Cryptojacking – in which cryptocurrency miners secretly hijack your servers, desktop devices, mobile phones and even Internet of Things devices to “mine” new digital coins for themselves – isn’t the fictional “Office Space” heist that skims fractions of a penny at a time. While cryptojackers might not directly rob their victims of money, they steal valuable processing power, drive up bandwidth and energy costs, slow down other important computing tasks and shorten the useful life of devices.
The extra electricity costs alone can be considerable – possibly as much as $500 per computer per year, according to one estimate.
And the frequency at which organisations and individuals are being cryptojacked has risen dramatically in the past year or so. According to Webroot’s 2018 mid-year threat report, cryptomining last year dethroned ransomware as the number-one computer security threat. “[W]e found that cryptojacking had a 35 per cent share of all web threats and that is honestly absolutely insane,” senior threat researcher Tyler Moffitt told Wired.
While McAfee Labs found the threat remains less common than ransomware, it still reported massive growth in crypto mining malware.
“After growing around 400,000 in the fourth quarter of 2017, new cryptomining malware samples grew a stunning 629 per cent to more than 2.9 million samples in Q1 2018,” a news release from McAfee stated. “This trend continued in Q2 as total samples grew by 86 per cent with more than 2.5 million new samples. McAfee Labs has even identified what appear to be older malware such as ransomware newly retooled with mining capabilities.”
So how can individuals and businesses keep their devices safe and avoid being targeted for surreptitious cryptocurrency mining, whether via their browsers or installed malware?
Fundamental security precautions – strong passwords, the latest anti-virus protection, up-to-date software and operating systems – are a good start, notes the US Computer Emergency Readiness Team (US-CERT). So is basic education and awareness: make sure employees understand and follow common-sense cyber hygiene and know how to watch for signs of cryptojacking such as unusual degradation in processing speeds or out-of-the-ordinary CPU activity.
US-CERT also recommends disabling unnecessary services, uninstalling unused software, using application whitelists and blacklists, and regularly reviewing system privilege policies to ensure administrative functions can be carried out only by the employees who need to perform them.
“When looking for signs of illicit cryptocurrency mining, you should be using multiple data sources at both the network and endpoint layers,” the Cyber Threat Alliance (CTA) advises in a recent report. “Currently, the most common way of detecting and defending against miners is at the network layer, since they must communicate with an external source to receive new hashes and deliver coins to the appropriate wallet.”
The CTA’s anti-cryptojacking checklist also has a number of other recommendations, including:
1. Use machine learning or AI to monitor traffic behaviour and flag anomalies
2. Search DNS query logs for mining-related text strings (“bitcoin”, “crypto”, “pool”, “btc”, “coinhive” and so on); such substring matches also catch unrelated names, so treat them as leads to investigate rather than verdicts
3. Check running processes for miner names and command-line arguments such as “xmr”, “cpuminer”, “-zpool”, “-epool” and “cgminer”
4. Monitor firewall and web proxy logs for known mining domains such as “coinhive[.]com”
5. Watch for outgoing connections over ports commonly used in mining (3333, 4444 and 8333, for example) and in pool mining (8080 and 443); the latter two also carry ordinary web traffic, so a match there needs corroboration from the other indicators
6. Monitor for signs of persistence (registry Run keys, for example)
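Items 2 to 6 of the checklist amount to a log-review procedure, and the CTA's advice to combine network and endpoint sources is really a point about corroboration. The following Python script is an added illustration, not code from the CTA report or from the article: it runs those five checks over constructed sample log lines (key=value records of the kind a SIEM export might produce; the host names, the domain xmrpool.example.net, the TEST-NET addresses and the file paths are all made up) and weights the hits so that a lone connection to port 443 or a lone Run key does not raise an alert on its own, while a miner command line or a known mining domain does.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicator lists paraphrased from the CTA checklist above. Illustrative only:
# a real deployment would load these from a maintained threat-intel feed.
DNS_KEYWORDS = ("bitcoin", "crypto", "pool", "btc", "coinhive")
MINER_ARGS = ("xmr", "cpuminer", "-zpool", "-epool", "cgminer")
MINING_DOMAINS = ("coinhive.com",)
MINING_PORTS = {3333, 4444, 8333}    # rarely seen in ordinary client traffic
AMBIGUOUS_PORTS = {8080, 443}        # also ordinary web traffic
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Weights: one strong indicator, or three corroborating weak ones, flags a host.
STRONG, WEAK, THRESHOLD = 3, 1, 3

Hit = Tuple[str, str, int]  # (host, reason, weight)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a 'k=v k2="quoted v"' log line into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_dns(lines: List[str]) -> List[Hit]:
    """Item 2: keyword search of DNS logs. Substring matches are noisy
    ('carpool' contains 'pool'), so a hit is only a weak indicator."""
    hits = []
    for rec in map(parse_kv, lines):
        q = rec.get("query", "").lower()
        kw = next((k for k in DNS_KEYWORDS if k in q), None)
        if kw:
            hits.append((rec["host"], f"DNS query {q} contains '{kw}'", WEAK))
    return hits


def check_processes(lines: List[str]) -> List[Hit]:
    """Item 3: miner names or arguments in process command lines (strong)."""
    hits = []
    for rec in map(parse_kv, lines):
        cmd = rec.get("cmd", "").lower()
        arg = next((a for a in MINER_ARGS if a in cmd), None)
        if arg:
            hits.append((rec["host"], f"process matches '{arg}': {cmd}", STRONG))
    return hits


def check_proxy(lines: List[str]) -> List[Hit]:
    """Item 4: known mining domains in firewall / web-proxy logs (strong)."""
    hits = []
    for rec in map(parse_kv, lines):
        dst = rec.get("dst", "").lower()
        if any(dst == d or dst.endswith("." + d) for d in MINING_DOMAINS):
            hits.append((rec["host"], f"proxy request to {dst}", STRONG))
    return hits


def check_connections(lines: List[str]) -> List[Hit]:
    """Item 5: outbound ports. Miner ports are strong; 443/8080 are weak
    because nearly every host talks to them anyway."""
    hits = []
    for rec in map(parse_kv, lines):
        port = int(rec.get("dport", 0))
        reason = f"outbound to {rec.get('dst')}:{port}"
        if port in MINING_PORTS:
            hits.append((rec["host"], reason, STRONG))
        elif port in AMBIGUOUS_PORTS:
            hits.append((rec["host"], reason, WEAK))
    return hits


def check_persistence(lines: List[str]) -> List[Hit]:
    """Item 6: registry Run keys. Legitimate software uses them too, so weak."""
    hits = []
    for rec in map(parse_kv, lines):
        if RUN_KEY_RE.search(rec.get("key", "")):
            hits.append((rec["host"], f"Run key {rec['value']} -> {rec['data']}", WEAK))
    return hits


def score_hosts(hits: List[Hit]) -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    """Sum indicator weights per host and keep the reasons for the analyst."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for host, reason, weight in hits:
        scores[host] += weight
        reasons[host].append(reason)
    return dict(scores), dict(reasons)


def flagged_hosts(hits: List[Hit]) -> List[str]:
    scores, _ = score_hosts(hits)
    return sorted(h for h, s in scores.items() if s >= THRESHOLD)


# Constructed sample logs (not real captures); example.net/.org names and
# TEST-NET addresses are placeholders.
DNS_LOG = [
    "ts=2018-09-12T10:01:02Z host=ws-17 query=xmrpool.example.net type=A",
    "ts=2018-09-12T10:01:05Z host=ws-09 query=carpool.example.com type=A",
    "ts=2018-09-12T10:01:09Z host=ws-22 query=www.example.org type=A",
]
PROC_LOG = [
    r'host=ws-17 pid=4412 cmd="C:\Users\bob\AppData\Roaming\svc\xmrig.exe -o xmrpool.example.net:3333 -u WALLET_ADDRESS"',
    r'host=ws-22 pid=2210 cmd="chrome.exe --type=renderer"',
]
PROXY_LOG = [
    "host=ws-03 dst=coinhive.com uri=/lib/miner.js status=200",
    "host=ws-22 dst=www.example.org uri=/ status=200",
]
CONN_LOG = [
    "host=ws-17 dst=203.0.113.5 dport=3333 proto=tcp",
    "host=ws-22 dst=198.51.100.7 dport=443 proto=tcp",
    "host=ws-09 dst=198.51.100.9 dport=443 proto=tcp",
    "host=ws-22 dst=198.51.100.4 dport=22 proto=tcp",
]
REG_LOG = [
    r"host=ws-17 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater data=C:\Users\bob\AppData\Roaming\svc\xmrig.exe",
    r"host=ws-22 key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=SecurityHealth data=C:\Windows\System32\SecurityHealthSystray.exe",
]


def all_hits() -> List[Hit]:
    return (check_dns(DNS_LOG) + check_processes(PROC_LOG) + check_proxy(PROXY_LOG)
            + check_connections(CONN_LOG) + check_persistence(REG_LOG))


if __name__ == "__main__":
    scores, reasons = score_hosts(all_hits())
    for host in sorted(scores, key=scores.get, reverse=True):
        flag = "FLAG" if scores[host] >= THRESHOLD else "    "
        print(f"{flag} {host} score={scores[host]}")
        for r in reasons[host]:
            print(f"       - {r}")
```

Run as written, the script flags ws-17 (miner command line, port 3333, a “pool” DNS query and a Run key pointing at the same binary) and ws-03 (a proxy request to coinhive.com), while ws-22 and ws-09 stay below the threshold even though each has a 443 connection and one has a Run key or a “carpool” DNS hit. The weights and threshold are tuning knobs, and the substring indicator lists are deliberately crude; the point is that the weak signals in items 2, 5 and 6 only become actionable when they corroborate each other or a strong one.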
Successfully mitigating cryptojacking typically requires a combination of strategies rather than any single one. For example, a 2018 paper by a team of researchers at Fudan University, Tsinghua University and the University of California-Riverside reported that blacklists such as NoCoin and MinerBlock generally detect less than 51 per cent of malicious attacks. To improve browser defences, developers are also looking at other protections such as client-side script throttling and warnings for excessively resource-intensive scripts, note researchers from Concordia University and Bad Packets Report.
“Network defenders have a real opportunity to disrupt threat actors that rely on illicit mining operations to generate revenue,” the CTA said in its report. Because the payoff for any one cryptojacked device is generally low, it noted, some attackers might eventually reach “a point of diminishing returns”.
“Thus, proper improvements in security may actually drive malicious actors to abandon mining altogether,” the report concluded. “Even better, making these basic improvements will also increase your defences against other malicious actors that seek to steal or manipulate data or disrupt business processes.”