Cryptocurrency mining attacks have skyrocketed in the last year. The Cyber Threat Alliance reported a 459 percent increase in cryptominer detections from 2017 through 2018, demonstrating they have rapidly become one of the most in-vogue forms of attack.
With this momentum, it not only becomes critical to understand the potential impact of cryptomining today, but also what it could become if used to destabilize economies, fuel nation-state actor revenue, or to simply redirect processing power into decrypting files.
Although this form of threat is relatively new, it should not be underestimated. Cryptomining shows no sign of stopping given the escalating value and number of cryptocurrencies available, from bitcoin, Monero, Ethereum, Zcash and Litecoin to hundreds of others.
The cryptocurrency boom has encouraged attackers to expand their focus from other methods such as utilizing malware to steal data and impose ransoms or launching a disruptive DDoS attack, to employing tools and techniques to gain access to the computing power of enterprises to generate cryptocurrency payouts.
Cryptomining attacks are becoming more attractive since they require limited effort to generate revenue and are much simpler to execute to achieve a large payday vs. ransomware, which requires an organization to agree to pay threat actors. Buyer/seller marketplaces make it easy to facilitate offers in bitcoin for the processing power.
These markets will automatically switch the seller's hashing power to mine for the buyer with the highest offer, making it simple to complete hashing power financial transactions. To execute a cryptomining attack, all that is required is access to commodity malware, browser-based exploit kits, some computer processing power, and electricity (stolen or legitimate).
This threat is likely to escalate as enterprises embrace blockchain technologies to conduct business operations. Additionally, illicit mining outside of cryptocurrencies may also create additional risks that enterprises will need to mitigate.
Cryptomining attacks not only drain resources and raise electrical bills but can also significantly damage critical IT infrastructure. Equally important, the presence of a cryptomining attack may indicate other flaws in the organization’s security controls, which, if left open, present opportunity for a much larger attack.
Although cryptomining can be done legally with legitimate apps like XMRig, CGminer and MultiMiner or web browser scripts like Coinhive, JSECoin and Crypto-Loot, we will focus on the more illicit examples and cryptojacking-based activities.
The attack starts with cryptojacking, which is the unauthorized use of another person's machine to mine cryptocurrency. Attackers will use a compiled executable program or application that runs on a device (binary-based mining). When anyone on the network opens the file, the malware immediately begins scanning for machines vulnerable to the exploit. Once infected, the machines retrieve and use an app like XMRig binary to mine for bitcoin. Popular payloads include PyRoMine, Adylkuzz and Smorinru and exploit kits like EternalRomance.
They can also use JavaScript code that runs entirely within the browser (browser-based mining) to create access and launch a coinminer, injecting it into a website or online ad. When a victim browses the site, the script launches the coinminer on the person’s endpoint or a network. Organizational resources are then diverted to support the cryptojacker's mining operation.
Interestingly, on Sept. 25, a public search via PublicWWW reflected more than 19,000 websites with CoinHive source code. It is unclear how many of these are publicly known versus in secret. One must note that even reputable companies like Showtime attempted to secretly mine user CPU for cryptocurrency, impacting anyone who visited its website, but stopped given the negative attention it received.
With either method, these attacks are typically inexpensive for the actor to conduct and can easily scale across large enterprises or be applied to multiple victims. Often these attackers will also use group or “pool” mining to aggregate processing power to mine coins and gain a greater payout.
