Rampant cryptojacking harming organisations' cyber-security, experts reveal

News by Jay Jay

While individuals and businesses across the world have embraced cryptocurrencies due to the various benefits they come with, the concept has also attracted the attention of cyber-criminals who have, over the years, created new cyber-tools and techniques either to mine cryptocurrency or to carry out cryptojacking on a large scale.

A new report from security firm CyberInt has described in detail how successful cyber-criminals have been in mining cryptocurrencies illegally while carrying out cryptojacking attacks and abusing mining scripts on a fairly large scale in recent times.

There's a method in all that madness, for cryptocurrencies help cyber-criminals in demanding payments anonymously while carrying out ransomware attacks, in stealing digital wallets and deploying 'cryptojacking' malware. The frequency of cryptojacking has also been aided by the arrival of cryptocurrencies such as Monero that can easily be mined on non-specialist hardware such as typical desktop computers and also offer as much privacy as Bitcoin even though they trade for significantly less than the latter.

Cyber-criminals have also been deploying browser-based mining scripts on a regular basis to generate revenue even though they do not mine cryptocurrency as efficiently as optimised programs. The use of these scripts allows fraudsters to evolve their cryptojacking campaigns from delivering malware payloads via traditional methods to mining for cryptocurrency by injecting code into a compromised website.

While legitimate browser-mining scripts offer a win-win solution for both website owners and visitors, such as monetising content in exchange for providing an advertisement-free experience to visitors, malicious in-browser mining scripts help fraudsters carry out cryptocurrency mining covertly while taking steps to obscure their activity.

Typical examples of in-browser miner abuse include injecting code into compromised websites to call mining scripts, creating malicious browser extensions that mine cryptocurrency whenever the browser is running, and registering typo-squatting domains that direct visitors to a mining script.

At the same time, fraudsters are also carrying out malvertising to inject mining script into compromised advertisements that are delivered to many legitimate websites, and also carrying out man-in-the-middle (MitM) attacks by intercepting network traffic and injecting miner script into websites visited by targeted victims.

Speaking to SC Magazine UK, Matt Walmsley, director of EMEA at Vectra, said that in recent months, he and his co-researchers have discovered "a startling trend in Bitcoin mining and abnormal web activity in higher education" as well as a surge in the popularity of cryptocurrency mining.

"There is a pattern between the value of cryptocurrencies and the amount of cryptojacking that occurs. For example, we detected that as the value of cryptocurrencies like Bitcoin, Ethereum and Monero increased, there was a corresponding uptick in the number of computers on university campuses performing mining or being cryptojacked by miners to process cryptocurrency hashes.

"It is clear that hijacking users' devices to mine cryptocurrency is far from being a victimless crime – although it is fast proving to be an incredibly lucrative one. In recent months we have seen companies as diverse as Tesla, YouTube, and a host of public sector organisations (including UK councils and the NHS) fall victim to cryptocurrency mining malware," he said.

Walmsley added that the fact that hackers can access corporate networks and hijack devices so easily, and control them for so long without detection, is a sign that an enterprise is not in control of its own security, and that presents a far greater risk. "Using AI to automate the detection of and response to cryptojacking allows pan-enterprise capability to get ahead of attacks," he said.

In their report, researchers at CyberInt said that in order to prevent the covert use of their systems by fraudsters to mine cryptocurrency, enterprises must use browser extensions such as ad blockers to block common mining scripts and domains. A number of 'anti-mining' browser extensions are also available which specialise in blocking mining scripts.

While recommending the use of client-side security solutions such as antivirus and antimalware tools to block mining scripts, the researchers also said that enterprises should assess whether their solutions filter and block suspicious and malicious web content, including mining scripts, by default. This will help them blacklist nefarious injections while whitelisting legitimate mining scripts at the same time.
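The gateway-side filtering described above, combined with the injected script calls described earlier, as an added example that is not part of the CyberInt report or this article: a Python scanner that pulls every script out of a fetched page, blocks sources on a miner blocklist, allows sources a site has declared on an allowlist, and flags inline code with miner-like traits for analyst review. All hostnames, the inline heuristic and the sample HTML are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder lists; a real gateway would load maintained lists.
MINER_BLOCKLIST = {"miner.example", "cdn.miner.example"}
MINER_ALLOWLIST = {"optin-miner.example"}   # site-declared, user-consented

class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script, self._buf = False, []

def classify_scripts(html, page_host):
    """(verdict, detail) per script: allow/block/pass for external sources, review for inline."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        # Relative URLs (no scheme and no //) belong to the page's own host.
        host = urlparse(src if "//" in src else "//" + src).hostname or page_host
        findings.append(("allow" if host in MINER_ALLOWLIST else
                         "block" if host in MINER_BLOCKLIST else "pass", src))
    for body in p.inline:
        # Crude constructed heuristic: Worker + WebAssembly or a blocklisted host in inline code.
        if ("WebAssembly" in body and "Worker" in body) or any(h in body for h in MINER_BLOCKLIST):
            findings.append(("review", body.strip()[:60]))
    return findings

# Constructed sample: a compromised page with an injected miner call.
SAMPLE_HTML = """<html><head><script src="/js/app.js"></script>
<script src="https://cdn.miner.example/lib.js"></script>
<script>var w = new Worker('w.js'); WebAssembly.instantiate(buf);</script></head></html>"""
```

A gateway would deny the whole response on any "block" finding and route "review" findings to the SOC rather than deciding on its own.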

Paul Edon, technical director at Tripwire, told SC Magazine UK that the best way for an enterprise to defend against cryptojacking is to prevent the attacker's initial intrusion from succeeding, since implementing foundational security controls such as secure configuration management and vulnerability management is the best way to mitigate risk.

"Every attack requires that the attacker make some kind of change to the system, so managing the integrity of assets lays a solid foundation for detecting all types of attacks, including cryptojacking.

"All businesses should be blocking websites that host JavaScript miners; they need to be blocked from the gateway through to the endpoints, especially those endpoints that are considered roaming devices. It is also very important that businesses not only prevent cryptomining apps from running on the network, they also educate users that cryptomining is not an acceptable use of corporate resources," he added.
