Cryptojacking is a new, sneaky attack that is sweeping the world. What is it, and what can you do about it?
For years, only those with the motivation and technical know-how to install dedicated software could mine for cryptocurrencies. As the price of these digital assets has risen, though, cybercriminals have been eager to exploit others’ computing power without their consent to mine cryptocurrency for themselves. This practice, known as cryptojacking, comes in two forms: browser-based exploits and server-side attacks.
In a browser-based attack, the criminal must still infect a website with cryptojacking code, typically in the form of a JavaScript file. Visiting browsers run the JavaScript and unwittingly begin mining for cryptocurrencies, which the mining malware delivers to the criminal’s address.
In a server-based attack, criminals don’t target website visitors at all. Instead, they go straight for an organization’s server infrastructure, often via cloud-based services that give them the scalability to ratchet up the available CPU power. Attackers have hit Teslaamong others, slurping up vast amounts of computing power and therefore ratcheting up cloud costs.
These attacks don’t necessarily do direct harm to companies’ data in the same way that ransomware attacks do, but they raise several concerns. The first is that by hijacking a server and maximising CPU usage, they potentially render systems less reliable and impact computing service levels.
The second issue is that by compromising servers in this way, criminals highlight weaknesses in a target’s security infrastructure.
Basic cyber-hygiene continues to be a winning strategy. Patching server-based operating systems and applications can help to prevent cryptojackers infecting servers with their parasitical code. Protecting machines used to access and administer websites is an especially good idea, but this alone won’t be enough.
If you are worried about attackers using your back-end infrastructure to mine a cryptocurrency, then monitoring your systems for unusual activity is vital. Watch for heavy CPU usage as a warning sign and perform regular malware scans. Also, consider using a cryptojacking blacklist which will watch for traffic between your infrastructure and domains associated with mining. CoinBlockerLists is a useful resource here.
On a more fundamental level, companies with cloud computing resources should ensure that the developers understand necessary security procedures such as setting access protection on cloud infrastructure. Cryptojackers were able to hack Tesla because it was using a version of the Kubernetes container orchestration system with the default settings, meaning that there is no password protection.
You may also be worried about your website being infected to force visitors into mining via their browsers. Keeping the software used to create your website up-to-date is crucial. Cryptojacking software often exploits flaws in platforms used to build websites. One example is web content platform Drupal, which researcher Troy Mursch believes to be an attack vector in a massive cryptojacking campaign. The WordPress blogging platform has also suffered from attacks.
These hackers can also hijack a website by compromising third-party code the site uses to enhance its functionality. In one wide-ranging cryptojacking attack, the hackers compromised dozens of online destinations including the UK Information Commissioner’s Office by infecting BrowseAloud, an extension that these sites used to read their text aloud to visually impaired visitors.
How can you find cryptojacking malware code lurking on your website? It shows up as JavaScript. Mursch uses PublicWWW, a search tool that trawls website source code across the Internet, to look for references to tell-tale JavaScript libraries that suggest infection by cryptojacking software. Website owners would do well to check their web source code sporadically to look for JavaScript additions or alterations.
Cryptojacking may not directly damage your files or still your data, but it is still an electricity-hogging, performance-hindering irritation. Following these tips will help you to keep your computers – and those of your website visitors – free from this latest form of attack.
The topic of Threats, Exploits and Vulnerabilities will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Threats, Exploits and Vulnerabilities here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
