Hiding in Plain Sight: The Curse of the Cryptojackers
For much of 2017, tech news headlines were dominated by the wide-reaching and incredibly costly effects of ransomware. WannaCry and NotPetya infected thousands of computers, holding their data hostage and demanding that the user pay a significant sum for it to be returned to them. These attacks didn’t just affect general users, but businesses and national infrastructure as well, resulting in damage to reputations and a significant loss of capital due to downtime.
But in 2018 we find ourselves faced with a different kind of threat, one that arguably hides in plain sight: cryptojacking. Cryptojacking sees malicious actors run cryptocurrency-mining software in the background of a user’s computer without their permission or knowledge. This can have a serious financial impact on a company: the combined costs of electricity and lost productivity are enough to be of concern to financial teams in charge of budgets, and there is also the issue of reputational damage associated with unknowingly aiding criminal activity.
Different Shades of Cryptojacking
These attacks generally come in two forms. Firstly, cryptojacking malware works in a similar way to other malware variants, oftentimes with hackers sneaking cryptocurrency miners into software (ranging from apps on a smartphone to videogames on the world’s largest PC gaming platform), which then run in the background of a computer. Cryptojacking malware can gain access to core systems through a variety of attack vectors, including out-of-date applications and operating systems, like Windows XP. In one instance of a cryptojacking malware attack, hackers created a botnet (an army of connected devices) of cryptominers, dubbed ‘Smominru’ by security researchers, which exploited over 520,000 machines – that’s nearly as large as the Mirai botnet that nearly ‘broke the internet’ in 2016. This attack amassed nearly $2.3 million in the Monero cryptocurrency.
The second form of cryptojacking is far sneakier: ‘drive-by’ cryptojacking attacks can be performed on any device using a web browser. Simply put, these attacks happen when web pages infected with a so-called mining script are open on a user’s computer. The website will then, without the user’s knowledge or consent, mine for cryptocurrency using their PC. Attackers can then use the power of the user’s Central Processing Unit (CPU) to mine for currency – though the criminals lose access immediately when the user leaves the page. A recent, high-profile ‘drive-by’ attack saw 5,000 websites affected by the cryptojacking malware. The attack also infiltrated websites belonging to the UK Information Commissioner and several NHS and local council services.
The fact that cryptojacking lucratively operates “under the radar”, as well as crypto’s rise in popularity, has meant that the number of reported cases of cryptojacking rose by more than 600% in Q1 2018. Cryptojacking is very hard to detect, particularly if criminals use currencies like Monero, which is famous for its level of privacy. Like other cryptocurrencies, Monero uses a public ledger, but the difference is that Monero’s is obfuscated to the point where no one can tell a transaction’s source, amount or destination. For these reasons, it is a popular choice for cybercriminals, including cryptojackers. ‘Drive-by’ attacks are easier to execute than other cyberattacks and, from a cybercriminal’s perspective, can have a higher ROI as they only have to hack one website in order to target all visiting devices. As of the 9th July, 2018, over 30,000 websites have been infected with malicious crypto mining scripts, including sites belonging to Tesla and Aviva. Finally, crypto-mining criminals aren’t relying on users or organisations choosing to transfer money in order to regain access to their data or systems as in the case of ransomware attacks; instead, they are able to mine for as long as the malicious script is running. Experts are even arguing that cryptojacking could soon overtake the use of ransomware because it is simple, more straightforward and less risky.
Running out of Energy: The Effects of Crypto-Mining
The effects of cryptojacking on a PC should be fairly noticeable. Mining for cryptocurrency runs complicated equations which are time and processor intensive. Tell-tale signs are if a device starts acting uncharacteristically sluggishly, or if its fans seem overactive. If the affected device is a laptop the battery will drain noticeably quicker. These symptoms can go undetected, however, particularly if devices are still operational and users don’t think to alert the IT help desk.
Some may argue that cryptojacking is thus just a minor nuisance and a largely victimless crime, but in fact the damage comes from just how energy intensive it is. While the immediate effects may not be as crippling as a large-scale ransomware attack, costs build up because cryptojacking can slow down systems and destroy technology, which are costly on their own but can also lead to downtime. Drains on electricity can also cause incredibly high bills, and are bad for the environment. The electricity consumed by cryptojacking (Coinhive in this case) on just one desktop computer was 1.212 kWh over the space of 24 hours. According to the Energy Savings Trust, the average cost of electricity in the UK per kWh is 14.37p, so this would cost 17.42p per day, or £5.22 per month. For an organisation made up of hundreds (if not thousands) of computers, this could quickly become very expensive. In some cases, cryptojacking has also been known to completely destroy IT equipment due to the heavy and unrelenting strain that the hardware is put under by mining software. Organisations need to tackle cryptojacking head on in order to protect IT hardware and software, save on extra energy costs and ultimately retain business that may be lost due to downtime.
A Layered Defence against Cryptojackers
To prevent these attacks, organisations need to make sure that everything on their network is monitored and checked regularly, from PCs to websites. And when using third-party tools, they should put protections into place and not link directly to source code (the behind-the-scenes workings of what makes any computer program function) which isn’t their own. Businesses should also invest in resources for IT and security teams that give them a holistic view of what is going on in their environments, because they can’t protect or defend against threats they don’t know about. Finally, a layered approach to cybersecurity reduces attack surfaces, detects attacks that do get through, and helps cybersecurity professionals to take rapid action to contain malicious activity and software vulnerabilities. The financial outlay on a layered cybersecurity solution might seem costly, but finance teams in charge of investing in technology should see this as a critical insurance policy against cyberattacks that could completely cripple a business. Investment in cybersecurity is nothing compared to what cryptojacking could cost an unprotected organisation.
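One way to act on the advice about third-party code, shown as an added example that is not part of the original article: audit a page for scripts loaded from other hosts without a Subresource Integrity hash. Reading "protections" as SRI is an assumption made here, and the sample page, host names and file names are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

PINNED_PREFIXES = ("sha256-", "sha384-", "sha512-")

def sri_hash(script_bytes):
    """Value for an integrity= attribute: 'sha384-' + base64(SHA-384 digest)."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class ScriptAudit(HTMLParser):
    """Collects third-party <script src> tags that carry no integrity hash."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        host = (urlparse(src).hostname or "").lower() if src else ""
        if not host or host == self.page_host:
            return  # inline, relative or same-host script: served by us
        # Without a hash the browser runs whatever the third party serves,
        # including a copy that has had a mining script appended to it.
        if not (attr.get("integrity") or "").strip().startswith(PINNED_PREFIXES):
            self.unpinned.append(src)

def find_unpinned_scripts(html, page_host):
    """Return the src of every cross-host script that lacks an SRI hash."""
    audit = ScriptAudit(page_host)
    audit.feed(html)
    audit.close()
    return audit.unpinned

# Constructed sample page; every host and file name is a placeholder.
SAMPLE_LIB = b"console.log('lib');"
SAMPLE_PAGE = f"""<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/accessibility.js"></script>
<script src="//widgets.example.org/chat.js" integrity=""></script>
<script src="https://cdn.example.net/lib.js" integrity="{sri_hash(SAMPLE_LIB)}" crossorigin="anonymous"></script>
</head></html>"""

if __name__ == "__main__":
    for src in find_unpinned_scripts(SAMPLE_PAGE, "www.example.com"):
        print("no integrity hash:", src)
```

A script pinned this way is refused by the browser if the file served no longer matches the hash, so a vendor update requires regenerating the value with `sri_hash`.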
Users, including financial teams who are often targets of cyberattacks, can also do their bit to stop the spread of cryptojacking. It’s important not to download files from suspicious websites, or open attachments from email addresses you don’t recognise. Furthermore, users can protect themselves online through the use of browser plug-ins that block attempts from websites trying to hijack their PCs.
However necessary it may be to introduce precautions, what ultimately might end up being the cure for cryptojacking is cryptocurrency itself. At time of writing, Bitcoin has just experienced a crash of a little under $1,000 in just shy of 24 hours. This volatility – particularly if crypto continues its downward trend since Bitcoin peaked at $19,783.06 in December 2017 (it is currently at $6,431.70 less than 10 months later) – might put criminals off. If cryptojacking can no longer prove to be profitable because the investment in the tools required is not matched by the reward, then it may well be the markets that solve the cryptojacking issue.
While market volatility is out of the control of individual businesses, what is within their means is the ability to shore up their infrastructure. Hackers are at the cutting edge in their attempts to exploit any sort of flaw that exists in a system’s makeup and cryptojacking is currently the shiniest plaything in their toy box. The positive outlook however is that cryptojacking can be protected against with the right tools and mind-set. Out-of-date applications and operating systems are a favourite attack vector for bad guys, but they can easily be fixed. It is the responsibility of IT and Security teams, along with key decision makers who are in charge of purchasing, to stop them. By investing in cybersecurity technology, as well as training users, organisations defend against cryptominers trying to gain access to precious resources and can help to make cryptojacking a less attractive prospect for hackers.