Cryptocurrency miners are seemingly working away under every rock on the internet and there is good reason. It's an almost guaranteed payday with a negligible chance of being discovered.
The proliferation of miners is reflected in Check Point's monthly malware report. For February three of the top four malware types most spotted by the security firm were miners, Coinhive, Cryptoloot and JSEcoin and even the fourth malware, RigEK, is also involved as it is being used to distribute miners.
The impetus behind the cryptocurrency gold rush is, of course, the money. Check Point found that every 10 minutes bitcoin commits a new block of transactions to its ledger and awards 12.5 bitcoins to its miner, this equates to – depending on the currency's value, to about £90,000) every 10 minutes or £4.9 billion annually. Monero creates much less of its currency each year, but it is still a substantial £300 million).
With these amounts in play it has caused the number of attacks to increase exponentially with just over eight million per week taking place per week by mid-February 2018. This is up from almost none in August 2017. The trigger for the increase was when bitcoin's valuation surpassed US$ 10,000 (£7,161) per bitcoin in late November 2017.
And in the short-term there is no end in sight.
“It's always challenging to try and guess the next steps of hackers. What I can say is that for now we continue to see a steady rise in the volume of these attacks, and new crypto-mining attack campaigns every few days. Our gateways are reporting more and more companies being targeted – 200 additional companies in the past couple of weeks. If I were to guess, then I'd say this growth trend is going to continue in the near future,” Gad Naveh, Check Point's advanced threat prevention evangelist told SC Media.
And this activity does not take into account the legal mining that is being conducted by companies setting up massive, and power intensive, server farms dedicated to the trade. Because this is expensive, and criminals are cheap, they are opting to engage in a variety of attacks that not only steal digital funds, but can directly harm businesses and individuals, Check Point reported.
These include cryptojacking attacks where a computer is hit with malware that starts running a mining operation in the background. Some malicious actors intercept cryptocurrency that is being produced and shift it to their wallets instead of the manufacturer. Wallet theft takes place when a wallet's private key or credentials are stolen and the criminal simply empties the account. Then there is the Crypto Shuffler. After being installed it can tell if a cryptocurrency user has copied their wallet address onto the device's clipboard. When this happens the bad guy simply swaps out the legitimate address with their own redirecting the funds.
Businesses need to be aware of this threat as they are now the primary targets of miners and thieves with 55 percent of all attacks in December 2017 striking businesses. Not only can these firms suffer a financial loss if their digital currency is stolen, but even basic cryptojacking operations will bog down a company's network as all its processing power is shunted over to the mining operation causing a loss of productivity. And then as an added insult the company has to pay for the extra power being used.
There is also the possibility the mining malware can get into a company's web servers and then be spreads to its customers damaging the organisation's reputation.
Naveh recommends companies, and individuals, have a solid overall defense in place which covers all possible attack vectors across all of their IT – LAN, data-centre, cloud, endpoints, and mobile. He does believe the cloud deserves special attention.
“The cloud's auto-scaling capability fits perfectly with the miner's endless thirst for CPU power. As a mining malware consumes all available CPU power, the cloud platform will automatically spawn more instances, allowing the infection to gain huge scalability at the expense of its victim. We've seen a recent instance where a company's AWS bill went up from less than US$ 10K (£7.1K) to over US$ 100K (£71.6K) per month due to mining malware that had infected their cloud,” he said.
Naveh also noted a few actions that could eventually lead to at least a slowdown in cryptocurrency mining. The item that could have the quickest impact would be a drastic reduction in the value of the various currencies or even making digital currencies illegal. Once mining is no longer lucrative criminals could go back to ransomware and other money generating crimes.
Legal mining could also drive out criminals.
“Major increase in legitimate mining datacenters, which may take all the big money and make return on cryptojacking returns too miniscule to be worth the efforts and risks of the hacking community,” he said, adding regulations forcing miners to be identified along with a crackdown by law enforcement could all eventually lead to the end of illegal mining.
But with that said Naveh concluded, “As of now, all of the above seem to me to be unlikely to happen in the near future. So my guess would be that these attacks will likely continue for some time.”