Cryptojacking

Introduction:

Mining for cryptocurrencies is an ever more complex task that consumes more and more energy resources and computing power. Cryptocurrency mining, or cryptomining, is simply the way in which cryptocurrency is earned. Individuals mine cryptocurrency by using cryptomining software to solve complex mathematical problems involved in validating transactions. Each solved equation verifies a transaction and earns a reward paid out in the cryptocurrency. Solving cryptographic calculations to mine cryptocurrency requires a massive amount of processing power. This is exactly why hackers have found a way to make it easier for themselves: they get onto other people's computers and put them to work, consuming those computers' resources to mine cryptocurrencies.

Cryptojacking occurs when malicious cyber actors exploit vulnerabilities—in webpages, software, and operating systems—to illicitly install cryptomining software on victim devices and systems. With the cryptomining software installed, the malicious cyber actors effectively hijack the processing power of the victim devices and systems to earn cryptocurrency. Additionally, malicious cyber actors may infect a website with cryptomining JavaScript code, which leverages a visitor’s processing power via their browser to mine cryptocurrency.

How do you know if your computer is being used for cryptojacking?

Cryptojacking may result in the following consequences to victim devices, systems, and networks:

  • Degraded system and network performance because bandwidth and central processing unit (CPU) resources are monopolized by cryptomining activity;
  • Increased power consumption, system crashes, and potential physical damage from component failure due to the extreme temperatures caused by cryptomining;
  • Disruption of regular operations; and
  • Financial loss due to system downtime caused by component failure and the cost of restoring systems and files to full operation as well as the cost of the increased power consumption.

Cryptojacking involves maliciously installed programs that are persistent or non-persistent. Non-persistent cryptojacking usually occurs only while a user is visiting a particular webpage or has an internet browser open. Persistent cryptojacking continues to occur even after a user has stopped visiting the source that originally caused their system to perform mining activity.

How can cryptojacking make its way onto your computer?

There are several possible ways that cryptojacking can end up on your devices, but the most common are the following:

1. Malware. A cybercriminal can install malware on your computer that is capable of taking over the device, making CPU usage soar, and starting to mine cryptocurrencies, without you ever finding out.

2. Websites and browsers. This practice is becoming more and more common: certain websites take advantage of their users' Internet connections without telling them, putting them to work mining cryptocurrencies, thus tricking these users into allowing third parties to use their computers.

Recommendations:

If you’re worried that cryptojacking could take over your company, we’ve provided some tips on how to avoid it:

  1. Analyze your resources. All operating systems have some kind of tool similar to System Monitor that analyzes the resources that are being consumed by your company’s computers at all times. Keep track of this to make sure there is no unusual activity.
  2. Processor overheating. Sometimes you won’t even have to resort to System Monitor: if you notice that a computer is suddenly malfunctioning or its processor is overheating, you may well have a problem of this type.
  3. Be careful with your browser. If you suspect that cryptojacking is getting in via websites, install plugins to block these sites on your browser. You can also check which websites are using this practice on Whoismining.
  4. Use and maintain antivirus software. Antivirus software recognizes and protects a computer against malware, allowing the owner or operator to detect and remove a potentially unwanted program before it can do any damage.
  5. Keep software and operating systems up-to-date. Install software updates so that attackers cannot take advantage of known problems or vulnerabilities.
  6. Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters.
  7. Change default usernames and passwords. Default usernames and passwords are readily available to malicious actors. Change default passwords, as soon as possible, to a sufficiently strong and unique password.
  8. Check system privilege policies. Review user accounts and verify that users with administrative rights have a need for those privileges. Restrict general user accounts from performing administrative functions.
  9. Be wary of downloading files from websites. Avoid downloading files from untrusted websites. Look for an authentic website certificate when downloading files from a secure site.
  10. Disable unnecessary services. Review all running services and disable those that are unnecessary for operations. Disabling or blocking some services may create problems by obstructing access to files, data, or devices.
  11. Uninstall unused software. Review installed software applications and remove those not needed for operations. Many retail computer systems with pre-loaded operating systems come with toolbars, games, and adware installed, all of which can use excessive disk space and memory. These unnecessary applications can provide avenues for attackers to exploit a system.
  12. Validate input. Perform input validation on internet-facing web server and web applications to mitigate injection attacks. On web browsers, disable JavaScript execution. For Microsoft Internet Explorer, enable the cross-site scripting filter.
  13. Install a firewall. Firewalls may be able to prevent some types of attack vectors by blocking malicious traffic before it can enter a computer system, and by restricting unnecessary outbound communications. Some device operating systems include a firewall. Enable and properly configure the firewall as specified in the device or system owner’s manual.
  14. Create and monitor blacklists. Monitor industry reports of websites that are hosting or distributing malware, or being used for malware command and control. Block the internet protocol addresses of known malicious sites to prevent devices from being able to access them.
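The symptom listed first above (CPU resources monopolized by mining) and recommendation 1 (analyze your resources) both come down to the same check: a process that keeps the CPU pinned for the whole observation window, rather than spiking once the way a compiler or a backup job does. The following script is an added example and is not code from the original advisory or any of the referenced sources. It parses `ps -eo pid,pcpu,comm` output (Linux/macOS; the threshold, the sample count and the sample data are assumptions chosen for the demonstration) and reports only processes above the threshold in every one of the last few samples.

```python
"""Flag processes whose CPU use stays high across consecutive samples.

Added example (not from the original advisory). A single spike is
normal; a miner keeps the CPU pinned for the whole sampling window, so
every sample in the window must exceed the threshold before we report.
"""
import subprocess
import time

# Threshold and window length are assumptions chosen for this example.
CPU_THRESHOLD = 80.0      # percent of one core, as reported by ps
REQUIRED_SAMPLES = 3      # consecutive samples that must all exceed it


def parse_ps(output):
    """Parse `ps -eo pid,pcpu,comm` output into {pid: (cpu, command)}."""
    procs = {}
    for line in output.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, comm = parts
        try:
            procs[int(pid)] = (float(cpu), comm)
        except ValueError:
            continue  # header row or malformed line
    return procs


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD,
                       required=REQUIRED_SAMPLES):
    """Return [(pid, command, min_cpu)] for processes at or above
    `threshold` in each of the last `required` samples.
    `samples` is a list of ps outputs, oldest first."""
    if len(samples) < required:
        return []
    window = [parse_ps(s) for s in samples[-required:]]
    suspects = []
    for pid, (cpu, comm) in window[-1].items():
        readings = [snap[pid][0] for snap in window if pid in snap]
        # Require the process to be present and hot in every sample.
        if len(readings) == required and min(readings) >= threshold:
            suspects.append((pid, comm, min(readings)))
    return sorted(suspects)


def sample_live(interval=5, count=REQUIRED_SAMPLES):
    """Collect real samples from the local host (needs a POSIX `ps`)."""
    out = []
    for _ in range(count):
        out.append(subprocess.run(["ps", "-eo", "pid,pcpu,comm"],
                                  capture_output=True, text=True).stdout)
        time.sleep(interval)
    return out


# Constructed samples for offline demonstration: PID 4242 stays pinned,
# PID 1337 spikes once and then idles, PID 1 idles throughout.
CONSTRUCTED_SAMPLES = [
    "  PID %CPU COMMAND\n    1  0.1 init\n 1337 95.0 compiler\n 4242 97.3 updater\n",
    "  PID %CPU COMMAND\n    1  0.0 init\n 1337  3.2 compiler\n 4242 98.1 updater\n",
    "  PID %CPU COMMAND\n    1  0.2 init\n 1337  0.5 compiler\n 4242 96.8 updater\n",
]

if __name__ == "__main__":
    # Replace CONSTRUCTED_SAMPLES with sample_live() to check a real host.
    for pid, comm, cpu in sustained_high_cpu(CONSTRUCTED_SAMPLES):
        print(f"sustained high CPU: pid={pid} cmd={comm} min={cpu:.1f}%")
```

The point of the window is to cut false positives: with the constructed data only PID 4242 is reported, because PID 1337 drops back to idle after the first sample. A hit is a starting point for triage (where the binary lives, who started it, whether it is a known application), not proof of mining on its own.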
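Recommendation 14 has two halves: matching what your hosts actually connected to against a list of known-bad addresses, and turning that list into blocking rules. The following script is an added example and is not code from the original advisory. The log format, the blocklist entries (documentation address ranges, not real indicators) and the Linux iptables output are all assumptions made for the demonstration; the rules are returned as strings and not executed.

```python
"""Match outbound connection records against a blocklist and render the
blocklist as firewall rules. Added example, not from the original
advisory; log lines and addresses are constructed for this demonstration."""
import ipaddress
import re

# Constructed blocklist using documentation ranges (not real indicators).
# Entries may be single addresses or CIDR ranges, IPv4 or IPv6.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.7", "2001:db8::/32"]

# Constructed firewall/proxy log lines: timestamp, source host, destination.
LOG_LINES = [
    "2024-05-01T10:00:01Z src=ws-17 dst=203.0.113.45:3333 proto=tcp",
    "2024-05-01T10:00:02Z src=ws-17 dst=192.0.2.10:443 proto=tcp",
    "2024-05-01T10:00:03Z src=srv-02 dst=198.51.100.7:14444 proto=tcp",
    "2024-05-01T10:00:04Z src=srv-02 dst=[2001:db8:1::9]:443 proto=tcp",
    "malformed line with no destination",
]

# IPv6 destinations are bracketed, IPv4 are bare; both carry a port.
DST_RE = re.compile(r"dst=(?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>[0-9.]+)):\d+")


def load_blocklist(entries):
    """Normalise single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def extract_dst(line):
    """Return the destination address of a log line, or None if absent."""
    m = DST_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group("v6") or m.group("v4"))


def match_blocklist(lines, blocklist):
    """Return (line_no, src, dst, matched_entry) for every line whose
    destination falls inside a blocklist entry."""
    nets = load_blocklist(blocklist)
    hits = []
    for n, line in enumerate(lines, 1):
        dst = extract_dst(line)
        if dst is None:
            continue  # unparsable line: skip rather than crash
        src_m = re.search(r"src=(\S+)", line)
        src = src_m.group(1) if src_m else "?"
        for net in nets:
            if dst.version == net.version and dst in net:
                hits.append((n, src, str(dst), str(net)))
                break
    return hits


def iptables_rules(blocklist):
    """Render the blocklist as Linux iptables/ip6tables OUTPUT drop rules
    (assumption: a Linux host; rules are returned, not executed)."""
    rules = []
    for net in load_blocklist(blocklist):
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -A OUTPUT -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    for n, src, dst, entry in match_blocklist(LOG_LINES, BLOCKLIST):
        print(f"line {n}: {src} -> {dst} matches blocklist entry {entry}")
    print("\n".join(iptables_rules(BLOCKLIST)))
```

Using `ipaddress` rather than string comparison means a single blocklist handles both individual addresses and whole ranges, and the version check keeps an IPv4 entry from ever being tested against an IPv6 destination. With the constructed data, lines 1, 3 and 4 are reported and line 2 (a destination outside the list) is not.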

References:

US-CERT Security Tip ST18-002, Defending Against Illicit Cryptocurrency Mining Activity: https://www.us-cert.gov/ncas/tips/ST18-002
CERT-EU Security Advisory 2017-024, Increased Use of Browser Cryptojacking: https://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-024.pdf
Panda Security, Everything you need to know about cryptojacking: https://www.pandasecurity.com/mediacenter/security/cryptocurrency/