Security Think Tank: Deal with cryptojacking to avoid security vulnerability

Cryptojacking has come about with the rise of bitcoin and other digital currencies using blockchain. Public blockchain relies on a number of different entities, called miners, to maintain the state of the chain and competitively create new blocks in the chain, for which they are rewarded. 

To prove they are correctly recording transactions in a new block, miners are required to calculate a signature on the new block that meets certain criteria. The only way to do this is by trial and error, adding a random value to the block until a compliant answer is achieved. The first one to achieve this receives a reward of digital currency. This stops the miners cheating, but requires vast amounts of computing power to win the race.

As a result, some have resorted to distributed computing, with or without the permission of the computers’ owners. It has also been proposed that this could be done legitimately, as an alternative revenue source for websites to advertising, and software has been developed for this purpose. This is more prevalent with some of the newer digital currencies, such as monero. Unfortunately, this software is still being used illicitly without the permission of the users visiting some websites.  

Script-based attacks are not in themselves malicious, in that they do not attempt to steal information or cause an overt denial of service, and will stop as soon as the browser or tab are closed. However, they can slow down and increase power consumption on a user’s PC and cause battery drain on mobile devices. 

The simplest way to protect against script-based attacks is to disable JavaScript. However, this is not always desirable. There are blacklist-based add-ons for some browsers, including Firefox and Chrome, that are aimed specifically at blocking cryptojacking, and others have built-in protection against it. There are also a number of ad-blocking programmes that can block crypto miners. However, the sorts of websites that host this software are typically blocked by standard web or DNS filtering systems as undesirable.

More serious cryptojacking incidents attempt to install malware on users’ workstations and on servers. Unlike conventional phishing attacks, this sort of attack would target the most powerful workstations and servers in attempts to install malware. Again, there is no intent to steal data, or to cause an overt denial of service, but in this case, the additional processor usage would be continuous, increasing the power consumption of the servers and that of the air-conditioning trying to cool them. Preventing these attacks requires the same measures as for other malware, such as application whitelisting for servers, network monitoring and anti-virus technology.

However, the most serious threat with cryptojacking is the potential for insider attacks. There have been rising numbers of cases where insiders have used company computers to mine digital currency. Such attacks are typically carried out by employees with high privilege levels, who can introduce mining software and routes to the outside, such as their home PC, and then use or sell the resource to mine digital currency. 

The danger with this is not only the unauthorised use of equipment, but the insecurity caused by opening connections onto the internet and introducing potentially malicious or poorly coded software onto the network. 

Attacks by privileged insiders are more difficult to prevent and detect, because such users can often whitelist software and override anti-virus alerts. These attacks will cause systems to slow down, and cause excessive processing use – particularly out of hours – and probably warming of the server room. These effects are not normally logged, but may be detected by network monitoring picking up illicit connections, particularly when network-based anomaly detection systems are in place. 

In summary, cryptojacking is not necessarily dangerous – in fact, the miners have an interest in keeping your systems up and running. However, it can have secondary effects, such as impacting performance and creating vulnerabilities. For the most part, it is easy to deal with using standard security tools, and if we see cryptojacking replacing advertising as a revenue source for some websites, I would expect the number of browser add-ons and endpoint software suites blocking this activity to increase.