
In the last several years, cryptocurrencies like Bitcoin have been quietly growing in popularity, with an ever-larger number of people buying and selling them. With that popularity, Bitcoin has hit the mainstream and become a worldwide phenomenon, and more people than ever are looking to get into the cryptocurrency game.

However, the production of cryptocurrencies is nothing like that of the regular money you will find in a high street bank. There is no central authority that issues new notes; instead, bitcoins (or Litecoin, or any of the other so-called ‘alt-coins’) are generated through a process known as ‘mining’. So, what is cryptocurrency mining, how does it work, and why should businesses pay attention?

Cryptocurrency mining and the blockchain


Before trying to understand the process of cryptocurrency mining, I need to explain what the blockchain is and how it works. The blockchain is the technology that underpins almost every cryptocurrency. It is a public ledger (a decentralised register) of every transaction that has ever been carried out in that cryptocurrency.

These transactions are collected into what are called “blocks”, which cryptocurrency miners verify to ensure they are legitimate. This check confirms that the same coin has not been spent again before the transaction has cleared, and that the inputs and outputs tally. The next transaction block is then chained to it. This is how cryptocurrencies are created and how new crypto coins are made.

Mining new blocks


As there is no central authority or central bank, there has to be a way of gathering every transaction carried out with a cryptocurrency into a new block. The network nodes that carry out this task are dubbed ‘miners’. Every time a batch of transactions is collected into a block, it is added to the blockchain, and whoever adds the block is rewarded with some of that cryptocurrency.

To stop miners devaluing the currency by building lots of blocks, the task is deliberately made hard to carry out: miners must solve computationally expensive mathematical problems, a mechanism called ‘proof of work’.

Hash calculations

To successfully create a block, it must be accompanied by a cryptographic hash that fulfils specific requirements. The only feasible way to arrive at a hash matching the criteria is to calculate as many hashes as possible until one matches. When the right hash is found, a new block is formed and the miner that found it is rewarded with units of cryptocurrency.
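As an added illustration (not code from the original post), the following Python sketch shows the proof-of-work search described above: a constructed block header is hashed with successive nonces until the hash falls below a difficulty target, and a separate check shows that verifying a found solution costs a single hash. The header fields and the JSON serialisation are simplifications assumed for the example, not Bitcoin's actual header format.

```python
import hashlib
import json

# Constructed sample block header (placeholder values, not real chain data).
SAMPLE_HEADER = {
    "prev_block": "00" * 32,
    "merkle_root": "ab" * 32,
    "timestamp": 1700000000,
}


def block_hash(header: dict, nonce: int) -> bytes:
    """Serialise header plus nonce deterministically and double-SHA-256 it.
    (Bitcoin also hashes its header twice; the JSON form is a simplification.)"""
    payload = json.dumps({**header, "nonce": nonce}, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The 'specific requirement': read as a 256-bit integer, the hash must be
    below 2**(256 - difficulty_bits), i.e. its first difficulty_bits bits are zero."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: dict, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces until the hash meets the target. Returns (nonce, digest,
    attempts) or None if max_nonce is exhausted. Expected attempts are about
    2**difficulty_bits, which is what makes block creation expensive."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def verify(header: dict, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however long the search took."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    # 16 difficulty bits keeps the search to roughly 65,000 hashes.
    nonce, digest, attempts = mine(SAMPLE_HEADER, 16)
    print(f"nonce={nonce} attempts={attempts} hash={digest.hex()}")
```

Raising `difficulty_bits` by one doubles the expected search, while `verify` stays a single hash; that asymmetry is the whole point of proof of work.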

Crypto mining requires high computing power, which often costs thousands of dollars to buy. That price tag is where crypto jacking comes in: crypto mining via malware and other attack vectors is a fast-growing threat, not just to owners of individual computers and mobile devices, but also to organisations of all types and sizes, putting the security, availability, reliability, and operational costs of their computers and networks at risk. That makes crypto jacking another category to add to your IT security team’s threat list, alongside viruses and malware, distributed denial of service (DDoS) attacks, phishing, spyware, hackers, rootkits, ransomware, and so on.

Cryptocurrency might be a relatively new form of digital currency, where the uniqueness of each coin and transactions involving it rely on complex encryption, but already it has gained a foothold. Bitcoin, the first cryptocurrency, is barely a decade old yet it holds 47.6 per cent of the cryptocurrency market share, among challengers such as Ethereum, Digital Note, LiteCoin, and Monero.

Crypto mining refers to the computer-based tasks essential to the operation of a cryptocurrency’s ecosystem, in particular the blockchain, the distributed digital ledger of transactions.

It is important to note that crypto miners are not directly creating or finding the cyber-money. Essentially, their computing power is racing against all other crypto miners, large and small, to complete the minimum required amount of work and be the first to submit a qualifying solution to the complex mathematical puzzle. The first to solve the puzzle, which others can then confirm, earns the virtual coin.

The crypto mining programs for the various cryptocurrencies can be run on any computer or mobile device, and on most other devices with Internet connectivity, even a small embedded computer chip. Individuals with a few spare CPU cycles on their PC or mobile device can quickly, and legitimately, join the crypto mining race by downloading one of the crypto mining applications, with the caveat that mining coins with a single cell phone or consumer-class computer is like trying to win a Formula 1 road race wearing one roller skate.

The next step up is buying or building a system optimised for crypto mining, using either multiple graphics cards (GPUs) or application-specific integrated circuits (ASICs) designed for crypto mining. Typically, a functional system like this costs from $4,000 to $20,000.

There are, of course, third-party services as well. One could simply rent cycles from one of the crypto-mining-as-a-service cloud offerings, or join a mining pool, combining your computing resources with other users’ resources. For those with a lot of money, expertise, electric power, and optimised hardware, the biggest option is to build a crypto farm: essentially a massive data centre with potentially thousands of servers and all the associated challenges and security issues that come with running a data centre. It is worth noting that the mining hardware need not be servers; there are reports of crypto mining farms built using smartphones.

With all these challenges and costs, the potentially illegal approach is to steal computer cycles. One scheme is to get direct access to computing power on other people’s machines by offering web services, such as games or streaming content, that run crypto mining web apps on those devices while the application’s tab is open in the user’s browser. One could argue that this is done with the user’s knowledge and permission, although that does not always turn out to be the case; sometimes the “we’ll mine while you browse” notice is less than obvious.

The other, outright criminal, approach is to invade insufficiently protected web browsers, servers, and other devices and steal IT resources to crypto mine in secret.

From a pragmatic viewpoint, if you are committing computer crime for the money rather than for non-monetary motives such as ego gratification, proof of concept, revenge, political activism, or cyberterrorism, crypto hijacking makes a lot of sense.

First, crypto hijacking can yield cryptocurrency without the attacker going through risky intermediary steps such as ransom, blackmail, or offering stolen data for sale. Also, the IT resources being stolen might not yet be on the security team’s radar.

One challenge companies face is that criminals who mine often have different goals from those who send out malware or conduct other types of cyber attack.

Not surprisingly, the types and number of crypto hijacking attacks have been multiplying over the past several years, and the number and sophistication of attacks will only get worse, experts warn.

In itself, cryptocurrency mining is not malicious: the CPU is simply used to compute complex mathematical operations. There is no leak of data, and no malicious activity such as DDoS or holding data to ransom is involved.

But that is neither an excuse nor a justification for the activity; it is, however, an indicator of the strategic savvy of a potential attacker. The goal of crypto hijacking is not unlike that of a traditional advanced persistent threat: the attacker wants to make sure you do not notice any unusual activity. They do not want to melt your systems down or use too much, but rather keep usage at a level where it is effective but not noticeable. Some viruses can control their own CPU usage; if they can keep it at a level you do not notice but that is still effective for the attacker, it can go on for years as long as they continue to lie low. But not all crypto jacking is subtle or without negative impact. Often you will notice nearly 90% degradation of your computing power.

On mobile devices, crypto hijacking can run the battery down in two to three hours and can potentially raise the temperature of the device higher than the recommended maximum by more than 45 degrees Fahrenheit.

Using more CPU cycles can have negative effects, such as a risk of system overload, which can be critical in real-time operations. And for cloud-hosted infrastructure, where CPU cycles are counted in the monthly bill, the risk of higher bills is real.

The net impact on the organisation is hidden costs, which can hit the bottom line and can hardly be traced back to the original intrusion. An organisation hit by crypto hijacking will use more electricity and generate more heat, which requires more air conditioning and further increases utility costs.

You should note that crypto hijackers typically use the same methods and toolkits as other viruses, malware and attacks to gain access to a corporate network: phishing and other spam email, web malware, malicious URLs, digital advertising networks, and the like. Some attacks are more direct, such as installing a rogue device above an acoustic ceiling tile, or putting a rogue server under a data centre’s raised floor; both approaches have been in the news recently after data centre security teams identified insider attacks and tracked down the devices hidden inside the offices of the compromised companies.

In the beginning, crypto miners were delivered like regular malware: as a Windows, Linux, or other binary that was executed once delivered to the intended target. Now there is an increase in crypto mining attacks delivered as JavaScript code running in the browser. To be effective, the victim has to visit a malicious page.

While illegal crypto mining itself might not directly interfere with or damage corporate IT systems, data, operations, or utility bills (the extent of the impact can be difficult to determine, experts agree), that does not reduce the security concerns inherent in crypto mining.

Servers make ideal targets for crypto mining malware. Malware wants whatever it infects to stay on all the time, because a reboot may mean the malware does not start back up. Servers are the ideal persistent targets because they are not restarted very often.

The next iteration of crypto hijacking may include tools that allow remote access to target systems and keylogging: the mere fact that a script can execute and is given the privilege to run means it can also do other things.

The same malware that downloaded a crypto mining app, often unwittingly installed as a browser app or plug-in, can be used as an infection vector or file loader for other abuses.

How to fight the crypto hijacking attacks

There is a lot that organisations can do to combat the rise of crypto hijacking, much of which is already part of, or easily added to, your organisation’s current IT security policies, procedures, and tools.

The basics of information security and the security hygiene of your IT systems are first and foremost the key to having a robust information security strategy and plan in place that can counter this rising phenomenon.

Implementing crypto hijacking-oriented procedures and tools should be part of every set of data security policies and procedures within your organisation.

These include:

  • Secure web browsers, including any plug-ins or extensions. Make sure systems are blocking crypto hijacking adware and malware, and check/test browsers (and their plug-ins/extensions) specifically for crypto mining. Some browser vendors have tools that can assist in testing for crypto hijacking malware, so please test and use them.
  • Consider application and URL whitelisting and blacklisting. Make sure the block list includes known/suspected crypto hijacking and other cryptocurrency entries.
  • Block crypto hijacking “phoning home”, since the mining results have to be sent back to the cryptocurrency’s command-and-control (C&C) server. Artificial intelligence-based monitoring might help, since the messages are typically short and do not look like typical malware activity. Deep packet inspection might be required, since the messages could be encrypted.
  • Monitor servers and power distribution units (PDUs), not just CPU activity. Power use, temperature, fan speed, memory use, and drive space usage could all indicate crypto hijacking in progress.

The management consoles for most enterprise servers let you configure and monitor alerts. Where crypto hijacking is concerned, any sudden jump may mean an attack has ‘succeeded’, and anything going to 100% is suspect and should be investigated further.

As with all computer security activity, educate your employees about crypto hijacking. The typical user won’t notice anything until the system becomes slow or sluggish. Your organisation’s education and awareness training should make users aware of exceedingly long CPU times, of which running processes are causing these CPU spikes, and of high-load CPU processes that point to a web browser with a malicious tab.

Educating all users is essential; even those who might not work directly with company computers are likely to have a company-owned or personal mobile device. Crypto hijacking education should not be limited to a separate 15- to 20-minute presentation. It should be part of an IT security awareness presentation, typically half a day, covering all cyber threats, including crypto jacking.

Preparing for the inevitable

Organisations should start planning for potential crypto hijacking incidents now, walking through different threat vectors and scenarios across the organisation. I highly recommend conducting tabletop exercises and having formalised incident response and incident recovery plans available for use across the enterprise.

Discovering crypto hijacking must be treated as a security incident and handled as such. Nobody knows the scope and scale of crypto hijacking. Big companies with sophisticated systems will try to block and mitigate it. Smaller companies will always be at higher risk because they don’t have the resources or people to detect the problem. If a crypto hijacker can keep their illegal crypto mining activity at a level where it isn’t impacting day-to-day operations, many companies won’t notice it’s occurring at all.

An essential part of finding and stopping any cyber breach is how the company and all of its employees internalise security. Maintain a culture of security. Don’t just look for specific threats, but be much broader in your threat hunting. Be like a doctor looking at a patient’s big picture: monitor your systems for unusual activity at the processor level, watch for significant data inflow and outflow, and look for unusual peaks in network activity.

If you are not already taking full and offsite backups, you should start doing it now.

Protection tips against Crypto Hijacking

  1. Use the right system monitoring tools to track and log unusual processes.
  2. Do not allow hosts to communicate directly with the internet, and filter connections via a proxy server.
  3. Watch for suspicious processes running on the hosts.
  4. Use intrusion detection systems (IDS) plus a list of known malicious IP addresses/hosts known to be used by crypto miners.
  5. Crypto mining programs need to use a persistence mechanism to restart when the infected host is rebooted. Look for registry keys or scheduled tasks for unusual entries.
  6. Since a crypto mining program must constantly communicate with servers to receive hashes to compute and send them back, network connections to suspicious sites are a good indicator of malware on the system, particularly when the infected machines do not usually connect to the internet.
  7. Make sure that the IT department is doing the canonical security tasks, such as updates, and access and privilege restrictions are in place, backups are carried out and tested, and periodic security scans of systems and the physical structure are conducted.
  8. Stay up to date. In general, make sure all software, drivers, operating systems, firmware and other code are patched and up to date. This must also include updating anti-virus, anti-malware, URL web-filtering, IP address white/blacklisting, and other security databases.
  9. Remember that system updates might require rebooting, so plan this carefully. For example, the Google Chrome browser updates itself but requires the user to restart the browser, and most people keep their browser sessions open so as not to lose their open tabs. I recommend rebooting every few days at a minimum, ideally daily if possible.
  10. Restrict external access. Most servers should not have direct internet access, and for those that do, it should be only to very predictable websites, like OS update and specific trusted sites. Block the rest, or at least block known suspicious ones.
  11. Make sure that any default passwords or other access credentials are changed immediately upon installation of a new device.
  12. Organisations should enforce and encourage running user computers in least-privilege mode rather than in administrator mode.
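As an added example, not from the original post, the following Python script applies tips 1, 3, 4 and 6 together with the monitoring advice above: it flags processes pinned at high CPU across consecutive samples, checks their outbound connections against a blocklist of mining hosts, and rates each finding. The sample process readings, connection log, host names and the blocklist entry are all constructed placeholders.

```python
from collections import defaultdict
# Constructed sample data (not from the page). Per-process CPU readings taken
# every 60 s: "<t> <host> <pid> <process> <cpu%>".
PROCESS_SAMPLES = """\
0 ws01 4120 chrome.exe 97.5
0 ws01 812 outlook.exe 3.1
60 ws01 4120 chrome.exe 98.2
60 ws01 812 outlook.exe 95.0
120 ws01 4120 chrome.exe 96.9
120 ws01 812 outlook.exe 2.0
"""
# Constructed outbound connection log: "<t> <host> <pid> <dest_host> <dest_port>".
CONN_LOG = """\
5 ws01 4120 pool.mining-example.test 443
7 ws01 812 mail.corp.example 443
65 ws01 4120 pool.mining-example.test 443
"""
# Placeholder blocklist; in practice fed from the known mining hosts of tip 4.
MINING_HOST_BLOCKLIST = {"pool.mining-example.test"}

def parse_process_samples(text):
    """Group CPU readings by (host, pid, name), ordered by sample time."""
    series = defaultdict(list)
    for line in text.splitlines():
        t, host, pid, name, cpu = line.split()
        series[(host, int(pid), name)].append((int(t), float(cpu)))
    return {key: [cpu for _, cpu in sorted(vals)] for key, vals in series.items()}

def sustained_high_cpu(series, threshold=90.0, min_samples=3):
    """Processes at or above `threshold` for `min_samples` consecutive readings.
    A one-off spike (outlook.exe at t=60) is not flagged; a pinned process is."""
    flagged = set()
    for key, readings in series.items():
        run = 0
        for cpu in readings:
            run = run + 1 if cpu >= threshold else 0
            if run >= min_samples:
                flagged.add(key)
                break
    return flagged

def blocklisted_connections(text, blocklist):
    """Map (host, pid) to the blocklisted destinations it contacted."""
    hits = defaultdict(set)
    for line in text.splitlines():
        _, host, pid, dest, _port = line.split()
        if dest in blocklist:
            hits[(host, int(pid))].add(dest)
    return hits

def triage(process_text, conn_text, blocklist):
    """'high': sustained CPU plus traffic to a blocklisted host; 'medium': CPU alone."""
    hot = sustained_high_cpu(parse_process_samples(process_text))
    conns = blocklisted_connections(conn_text, blocklist)
    return {k: ("high" if (k[0], k[1]) in conns else "medium") for k in hot}
```

In a real deployment the readings would come from the endpoint agent or the server management console, and the blocklist from the threat-intelligence feeds the tips recommend; a 'medium' finding is still worth the investigation the text calls for.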

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based Information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and technical perspective. His current interests are business-driven security architectures, identity and access, the Cloud, virtualization security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.