What You Need to Know About Cryptojacking and How to Protect Against It
Cryptocurrency mining has grown both as a topic of interest and as an activity as cryptocurrency usage has expanded rapidly over the last few years. Today it is hard to open a technology news feed without seeing articles on cryptocurrency and blockchain. So, let's talk about the history of cryptocurrency, how cryptomining works, how companies can defend against cryptomining attacks and, finally, how Infoblox can protect organizations from the financial impact of a cryptomining attack.
Bitcoin, introduced in 2009, was the first cryptocurrency; it provides a decentralized method for making digital transactions. Today there are over 900 such currencies, including Bitcoin, Bitcoin Cash, Ethereum, DigitalNote, LiteCoin and PotCoin. In simple terms, cryptocurrencies allow users to make secure payments without going through a bank or using cash.
What is Cryptojacking?
We have all heard of carjacking and hijacking. In both offenses, a victim's valuable resource is forcibly taken by bad actors for their own purposes. We now have cryptojacking: cybercriminals taking over computers and smartphones in order to use their CPU power to mine cryptocurrency for themselves.
Cybercriminals infect victims' computers and smartphones with malware that uses the device's CPU to mine cryptocurrency, with the proceeds directed to a wallet controlled by the attacker. The attack is not easy to detect: aside from the fan running harder and a higher energy bill, cryptojacking does not make itself obvious, and an average victim will not worry much if a computer is noisier and draws more power than usual. According to Mike McLellan, a senior security researcher at the SecureWorks Counter Threat Unit, cryptocurrency mining represents a good return on investment and a low-risk way of achieving it, because it leaves the user unaware that their machine is infected with malware; rather than extracting payment in one quick hit like ransomware, the operation can be sustained for a long period of time.

It also does not matter to the attacker where in the world the victim is located, which gives the attacker a huge target market. The code behind cryptojacking malware is relatively simple, and it can be delivered via phishing campaigns, malvertising, compromised websites or even software downloads. Once on a system, the game is all about not getting caught. Enterprises have various security tools to protect against theft of enterprise data, but cryptomining is stealthier and harder to detect, and it can still have a detrimental financial impact: if the mining software infects data center or cloud infrastructure, it drives up the electricity bill (or the compute bill in the cloud). It also hurts productivity and performance by slowing down servers and other computers.
How cryptojacking works:
Almost every cryptocurrency runs on a blockchain: a shared ledger duplicated across a network of computers. The process by which transactions are verified and added to this public ledger, and by which new bitcoin are released, is called bitcoin mining. The updated ledger is distributed and made available to all holders of the cryptocurrency, so every transaction ever made and the ownership of every unit in circulation is recorded in the blockchain. Each time a transaction is made, a miner is responsible for verifying it and updating the blockchain with it. Since no intermediary such as a bank is involved, transactions are difficult to tax. The identities of the buyer and seller are not revealed, although every transaction is visible to everyone on the blockchain network. Though mining is popular and open to anyone, it is not economical for a small-scale operation unless you have access to cheap electricity: an underpowered setup spends more on electricity than it earns from mining, which is exactly why an attacker prefers to run the miner on someone else's hardware and power.
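To show what "performing the work" actually means for a miner, and why it burns CPU time and electricity, here is an added example that is not part of the original post. It is a toy Bitcoin-style proof of work: double SHA-256 over an opaque header plus a nonce, with difficulty simplified to "at least N leading zero bits" rather than the real target encoding. The header bytes are a constructed sample, not a real block.

```python
import hashlib
import struct
import time


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce (Bitcoin-style). The header is opaque here."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte digest."""
    value = int.from_bytes(digest, "big")
    return 256 - value.bit_length()  # bit_length() of 0 is 0, so all-zero gives 256


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the nonce until the hash has difficulty_bits leading zero bits.

    Returns (nonce, hashes_tried). Expected work is about 2**difficulty_bits hashes;
    there is no shortcut, which is why miners want as many CPUs as possible.
    """
    for nonce in range(max_nonce):
        if leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits:
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs exactly one hash, however many the miner burned."""
    return leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits


def expected_hashes(difficulty_bits: int) -> int:
    """Mean number of hashes needed at a given difficulty."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = b"constructed-block-header-v1"  # constructed sample, not a real block
    for bits in (8, 12, 16):
        start = time.perf_counter()
        nonce, tried = mine(header, bits)
        elapsed = max(time.perf_counter() - start, 1e-9)
        print(f"difficulty {bits:2d} bits: nonce={nonce} hashes={tried} "
              f"(expected ~{expected_hashes(bits)}) in {elapsed:.3f}s, "
              f"{tried / elapsed:,.0f} H/s, verify={verify(header, nonce, bits)}")
```

Each additional bit of difficulty doubles the expected hashing, while checking a submitted result stays a single hash. That asymmetry is the whole economics of cryptojacking: the attacker keeps the cheap verification and the reward, and the victim pays for the expensive search.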
Defending against Cryptomining Attack
Since cryptomining can target desktop, server, mobile and IoT devices, and the attackers do not try to steal data, detecting a cryptomining attack can be tricky. To mine cryptocurrency the miner must communicate with the attacker's infrastructure (typically a mining pool) to fetch work and report results, so the most practical way to detect an attack is to monitor network traffic for unusual activity. Unfortunately, mining messages are very short and malware authors use a variety of techniques to hide them, so it is difficult to distinguish mining traffic from legitimate traffic. One usable difference is direction: normal web traffic consists of a short request and a long response, whereas mining traffic tends to have short incoming messages (work assignments) and more outgoing traffic (submitted results), sustained over long-lived connections. Another approach is anomaly detection at the network level, which can capture subtle deviations in the behavior of any of your computers. In either case, look at multiple behaviors before flagging a computer or a connection as possibly under cryptomining attack.
Here are three ways users can protect themselves from becoming a victim of the attack:
- Install the No Coin browser extension: No Coin is a browser extension that provides a safe and reliable way to block coin miners from using your CPU and power without your consent.
- Keep an eye on CPU spikes: a sudden spike in CPU usage, or a web page that takes much longer than usual to load, might indicate a cryptomining attack.
- Use antivirus protection: antivirus software can detect the malware and prevent it from infecting the system.
Use Infoblox to Protect Against Cryptomining Attack
Mining typically involves running some sort of mining software (code), acquiring a workload (the block of data to work on), performing the work, and communicating the results. Not all cryptocurrency activity is bad and not all mining is malicious. There are a number of ways the mining code can get onto a machine, including:
- Legitimate software downloaded by an authorized user
- Malware installed by a threat actor
- In-browser miners, which could be accepted by an authorized user or run surreptitiously
Not all cryptocurrency or mining activity requires DNS, but where it does, DNS can help to identify, detect and mitigate it at several points:
- Download of the mining software from known repositories
- Communication with mining pools
- Malware downloads
- Malware C2
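To make the detection ideas on this page concrete (the short-in, long-out traffic shape and long-lived connections from the "Defending against Cryptomining Attack" section, plus the DNS signals listed just above), here is an added example that is not part of the original post and is not Infoblox product code. It scores internal hosts on several independent behaviors over constructed, Zeek-like connection and DNS query logs, and flags a host only when at least two of them agree. The log layout, the stratum port list, the pool-name regex and the watchlist domain are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs for this example (not real captures). The connection
# log mimics a subset of Zeek conn.log fields:
#   ts  src  sport  dst  dport  proto  duration_s  orig_bytes  resp_bytes
CONN_LOG = """\
1.0 10.0.0.5 51000 93.184.216.34 443 tcp 12.5 1200 48000
2.0 10.0.0.7 49152 203.0.113.9 3333 tcp 3600.0 52000 18000
3.0 10.0.0.7 49153 203.0.113.9 3333 tcp 3590.0 51000 17500
4.0 10.0.0.9 52000 198.51.100.2 443 tcp 2400.0 900000 300000
5.0 10.0.0.5 51001 93.184.216.34 80 tcp 3.1 800 20000
"""
# Constructed DNS query log:  ts  src  query
DNS_LOG = """\
1.5 10.0.0.7 xmr-eu1.pool.example-mining.test
1.6 10.0.0.5 www.example.com
4.5 10.0.0.9 backup.example.org
"""

# Assumptions for this example: ports commonly used by stratum mining pools, a
# crude pool-name heuristic, a hypothetical watchlist domain, and a threshold
# for what counts as a long-lived session.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
POOL_NAME_RE = re.compile(r"(^|\.)(xmr|monero|pool|stratum|mine|miner)[\w-]*\.", re.I)
POOL_WATCHLIST = {"pool.example-mining.test"}
LONG_FLOW_SECONDS = 600.0


def parse_conn(text):
    """Parse the whitespace-separated connection log into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _sport, dst, dport, proto, dur, ob, rb = line.split()
        rows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto,
                     "duration": float(dur), "orig_bytes": int(ob),
                     "resp_bytes": int(rb)})
    return rows


def parse_dns(text):
    """Parse the DNS query log into (source host, normalized query name)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, query = line.split()
        rows.append((src, query.lower().rstrip(".")))
    return rows


def is_pool_name(name):
    """True if the name is on the watchlist or merely looks like a mining pool."""
    name = name.lower().rstrip(".")
    on_watchlist = any(name == d or name.endswith("." + d) for d in POOL_WATCHLIST)
    return on_watchlist or bool(POOL_NAME_RE.search(name + "."))


def score_hosts(conn_rows, dns_rows):
    """Collect independent cryptomining signals per internal source host."""
    signals = defaultdict(set)
    for r in conn_rows:
        if r["proto"] != "tcp":
            continue
        if r["dport"] in STRATUM_PORTS:
            signals[r["src"]].add("stratum_port")
        # The traffic shape described in the post: a long-lived session in which
        # the client sends more than it receives (results out, small jobs in).
        if r["duration"] >= LONG_FLOW_SECONDS and r["orig_bytes"] > r["resp_bytes"]:
            signals[r["src"]].add("long_outbound_heavy_flow")
    for src, query in dns_rows:
        if is_pool_name(query):
            signals[src].add("pool_dns_lookup")
    return {host: sorted(s) for host, s in signals.items()}


def flagged_hosts(signals, min_signals=2):
    """Flag a host only when several behaviors agree, to limit false positives."""
    return sorted(h for h, s in signals.items() if len(s) >= min_signals)


if __name__ == "__main__":
    sig = score_hosts(parse_conn(CONN_LOG), parse_dns(DNS_LOG))
    for host, s in sorted(sig.items()):
        print(host, s)
    print("flagged:", flagged_hosts(sig))
```

In the sample data, 10.0.0.7 trips all three signals and is flagged, while 10.0.0.9 only matches the long, upload-heavy flow rule (a backup job looks the same on the wire) and is not. Likewise the name heuristic alone would match innocent names such as pool.ntp.org, which is why no single signal is enough and a curated indicator list, as in the next paragraph, is far more precise than a regex.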
Infoblox ActiveTrust detects cryptojacking by identifying command and control (C2) communication using curated indicators of compromise (IoCs). We will continue to train our machine learning models on the DNS data we have, and will collect, to find statistical patterns that may exist in cryptojacking activity.
The Cryptocurrency detector does not determine whether the intent behind each detected domain is malicious, with the exception of the GenericThreat and Cryptojacking properties, which should be blocked to prevent a network compromise. Whether to block indicators from the other properties should depend on each organization's internal policy regarding cryptomining.