Costly cryptojacking overtakes ransomware in the enterprise threat stakes

News by Davey Winder

Last year ransomware was still riding high as the top threat to enterprise security. This year there's a new bad boy boss in town: cryptojacking.

According to the newly published Mid-Year Threat Report from Webroot there has been a "massive shift from ransomware to cryptomining" in the first six months of the year. Webroot reports that cryptojacking accounted for 35 percent of threats.

The report reveals that Webroot sees customers attempting to access sites where cryptojacking scripts are running, and that these attempts account for three percent of the multi-million URL requests Webroot sees each day. The busiest of these cryptocurrency mining domains is responsible for 31 percent of this traffic.

CrowdStrike's Observations From the Front Lines of Threat Hunting, also published this week, confirms the interest of threat actors in cryptomining. Researchers "identified multiple intrusions against victims in the legal and insurance industries... adversaries pursued post-exploitation financial gain by deploying cryptocurrency miners and employed techniques that allowed them to perform extensive lateral movement, creating as large a foothold as they could to commandeer resources for mining".

How worried should the enterprise be when it comes to cryptojacking, which some might argue is more of a nuisance than a security risk?

Plenty, suggests Paul Ducklin, senior technologist at Sophos, in conversation with SC Media UK. "If some devilish pact meant you were forced to choose between getting cryptojacked or attacked by ransomware, most people would choose the cryptojacking," Ducklin argued. "But that isn't the same as saying that cryptojacking is just a harmless nuisance."

Not least, as Alex Hinchliffe, threat intelligence analyst at Unit 42 at Palo Alto Networks, points out, because the presence of cryptojacking in the enterprise means that "other payloads, or other actors, may also exist in the same network".

Illicit cryptocurrency mining certainly isn't a victimless crime, and it is one that "represents a continuation of the trend for cyber criminality as a revenue stream," said SecureData CTO Etienne Greeff. It would seem to be a very profitable one for the threat actors. Take the Apache Struts compromises, which earned attackers more than $100,000 in cryptocurrency. "Another large scale crypto hacking operation inserted malware on vulnerable versions of the popular Jenkins X platform," said Derek Weeks, VP at Sonatype. "That campaign netted an estimated $3.4 million."

While the bad guys are reaping the financial rewards, the cost to the enterprise mounts up. "The electricity cost of Coinhive on just one desktop computer was 1.212kWh over the space of 24 hours," Simon Townsend, CTO (EMEA) at Ivanti, told SC Media UK. According to the Energy Savings Trust, the average cost of electricity in the UK per kWh is 14.37p, so this would cost 17.42p per day, or £5.22 per month. "For an organisation made up of hundreds (if not thousands) of computers," Townsend concluded, "this could quickly become very expensive."

And that's before we take into account lateral movement by the threat actors to capture the keys to your cloud. The cyber-criminals involved have pivoted from noisy attacks to stealthy ones, exploiting the difficulties enterprises face on the detection side of the security fence. If they succeed in quietly compromising cloud keys, the rewards are massive. "That’s where they can use your money to spin up massive infrastructure to crypto-mine," says Ian Trump, head of cyber security at AmTrust International. "And you may not know it until you get the big bill from your cloud provider."

So, what should the enterprise be doing to mitigate the cryptojacking risk? "Security awareness training is essential. Employees should be made aware of the dangers of phishing, a common way that cryptomalware is distributed," Andy Kays, CTO at Redscan, suggested, "as well as being encouraged to report slow computers and devices."

Chris Morales, head of security analytics at Vectra, also warned that the enterprise must tighten up software supply chain assurance and balance the risks and rewards of internet access and browser controls. "Organisations need to balance that against constraining legitimate organisational digital activities but must improve their ability to quickly detect and definitively respond to cyber-threats," Morales said. "By looking to AI to automate the detection of and response to cryptojacking, and other attacker behaviours, enterprises can better manage their cyber-risk."
