By Immanuel Chavoya, Emerging Threat Detection Expert
The popularity of cryptocurrencies has increased, not only in their overall market value but also in the number of people looking to digital currencies to generate totally independent revenue. While some do this through investing and selling cryptocurrency directly, others are turning to transaction processing (cryptomining) to turn a profit.
While mining for crypto is a legitimate form of income, bad actors have begun to use a variety of tactics concerning cryptomining to gain direct access to other individuals’ and organisations’ devices, servers and networks. Cryptojacking is malware that infects a device to syphon off the server’s processing power to mine for crypto; once inside the server, the hacker can then use this access to reach data pertaining to the network.
This global phenomenon known as cryptojacking is not only illegally accessing networks, but also using crypto mining as an alternative method of infecting devices with malware and syphoning off data.
The emerging global threat, while in its infancy, is posing an increasingly significant risk to key industries such as retail, healthcare and financial services. Immediate awareness and action are required to ensure that organisations and sensitive information remain secure and protected.
Breaking down cryptojacking
Cryptomining is a legitimate method for obtaining cryptocurrency by validating transactions in a blockchain network. However, making a profit from this requires the miner to validate a substantial number of transactions, with each one taking around 10 minutes to process a single block of currency. Because of this, bad actors are resorting to illegitimate means to speed up the mining process by hacking into other people’s devices to syphon off their processing power and electricity. This is known as cryptojacking.
When a person’s computer is cryptojacked, the bad actor fraudulently accesses the device and drains its processing power, effectively turning it into a zombie that mines for crypto. The most worrying part of this is that the infected device will display minimal signs that it has been compromised, resulting in many victims being unaware that they have lost control of their device. Often the bad actor will deliver the miner using traditional malware techniques, such as an infected pop-up box or a phishing link.
The specific nature of the malware used by the hackers makes it difficult for security measures to recognise that the device is under threat, meaning that security practitioners must implement stronger provisions. This includes regularly reviewing Central Processing Unit (CPU) utilisation logs, to ensure devices are secured on all levels. This is usually conducted by the site reliability engineers, who would notice an alteration in the system and increase security in response to it.
On the rise
The most worrying aspect of cryptojacking is the sheer volume at which the attacks are accelerating. Over the past two years, hackers have been increasing the scale of their attacks, not only in terms of the number of victims but also in the size of the networks.
This type of attack is no longer reserved for individual owners of devices, now it has become an ever-accelerating phenomenon targeting large server networks.
Workspaces such as schools, hospitals and businesses make for perfect mining farms, as their reliance on connected servers allows hackers to infiltrate a single device with a vast number of networks or servers attached. When a cryptojacker enters an institution’s network, the malware spreads across it, syphoning power off the server, searching through all its data, and consistently evolving to become smarter. For instance, botnets like Sysrv-k search for SSH keys (credentials for Secure Shell, a network protocol that gives users a secure way to access a device over an unsecured network); as cryptojacking threats evolve in the same way, they look for methods to spread laterally and find more compute endpoints on which to deploy and mine crypto. Using this method, when a bad actor assumes control of an entire network, they then have the capacity to remove or leak sensitive information, or can shut down the entire network.
The vast increase in large-scale attacks is evidenced by a leading threat report that finds that cryptojacking has soared by 30% globally since June 2021. Some experts have attributed this sharp incline to the clampdown on ransomware in recent years, making it more difficult for hackers to infiltrate the system, resulting in a change in tactics. This can be seen in the growth of new malware variants such as Shikitega. Experts also note that in comparison to ransomware, now a widely recognised threat that many businesses defend against and monitor, cryptojacking is lower-risk and requires no interaction with its victim, making it a more attractive business strategy.
Cryptojacking attacks targeting the industry
As cryptojacking attacks have accelerated globally, they have also overwhelmingly been targeting certain industries. The sectors that have disproportionately been hit by cryptojacking attacks are retail and finance, as a recent report finds that in the past year attacks skyrocketed by 63% and 269% respectively.
When one considers the sheer number of servers and processors involved in businesses such as these, all belonging to the same network, cryptojacking would have a significant impact on the processing power of the entire system, ultimately leading to a productivity slowdown as the hacker assumes greater control over the network. Furthermore, major cryptojacking attacks on industries pose a significant security risk to businesses, as the hacker has the capacity to infiltrate the network undetected, accessing the whole network and its data, and then syphoning off power and data at will.
Lines of defence
There are, however, ways in which companies can better defend themselves from these cyber criminals. Through the implementation of secure firewalls, businesses can defend their networks and devices against bad actors attempting to launch cryptojacking attacks. Firewalls provide a ‘stop at the gate’ perimeter defence, that can detect any potential malware attacks by scanning for any existing malware variants, their components and anything related to them.
Implementing a multi-layered approach to endpoint protection ensures that all data entering the network is thoroughly sifted, to stop any malware from entering the device. This second layer of defence can also be implemented to run behavioural analysis within the network to ensure that no malware managed to successfully squeeze into the system. If any malware is identified, it can be quarantined and shut down, so that the bad actor cannot spread across the network. This second layer uses advanced sandboxing techniques and Real-Time Deep Memory Inspection technology (RTDMI), running deep diagnostics to identify and remove any malware. Implementing both security layers will allow organisations to detect and mitigate any harmful cryptojacking attempts, to ensure the network remains secure and fast.
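The behavioural-analysis layer described above can be illustrated with a small heuristic detector. The example below is added here and is not code from the article or from any product it mentions; the telemetry rows, host and process names are constructed, the CPU threshold and sustained-run length are assumed tuning values, and the list of mining-pool ports is illustrative rather than exhaustive. It flags a process whose CPU stays pegged for several consecutive minutes (the drain the article describes) and raises the severity when that process also opens a connection to a typical stratum pool port.

```python
from collections import defaultdict

# Constructed telemetry rows (not from the article): one row per 60 s sample
# emitted by a hypothetical endpoint agent: (ts, host, process, cpu_pct, dst_port)
# dst_port is None when the process opened no new outbound connection that minute.
SAMPLES = [
    (0,   "ws-01", "kthreadd-helper", 96.0, None),
    (60,  "ws-01", "kthreadd-helper", 97.5, 3333),
    (120, "ws-01", "kthreadd-helper", 98.0, None),
    (180, "ws-01", "kthreadd-helper", 95.0, None),
    (240, "ws-01", "kthreadd-helper", 99.0, None),
    (300, "ws-01", "kthreadd-helper", 97.0, None),
    (0,   "ws-02", "cc1plus",         90.0, None),
    (60,  "ws-02", "cc1plus",         92.0, None),
    (120, "ws-02", "cc1plus",         88.0, None),
    (180, "ws-02", "cc1plus",         12.0, None),
    (0,   "ws-03", "ffmpeg",          91.0, None),
    (60,  "ws-03", "ffmpeg",          93.0, 443),
    (120, "ws-03", "ffmpeg",          90.0, None),
    (180, "ws-03", "ffmpeg",          94.0, None),
    (240, "ws-03", "ffmpeg",          92.0, None),
]

CPU_THRESHOLD = 85.0   # assumed: per-sample CPU percentage treated as "pegged"
MIN_SUSTAINED = 5      # assumed: consecutive pegged samples (5 min at 60 s) before alerting
POOL_PORTS = {3333, 4444, 5555, 14444}  # illustrative stratum mining-pool ports

def longest_pegged_run(cpu_values):
    """Length of the longest run of consecutive samples at or above CPU_THRESHOLD."""
    best = cur = 0
    for v in cpu_values:
        cur = cur + 1 if v >= CPU_THRESHOLD else 0
        best = max(best, cur)
    return best

def find_suspects(samples):
    """Return {(host, process): severity} for processes showing miner-like behaviour."""
    by_proc = defaultdict(list)
    for ts, host, proc, cpu, port in samples:
        by_proc[(host, proc)].append((ts, cpu, port))
    suspects = {}
    for key, rows in by_proc.items():
        rows.sort()  # order samples by timestamp before looking for runs
        run = longest_pegged_run([cpu for _, cpu, _ in rows])
        if run < MIN_SUSTAINED:
            continue  # short bursts (compiles, encodes) are normal and not reported
        talks_to_pool = any(port in POOL_PORTS for _, _, port in rows)
        suspects[key] = "high" if talks_to_pool else "medium"
    return suspects
```

A "medium" finding such as the constructed ffmpeg case is a candidate for review rather than an automatic block, since legitimate long-running workloads also peg the CPU; the pool-port signal is what separates the two in this heuristic.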
As the popularity of cryptocurrency has soared in the past few years, it was only a matter of time before the bad actors jumped on the bandwagon, searching for illegitimate ways to turn a profit. However, the sheer volume of attacks and their ramifications have accelerated beyond expectations and now businesses must wake up to the reality of these attacks and act accordingly to stay protected. Fortunately, there are clear steps businesses can take to stay ahead of the game.