If you’re concerned about cybersecurity, and you’re not up to speed on illicit crypto mining, aka ‘cryptojacking,’ then it’s time to get with the program. Cryptojacking is now more prevalent than ransomware, 2017’s most popular cyberattack method.
As I explained in my March 2018 article Top Cyberthreat Of 2018: Illicit Cryptomining, cryptojacking is where an attacker surreptitiously installs cryptocurrency mining software on a target system. The software – which may not even technically be malware – consumes processor cycles and their requisite electricity to process cryptocurrency transactions, thus earning the attacker a commission, usually in the anonymous cryptocurrency Monero.
The fact that cryptojacking software doesn’t have to establish a command and control link to the attacker, combined with the fact that the victim is only losing processing cycles that may have gone idle anyway, contribute to cryptojacking’s surge in popularity among hackers. “If 2017 was the year of ransomware, 2018 looks likely to go down as the year of cryptominers,” explains the Vulnerability and Threat Trends 2018 Mid-Year Update by Skybox Security. “Cryptomining malware is often able to run undetected, making money for attackers all the while.”
Cat-and-Mouse Game in the Browser
Early cryptojacking attempts largely targeted PCs and mobile devices running browsers via the cryptomining software from Coinhive. Coinhive developed this software ostensibly for on-the-level web companies to better monetize their sites, but criminals soon moved in, coopting Coinhive for illicit purposes.
A cat-and-mouse game soon followed as antivirus vendors listed Coinhive as malware, only to drive innovation in cryptojacking software that would defeat the anti-malware tools.
Anti-malware vendor Malwarebytes uncovered one such innovation. “We have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed,” says Jérôme Segura, Head of Investigations, Malware Intelligence, Malwarebytes Labs. “This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides.”
Such ‘drive-by mining,’ in turn, elicits new prevention techniques. “Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves,” Segura continues. “If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers.”
The Real Pot of Gold
As this back-and-forth plays itself out, cryptojackers are increasingly eyeing a more valuable prize: servers. Running in corporate and cloud data centers, servers are both vast in number and far more powerful than PCs and mobile devices, presenting forming a fertile field for planting cryptojacking software.
Given the state of corporate cybersecurity, however, targeting servers require a more sophisticated attack vector than ‘pop-under’ browser windows. The weak spot: Windows remote administration tools like Windows Management Instrumentation (WMI).
Cybersecurity vendor Kaspersky Lab recently uncovered WMI-based cryptojacking malware. “The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers,” explain Vladas Bulavas and Anatoly Kazantsev, malware analysts at Kaspersky Lab. “This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits.”
As a result of PowerGhost and other cyberthreats targeting corporate servers, the enterprise threat landscape has shifted its emphasis from ransomware to cryptojacking. “Corporate users bore the brunt of the attack,” Bulavas and Kazantsev continue. “it’s easier for PowerGhost to spread within a company’s local area network.”
The Skybox Security report confirms this trend. “Notably, cryptominers had the highest increase in the number of new malware attacks, from seven percent of reported attacks in the second half of 2017 to 32 percent in the first half of 2018,” the report says. “At the same time, ransomware — the darling of cybercriminals in years past — saw a decline in attacks, essentially swapping market share with cryptominers. While ransomware and the other malware families are still a concern, malicious cryptomining has simply proved too attractive in terms of return on investment.”
Cryptojacking can no longer operate under the covers. Every CISO must understand the significance of this threat, and rank cryptojacking among the top cyberthreats facing the enterprise. Complacency is no excuse – especially as cryptojacking spreads to the point that the entire corporate IT environment collapses under its weight. The time to take action is now.