Cryptojacking is the mining (“stealing”) of cryptocurrency through the unauthorized use of someone’s computer. Hackers use two methods to accomplish this task: either they get the victim to open a malicious link in an email, thereby loading the cryptomining code, or they infect a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.
It is unknown how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Adguard, in a recent study, reported a 31 percent growth rate and found 33,000 websites running cryptomining scripts, with an estimated billion combined monthly visitors who are thereby exposed to cryptojacking.
Why is cryptojacking becoming more popular? More money is stolen with minimal risk. “Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware,” says Alex Vaystikh, CTO and co-founder of SecBI. It is simply an issue of math. Ransomware hacking might yield three payments for every 100 computers infected. Cryptojacking puts all 100 infected machines to work supporting the hacker’s mining of cryptocurrency.
Chances of being caught and identified are also much lower than with ransomware. The mining code runs hidden and can go undetected. When discovered, it’s almost impossible to trace to the source. Further, the victims have no incentive to do anything as nothing is stolen or encrypted.
How To Prevent Cryptojacking
- Add cryptojacking into your security awareness training.
- Install ad-blocking and anti-cryptomining extensions in web browsers.
- Use Advanced Endpoint Protection, such as SentinelOne, that is capable of detecting known cryptominers.
- Use current, updated web filtering tools.
- Maintain browser extensions.
- Use a mobile device management (MDM) solution to better control what’s on users’ devices.
Detecting Cryptojacking
Best practices do not always thwart cryptojacking attacks, and it is a difficult task to identify infections. This is especially true when only a subset of systems is compromised.
Ensure you use an Advanced Endpoint Protection product! Legacy endpoint protection tools do not stop cryptojacking. “Cryptomining code is not visible to signature-based detection tools,” says Laliberte. “Desktop antivirus tools won’t see them.” Here’s what will work:
Train help desk personnel to look for signs of cryptomining. “Sometimes the first indication of cryptomining is an increase in help desk submissions concerning poor computer performance,” says SecBI’s Vaystikh. That should raise a red flag to investigate further.
Other symptoms help desks should monitor for are overheating systems and CPU and cooling fan failures. Thin mobile devices like tablets and smartphones are particularly susceptible to these issues.
Cryptojacking scripts do not damage computers or victims’ data, yet they steal CPU processing cycles. Organizations with many cryptojacked systems can incur real costs in help desk time spent investigating performance problems and in an unusual volume of component replacements to solve the problem.
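One way to look for the sustained CPU use described above in endpoint telemetry, including the case where only a few hosts are affected. This is an added example, not part of the original article; the row format, host names, thresholds and function names are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from statistics import median

def build_samples():
    """Constructed telemetry rows: (host, minute, process, cpu_percent)."""
    rows = []
    for m in range(10):
        rows.append(("ws-01", m, "browser", 95 if m == 3 else 10))  # one brief spike
        rows.append(("ws-02", m, "browser", 92))                    # pinned for 10 minutes
        rows.append(("ws-03", m, "browser", 8))                     # idle
        rows.append(("ws-04", m, "browser", 12))                    # idle
        if m != 5:                                                  # agent missed minute 5
            rows.append(("ws-05", m, "updater", 85))
    return rows

def sustained_cpu(samples, threshold=80, min_run=5):
    """Map (host, process) -> longest run of consecutive minutes at or above
    threshold, keeping only runs of at least min_run minutes."""
    series = defaultdict(list)
    for host, minute, proc, cpu in samples:
        series[(host, proc)].append((minute, cpu))
    flagged = {}
    for key, points in series.items():
        run = best = 0
        prev = None
        for minute, cpu in sorted(points):
            if cpu < threshold:
                run = 0
            elif prev is not None and minute != prev + 1:
                run = 1          # telemetry gap: do not bridge it
            else:
                run += 1
            best = max(best, run)
            prev = minute
        if best >= min_run:
            flagged[key] = best
    return flagged

def fleet_outliers(samples, factor=3.0):
    """Hosts whose mean CPU exceeds factor times the fleet median of host means."""
    per_host = defaultdict(list)
    for host, _minute, _proc, cpu in samples:
        per_host[host].append(cpu)
    means = {h: sum(v) / len(v) for h, v in per_host.items()}
    baseline = median(means.values())
    return sorted(h for h, mean in means.items() if mean > factor * baseline)

if __name__ == "__main__":
    data = build_samples()
    print(sustained_cpu(data))
    print(fleet_outliers(data))
```

A single spike (ws-01) is ignored, and comparing each host against the fleet median keeps a small number of affected machines from being averaged away.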
Real-World Cryptojacking Examples
Cryptojackers are clever and they’ve devised schemes to use company computers to mine cryptocurrency. Most schemes are not new; the delivery methods are often new versions of those used for other types of malware including ransomware or adware. “You are starting to see a lot of the traditional things mal-authors have done in the past,” says Travis Farral, director of security strategy at Anomali. “Instead of delivering ransomware or a Trojan, they are retooling that to deliver crypto-mining modules or components.” Cryptojacking is not yet widely recognized for the threat it is. Some published articles point out the following as methods and tools that cryptojackers are using.
- BadShell hides infections in Windows processes
- Rogue employee commandeers company systems
- Serving cryptominers through GitHub
- Exploiting a rTorrent vulnerability
- Facexworm: Malicious Chrome extension
- WinstarNssmMiner: Scorched earth policy
How To Respond To A Cryptojacking Attack
- Kill the browser tab from which the attack originated.
- Record the source website URL and update the company’s web filters.
- Deploy anti-cryptomining tools.
- Update and purge infected browser extensions.
- Learn and adapt: use the experience to improve your understanding of how attackers compromise your systems.
- Enhance user, helpdesk and IT training to better identify cryptojacking attempts and respond accordingly.
Cryptojacking Attacks Are A Serious Threat To Company Assets
Cryptojacking, in its infancy, is one of a constant stream of new methods of cyber-based theft. Instead of delivering ransomware or a Trojan, attackers are retooling to deliver cryptomining modules or components and steal corporate cryptocurrency. Cryptojacking is not yet widely recognized for the threat it is. CFOs and CISOs must develop protection strategies now.