reward’ in the relevant currency. 

The cryptography is designed so that there is no shortcut: the only way to find a valid nonce is to hash candidate after candidate until one happens to satisfy the target, and checking a claimed solution takes a single hash. Cryptojackers draw on compromised machines’ CPU time and electricity to perform that brute-force hashing for them. 

The sheer number of machines working on each puzzle worldwide means that you need a great deal of computing power to be the first to find a solution. The average ‘crypto mine’ – really just a massive server installation computing hashes at colossal speed – consumes electricity at an extremely expensive rate, and needs a lot of human maintenance.
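The puzzle described above, as an added example that is not part of the original article: a toy proof-of-work in Python that hashes a stand-in block header with successive nonces until the result falls below a target. The header bytes, the 64-bit nonce encoding and the illustrative hash rate are assumptions for the example; the double SHA-256 construction is the one Bitcoin uses, but nothing here models a real block. It shows why there is no shortcut (every try is one hash), why verification is cheap, and why each extra bit of difficulty doubles the expected work.

```python
import hashlib
import os
import struct


def pow_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 of header || nonce, read as a 256-bit integer.

    `header` is an arbitrary stand-in for a block header (assumption of
    this example); the nonce is appended as a little-endian 64-bit value.
    """
    data = header + struct.pack("<Q", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def target_for_bits(leading_zero_bits: int) -> int:
    """Target below which a hash counts as a solution.

    Demanding `leading_zero_bits` leading zero bits means a random hash
    succeeds with probability 2 ** -leading_zero_bits.
    """
    return 1 << (256 - leading_zero_bits)


def mine(header: bytes, target: int, max_tries: int = 1 << 24):
    """Brute-force nonces 0, 1, 2, ... until pow_hash(header, nonce) < target.

    Returns (nonce, tries); (None, max_tries) if the budget runs out.
    SHA-256 gives no way to pick a winning nonce other than hashing
    candidates and checking each result, so tries grows with difficulty.
    """
    for nonce in range(max_tries):
        if pow_hash(header, nonce) < target:
            return nonce, nonce + 1
    return None, max_tries


def verify(header: bytes, nonce: int, target: int) -> bool:
    """Checking a claimed solution costs one hash, however hard it was to find."""
    return pow_hash(header, nonce) < target


def expected_tries(leading_zero_bits: int) -> int:
    """Mean number of hashes to find a solution (geometric distribution)."""
    return 2 ** leading_zero_bits


def expected_seconds(leading_zero_bits: int, hashes_per_second: float) -> float:
    """Mean time to solve at a given hash rate; each extra bit doubles it."""
    return expected_tries(leading_zero_bits) / hashes_per_second


def average_tries(leading_zero_bits: int, trials: int = 20) -> float:
    """Empirical mean over random headers; should sit near expected_tries()."""
    target = target_for_bits(leading_zero_bits)
    total = 0
    for _ in range(trials):
        _, tries = mine(os.urandom(16), target)
        total += tries
    return total / trials


if __name__ == "__main__":
    header = b"constructed block header"  # constructed sample input
    target = target_for_bits(16)
    nonce, tries = mine(header, target)
    print(f"nonce {nonce} found after {tries} hashes; valid={verify(header, nonce, target)}")
    for bits in (8, 10, 12):
        print(f"{bits} bits: expected {expected_tries(bits)} hashes, observed mean {average_tries(bits):.0f}")
    # Illustrative rate only: a 32-bit puzzle at 10 million hashes per second.
    print(f"32 bits at 10 MH/s: about {expected_seconds(32, 10e6):.0f} s per solution")
```

Running the script shows the observed means tracking 256, 1,024 and 4,096 hashes, which is the whole economics of cryptojacking in miniature: the attacker's cost per hash is what they offload onto victims, and the reward goes to whoever pays for the most hashes.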

How does that affect me?
At some point in the last few years, an enterprising miner clearly hit on the idea that it would be much cheaper to use somebody else’s computers and electricity than their own. Since then, the number of cases of ‘cryptojacking’ has spiralled upwards.

There are a few ways an innocent bystander can be tricked into serving a mining operation. Attackers can exploit known bugs in out-of-date web software to compromise a site (as in the examples found by de Groot) and inject mining code into its pages, so that it runs behind the scenes in every visitor’s browser.

They can create spoofed sites to implant malware on visitors’ machines, linking those CPUs to the attacker’s mining operation; or they can use phishing emails to deliver malicious code and hook victims into their mining network – really just an update to the old botnet formula.

Why is that worrying?
Security teams should, of course, be well-versed in resisting phishing and spoofing. But malware doesn’t have to be implanted on your system to pose a danger: simply visiting a compromised site can hook your computer’s processing power into a covert mining operation for as long as the page is open, and there’s no easy way to tell from the outside that a site has been compromised.

The upshot of all this is that covert crypto-mining poses a serious financial and reputational danger to companies. If your employees regularly access compromised sites, your electricity bill could soar while your system’s efficiency plummets.

If your own site is cracked by hackers, you could inadvertently rope your prospects into mining. A handful of poorly-handled, well-publicized crypto-mining incidents in customers’ browsers could have a serious impact on your reputation as a secure company.

It’s even conceivable that advanced forms of crypto-mining could tax victims’ systems to the extent that they become unusable, effectively taking compromised machines offline. The results would be disastrous for productivity and reliability alike, ultimately hitting the bottom line.

What can I do?
The key question, then, is how do you defend against a threat that is so difficult to detect – so covert? To extend the image, look at espionage: MI5 tackles covert operations with intelligence gathering. That, in short, is what companies should be doing to defend themselves in this scenario. 

A threat-intelligence-led defense can provide security teams with the tools they need to avoid malicious sites and apps, detect mining activity and identify likely sources of malicious code, as well as handling live threats.

You need visibility into everything that’s going on in your network to be able to spot potential mining activity. With thousands of alerts and log lines to review every day, access to a wide array of threat intelligence is a key way to help your security analysts improve their accuracy. 
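One way to turn threat intelligence and network visibility into a mining detector, as an added example rather than anything from the article or any product: a Python script that runs over constructed web-proxy log lines and constructed endpoint CPU samples, matches requests against an indicator list, flags connections to pool-style ports, and raises the confidence only when a host shows sustained browser CPU load as well. The indicator hosts, script paths, log formats, port list and process names are all assumptions made for the example; in practice the indicators would come from the shared feeds the article recommends. It also covers the browser-based case described earlier, where the mining script arrives from a compromised but otherwise legitimate site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator feed. These hosts, paths and ports are ASSUMED for the example;
# in practice they come from shared threat-intelligence sources.
MINER_HOSTS = {"pool.miner-example.net", "cdn.jsminer-example.com"}
MINER_PATHS = {"/lib/miner.min.js", "/cryptonight.wasm"}
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}  # heuristic: ports mining pools often use
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy log lines: time client method url status bytes
PROXY_LOG = """\
2018-01-10T09:12:01Z 10.1.2.3 GET http://shop-example.co.uk/ 200 5120
2018-01-10T09:12:02Z 10.1.2.3 GET https://cdn.jsminer-example.com/lib/miner.min.js 200 48211
2018-01-10T09:12:03Z 10.1.2.3 CONNECT pool.miner-example.net:14444 200 0
2018-01-10T09:12:05Z 10.1.2.4 GET https://news-example.org/index.html 200 20311
2018-01-10T09:12:06Z 10.1.2.5 CONNECT mail-example.com:443 200 0
""".splitlines()

# Constructed endpoint telemetry, one sample per client every 10 s, in time
# order per client: time client process cpu_percent
CPU_LOG = """\
2018-01-10T09:12:10Z 10.1.2.3 chrome.exe 97
2018-01-10T09:12:20Z 10.1.2.3 chrome.exe 98
2018-01-10T09:12:30Z 10.1.2.3 chrome.exe 99
2018-01-10T09:12:10Z 10.1.2.4 chrome.exe 12
2018-01-10T09:12:20Z 10.1.2.4 chrome.exe 95
2018-01-10T09:12:30Z 10.1.2.4 chrome.exe 8
""".splitlines()

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")
CPU_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def proxy_findings(lines):
    """Map client -> set of reasons from the proxy log alone."""
    hits = defaultdict(set)
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        _, client, method, url, _, _ = m.groups()
        if method == "CONNECT":
            host, _, port = url.rpartition(":")
            if host in MINER_HOSTS:
                hits[client].add("known-miner-host")
            if port.isdigit() and int(port) in POOL_PORTS:
                hits[client].add("pool-like-port")
        else:
            parts = urlsplit(url)
            if parts.hostname in MINER_HOSTS:
                hits[client].add("known-miner-host")
            if parts.path in MINER_PATHS:
                hits[client].add("known-miner-script")
    return hits


def sustained_cpu_clients(lines, threshold=90, min_samples=3):
    """Clients whose browser stayed at or above `threshold` % CPU for
    `min_samples` consecutive samples. A single spike is not enough."""
    streak = defaultdict(int)
    flagged = set()
    for line in lines:
        m = CPU_RE.match(line)
        if not m:
            continue
        _, client, proc, cpu = m.groups()
        if proc not in BROWSERS:
            continue
        streak[client] = streak[client] + 1 if int(cpu) >= threshold else 0
        if streak[client] >= min_samples:
            flagged.add(client)
    return flagged


def analyze(proxy_lines, cpu_lines):
    """Correlate network indicators with host telemetry.

    Returns client -> (verdict, sorted reasons). Indicator hits alone are
    'medium' (feeds go stale); pegged CPU alone is 'low' (video or a build
    does the same); the two together are 'high'.
    """
    findings = proxy_findings(proxy_lines)
    for client in sustained_cpu_clients(cpu_lines):
        findings[client].add("sustained-browser-cpu")
    report = {}
    for client, reasons in findings.items():
        network = reasons - {"sustained-browser-cpu"}
        if network and "sustained-browser-cpu" in reasons:
            verdict = "high"
        elif reasons & {"known-miner-host", "known-miner-script"}:
            verdict = "medium"
        else:
            verdict = "low"
        report[client] = (verdict, sorted(reasons))
    return report


if __name__ == "__main__":
    for client, (verdict, reasons) in analyze(PROXY_LOG, CPU_LOG).items():
        print(f"{client}: {verdict} ({', '.join(reasons)})")
```

On the constructed data only 10.1.2.3 is reported, and at high confidence: it fetched a script at a known path from a listed host, opened a tunnel to a pool-style port, and its browser then sat above 90% CPU for three samples in a row. 10.1.2.4 had one CPU spike and no network indicator, which is exactly the false positive the correlation is there to suppress.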

It’s also helpful to get an idea of who might be behind any covert mining you encounter. Is it a lone actor trying to make some money on the side, or a major mine illegally pulling in resource from outside its borders?

By accessing open-source threat data from other organizations, and sharing your own experiences in return, you can build up a picture of the likely tactics and tools used by different miners. Once you have that information, you’ll be better able to target your defense and predict which doors in your system are going to be pushed the hardest.

Cryptojacking isn’t a passing trend. The underlying technology is here to stay in one form or another, and as long as there’s cash to be had, your systems are a target. Make sure that you’ve got the tools to closely monitor what’s going on in your network and detect any mining activity before it takes a toll on your business. In a world of espionage and counter-espionage, the player with the most information wins. 
