A slew of cyber security reports identify illicit cryptocurrency mining or cryptojacking as one of the most popular and fastest-growing forms of cyber criminal activity, with many containing warnings for business.
Cyber criminals are cashing in on the growing popularity of cryptocurrencies, and because cryptojacking is an easy, low-risk way for them to make money, the practice is only expected to grow.
According to the latest cyber threat index report by security firm Check Point, cryptojacking malware has grown considerably in recent months, affecting 42% of organisations worldwide in February.
This month, researchers at Imperva reported the discovery of a cryptojacking attack they said is more complex than its forerunners in terms of evasion techniques and capabilities, and which heralds a new generation of cryptojacking attacks that are aimed at both database servers and application servers.
Although some recently-discovered cryptojacking campaigns have compromised websites to hijack the computing resources of visitors to those sites temporarily through their browsers, corporate servers offer more computing power and are a much more attractive target.
Although businesses need to be aware of both types of cryptojacking attack because website compromises could lead to brand damage and affect web-based services, cryptojacking attacks that target corporate servers arguably represent the greater risk.
The main aim of cryptojacking is to hijack computing power to carry out the calculations required to generate cryptocurrencies, but that does not mean there is not a significant impact on the business.
The most obvious effect is that businesses may experience a slowdown in responses from their servers and there may be some availability issues because of illicit cryptocurrency mining activity, causing costly downtime, especially to online businesses.
However, security experts point out that the operators of these illicit cryptocurrency mining activities are focused on generating funds for their cyber criminal operations without attracting attention. As a result, illicit cryptocurrency mining and associated malware are typically designed to operate unseen, avoid detection for as long as possible, and cause the least possible disruption.
Increased power consumption
For this reason, most illicit cryptocurrency mining takes place outside business hours, and the most obvious impact of this is increased power consumption as servers will be running 24 hours a day.
This, in turn, has an impact on the performance of processors during business hours and can drastically shorten their lifespan due to excessive wear and tear caused by the resource-intensive cryptocurrency mining process. This typically forces targeted organisations to replace their server processors more frequently and drives up hardware costs as processes are continually running at peak performance, with little or no downtime.
But avoiding unnecessarily high power consumption, degraded processor performance and reduced processor lifespans are not the only reasons businesses need to be on the lookout for these attacks.
The important point is that to stay under the radar, cryptojacking attacks are looking for, and finding, increasingly clever and sophisticated ways to bypass security systems and tap into computing resources.
Most cryptojacking attacks involve exploit kits such as the RIG exploit kit for Flash, Java, Silverlight and Internet Explorer, or custom malware that is designed to install some form of cryptocurrency mining software on targeted machines and then transfer the generated funds to cyber criminals’ wallets.
As cyber criminals find ways into organisations for their illicit cryptocurrency mining operations, security experts warn that the criminals are not only identifying weaknesses they could exploit in other ways, but are also establishing footholds within organisations that could be used for other forms of cyber attack.
“It is therefore important for organisations to find out if they have illicit cryptocurrency miners on their systems because that could indicate that attackers have found security vulnerabilities that the company is not aware of or has failed to fix,” said Nathaniel Wallis, security specialist at Axial Systems.
“Cyber criminals who have penetrated organisations’ security to hijack computing resources could change tack and exploit the vulnerabilities used for cryptojacking in another way, such as stealing credentials or data.”
Read more about cryptojacking
At the same time, those vulnerabilities and even the crytojacking malware itself could be exploited by other attackers to carry out a range of cyber crime activities.
“The concern is that if cryptojacking malware is getting in, other types of malware could be finding their way into the organisation exploiting the same vulnerabilities,” said Wallis. “And if cryptojacking malware has got in and acquired some permissions, that malware could be hijacked by other cyber criminals wanting to use those permissions.”
Awareness of cryptojacking is increasing, said Wallis, with most of Axial Systems’ customers in both the public and private sector requesting help to block, detect and eradicate such attacks. However, because most organisations are likely to attribute poor system performance to environmental and other factors, many are unaware that they have been infected with cryptojacking malware.
At the bare minimum, organisations should ensure all their systems are patched up to date, he said, because many cryptojacking attacks are being enabled through exploit kits that provide standard exploits for commonly used business software.
“Failure to patch and poor system configuration, especially where cloud-based services are involved, are among the most common ways organisations are allowing attackers to access business systems and networks,” said Wallis. “I have seen quite big businesses leave cloud services public-facing, when they should have been made private during the configuration process.”
Next, organisations typically need to improve their visibility of what is going on in their network, so that they can identify any activity that is not associated with their core business activities. “If you can’t see what is going on, you can’t protect yourself from anything,” said Wallis.
Full visibility requires a combination of full packet capture and full performance management so that organisations can know what their systems are doing and how they are interacting.
Performance management systems
Performance management systems can be useful in detecting cryptojacking attacks, said Wallis. “In one private sector organisation, it was the performance management system that raised the alarm by highlighting the fact that computer resources were being used during non-business hours,” he said.
“The malware had been designed to remain inactive during peak times, but start cryptomining processes as soon as business hours were over, but this went undetected for a long time until the performance management system was implemented.”
Wallis also recommended monitoring entity behaviour to ensure all systems are working as intended and are implementing network segmentation. “This is one of the most fundamental things that organisations should be doing,” he said.
According to Wallis, organisations that fail to segment their networks and implement rules about what systems are allowed to interact are making it easier for cyber attackers to move laterally across networks without restraint and escalate permissions until they have full control to install and run software.
“There are really no longer any excuses for not segmenting networks because there are many tools available that make it relatively quick and easy,” he said, adding that few organisation would fail to fit and use locks on doors to sensitive areas of the building, and yet many are doing just that in cyber space.
“Just as you have to lock doors to protect people, processes and information, you have to make sure that sensitive data in a network is protected,” said Wallis. “But if you have a flat network, you don’t have that protection because anyone getting access to the network can access anything on that network, including personal data and intellectual property.
“Like patching and good system configuration, segmentation requires some effort, but there are tools to help and if organisations put that effort in, they can get to a good place and make it difficult for cyber criminals to carry out attacks.”
Behaviour analysis systems
As part of a comprehensive, layer-based approach to security, organisations can also consider behaviour analysis systems to identify any anomalous activity on the network, said Wallis. “In this way, organisations will be more likely to see when cyber attackers are trying to download and install cryptominers or transfer cryptocoins to digital currency wallets outside the organisation.”
Ensuring good access controls, monitoring virtual private network access, and carefully managing secure shell (SSH) keys are also good ways to limit and detect cyber criminal activities, he said.
Once illicit cryptocurrency mining operations are detected, it is important for organisations to understand how the malware got in so that the associated security vulnerabilities can be fixed, said Wallis. “Security is a continuous cycle of prevention, detection and improvement when things go wrong,” he added.
The low-risk, high-reward nature of cryptojacking means it is expected to ramp up even further in the coming months, so organisations should be on the lookout for signs of it and, once identified, use it to identify and plug gaps in their cyber security defences.