Cryptojacking, the new Data Center “Attack Du Jour”
I’m fairly certain that, by now, most of you have heard the term “Cryptojacking”. Do you know what it is and how it works? If the answer to that is “No” or “I’m not sure”, it’s time to get to know this sneaky snake before it bites you. It bit electric car maker Tesla earlier this year. A misconfiguration of the auto maker’s Amazon Web Services environment allowed hackers to get in. They stole NO data and installed NO ransomware; what they did was install software that mines cryptocurrency.
Cryptojacking consists of an attacker surreptitiously installing cryptocurrency mining software on a target system. The software consumes processor cycles and their requisite electricity to process cryptocurrency transactions, thus earning the attacker a commission. As such, it may not even technically be “Malware”, since it takes pains to do nothing to arouse suspicion by stealing or damaging data. The fact that Cryptojacking software doesn’t have to establish a command and control link to the attacker, combined with the fact that the victim is only losing processing cycles that may have gone idle anyway, contributes to cryptojacking’s surge in popularity among hackers.
Cryptojacking has, in fact, dethroned ransomware as the world's most common type of cyber-attack, Sarah Morgan, Webroot's channel account manager, told attendees of the NexGen Cloud conference held recently in Anaheim, California. It has done so because it's both easy to do and profitable, Morgan said. There's a "minimal illegal footprint," and often authorities aren't too concerned because the attackers aren't shutting down offices by encrypting files or stealing valuable data. Cryptojacking, like many other threats, is gaining steam because cybercriminals are "making a ton of money out of it." The latest threat report from Trend Micro shows that the number of cryptojacking detections was more than ten times higher during the first half of this year than during the same time last year.
Make no mistake, criminals are putting Cryptojackers on anything that can run a process, including mobile devices, IoT devices, and browsers. If the attack is against an individual, the performance hit could be so small that the user might not even notice. If servers in a data center are infected, the damage can be substantial. For cloud deployments, there will be higher usage bills. For on-premises installations, cryptojacking may mean higher electric bills. Application users may see degraded performance and make more support calls. The criminals can run up tens of thousands of dollars’ worth of cloud computing and electricity bills before the problem is discovered.
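One way to catch the data center case described above is to look for hosts whose CPU stays pinned during hours when it would normally sit idle. The following is an added example, not part of the original article; the host names, hourly samples and thresholds are constructed assumptions to be tuned against your own monitoring data.

```python
# Flag hosts whose CPU is pinned far above their own hour-of-day baseline
# for many consecutive hours (cycles that would otherwise have gone idle).
# All host names and samples below are constructed for illustration.

BASELINE = {  # typical hourly CPU %, 00:00-23:00
    "web-01":   [8] * 7 + [45] * 12 + [12] * 5,
    "batch-02": [92] * 6 + [10] * 18,
    "db-03":    [15] * 24,
}
CURRENT = {   # the last 24 hours
    "web-01":   [9] * 7 + [50] * 7 + [96] + [48] * 4 + [11] * 5,  # one-hour spike
    "batch-02": [94] * 6 + [12] * 18,                             # usual nightly job
    "db-03":    [14] * 8 + [98] * 16,                             # pinned from 08:00
}


def longest_run(flags):
    """Length of the longest streak of consecutive True values."""
    best = run = 0
    for flagged in flags:
        run = run + 1 if flagged else 0
        best = max(best, run)
    return best


def suspicious_hosts(baseline, current, floor=80.0, margin=40.0, min_run=6):
    """Return {host: hours} for hosts pinned above baseline for >= min_run hours.

    floor   - CPU % that counts as "pinned" (assumed threshold)
    margin  - how far above the host's own baseline the hour must be
    min_run - consecutive hours required, so short spikes are ignored
    """
    findings = {}
    for host, now in current.items():
        # A host with no history is judged on the floor alone (baseline of 0).
        base = baseline.get(host, [0.0] * len(now))
        flags = [c >= floor and c - b >= margin for b, c in zip(base, now)]
        run = longest_run(flags)
        if run >= min_run:
            findings[host] = run
    return findings


if __name__ == "__main__":
    for host, hours in suspicious_hosts(BASELINE, CURRENT).items():
        print(f"{host}: CPU pinned above baseline for {hours} consecutive hours")
```

The batch host is busy at the same hours as its baseline and the web host only spikes for an hour, so neither is reported; only the host that is suddenly saturated around the clock is.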
How to prevent cryptojacking
- Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts to load scripts onto users’ computers. Phishing is and will likely continue to be the primary method used to deliver malware of all types.
- Install an ad-blocking or anti-cryptomining extension on web browsers. Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective means of stopping them. Some ad blockers like Ad Blocker Plus have some capability to detect cryptomining scripts. Browser extensions like No Coin and MinerBlock, which are designed to detect and block cryptomining scripts, are also worthwhile.
- Use endpoint protection that is capable of detecting known crypto miners. Many of the endpoint protection/antivirus software vendors have added cryptominer detection to their products. Just be aware that cryptominer authors are constantly changing their techniques to avoid detection at the endpoint, so keeping the product current is paramount.
- Keep your web filtering tools up to date. If you identify a web page that is delivering cryptojacking scripts, make sure your users are blocked from accessing it.
- Maintain browser extensions. Some attackers are using malicious browser extensions or poisoning legitimate extensions to execute crypto mining scripts.
- Use a mobile device management (MDM) solution to better control what’s on users’ devices. Bring-your-own-device (BYOD) policies present a challenge to preventing illicit cryptomining. An MDM solution can help manage apps and extensions on users’ devices. MDM solutions tend to be geared toward larger enterprises, and smaller companies often can’t afford them. Mobile devices are less at risk than desktop computers and servers, however, since they tend to have less processing power and are less lucrative for the criminals.
None of the above best practices are foolproof. The cyberthreat landscape is continually evolving and YOU, my friend, MUST change with it.