What do you do when your network performance starts to lag? Check up on employee web usage and enforce stricter policies? Look into bandwidth usage and ensure proper load balancing? Make sure your apps are properly configured and secured? Pay for more data storage capacity and transmission links?
All of those may be the right response. But none of them addresses an increasingly common type of malware attack called cryptojacking.
Cryptojacking: Using YOUR resources for THEIR benefit
In a cryptojacking attack, the attacker plants malware that gives them control of a computer on as many devices as possible, then puts those devices to work mining cryptocurrency for the attacker’s benefit. Devices controlled this way are essentially a traditional botnet, but instead of being used to launch large-scale DDoS attacks they are set to grinding through the intensive calculations that produce cryptocurrency.
Cryptojackers need to take control of a lot of devices (or high-capacity devices like cloud servers) to make significant financial gains. In one 2020 case, a student at Louisiana State University (LSU) confessed to having taken control of 169 university computers and using them to mine cryptocurrency. He netted a profit of about $2,500 over the course of the two years that his scheme was in effect.
In the LSU case, the perpetrator loaded the cryptomining malware directly onto each computer using a thumb drive. However, the malicious code used to hijack your devices is far more likely to be delivered via a phishing email or embedded in a compromised or malicious website.
The popularity of cryptojacking varies along with the prices of cryptocurrencies — when prices spike, so do cryptojacking attacks. Although this type of attack was only discovered in 2017, by 2018 it was found to constitute 35% of cyber threats, according to Wired, giving ransomware — the perennial champion — a run for its money.
Cryptojacking rarely results in any serious damage to the victim, beyond impaired performance, increased electric bills, and higher IT overhead costs as attempts are made to address performance issues. But in some cases, it may place such high demands on the CPU that devices can overheat and suffer physical damage.
More alarming, there has been at least one case of an attack on critical infrastructure, in which the operational technology network of a European water utility was found to be infected with cryptojacking malware. Industrial control systems (ICS) typically need to have a lot of processing power available, most of which is only used occasionally. This excess available processing power, along with normally high electric usage and, often, legacy systems that are relatively easy to breach, may make such infrastructures especially attractive to cryptojackers. Such attacks could easily lead to significant real-world consequences if they overwhelm ICS processors and bandwidth, leading their applications to pause or crash.
Detection and prevention
Detecting cryptojacking in progress can be challenging. One possible sign is a sudden increase in IT calls about slow performance. Another can be rising electrical bills. System logs should reveal high processor usage during off hours, another potential giveaway. But modern mining malware is carefully designed to avoid detection, with one variant turning itself off whenever it detects mouse or keyboard activity.
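The two log-based hints above (sustained off-hours CPU load, and load that vanishes whenever the user is active) turned into a check you can run over endpoint telemetry, as an added example that is not part of the original post. It assumes a hypothetical agent that logs each host's CPU percent and seconds since the last keyboard or mouse input; the sample lines are constructed.

```python
import re
from datetime import datetime, time
# Constructed sample lines, not real syslog output. The format (CPU percent plus
# seconds since the last keyboard/mouse input) is assumed from a hypothetical agent.
SAMPLE_LOG = """\
2024-03-02T02:00:00 ws-17 cpu=94 idle_s=7200
2024-03-02T02:05:00 ws-17 cpu=96 idle_s=7500
2024-03-02T02:10:00 ws-17 cpu=95 idle_s=7800
2024-03-02T09:00:00 ws-17 cpu=11 idle_s=3
2024-03-02T02:00:00 ws-22 cpu=18 idle_s=7200
2024-03-02T09:00:00 ws-22 cpu=88 idle_s=4
"""
LINE_RE = re.compile(r"^(\S+) (\S+) cpu=(\d+) idle_s=(\d+)$")
OFF_START, OFF_END = time(22, 0), time(6, 0)  # off-hours window, wraps midnight
HIGH_CPU = 85   # percent at which the CPU counts as pegged
IDLE_S = 600    # seconds without input before the user counts as away
MIN_RUN = 3     # consecutive pegged off-hours samples needed to call it sustained

def parse(log_text):
    """Return (timestamp, host, cpu_pct, idle_seconds) tuples sorted by time."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines instead of failing the whole batch
            rows.append((datetime.fromisoformat(m[1]), m[2], int(m[3]), int(m[4])))
    return sorted(rows)

def suspicious_hosts(log_text):
    """Map each suspicious host to the heuristics it triggered."""
    by_host = {}
    for ts, host, cpu, idle in parse(log_text):
        by_host.setdefault(host, []).append((ts, cpu, idle))
    findings = {}
    for host, samples in by_host.items():
        reasons, run = [], 0
        for ts, cpu, _ in samples:  # heuristic 1: sustained off-hours load
            off = ts.time() >= OFF_START or ts.time() < OFF_END
            run = run + 1 if off and cpu >= HIGH_CPU else 0
            if run >= MIN_RUN:
                reasons.append("sustained off-hours CPU")
                break
        away = [c for _, c, i in samples if i >= IDLE_S]
        active = [c for _, c, i in samples if i < IDLE_S]
        # heuristic 2: pegged whenever the user is away, quiet once input resumes
        if away and active and min(away) >= HIGH_CPU and max(active) < HIGH_CPU / 2:
            reasons.append("CPU load stops when user is active")
        if reasons:
            findings[host] = reasons
    return findings
```

The thresholds and the off-hours window are starting points; baseline them against legitimate scheduled work (backups, patching, batch jobs) so those do not trip the check, as ws-22's daytime load does not here.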
When it comes to prevention, use a combination of generally sound security practices along with measures specifically aimed at cryptojacking.
- Double down on user training. Because phishing attacks are a common vector for cryptojacking, everything you can do to prevent phishing will help protect you against cryptojacking. This should definitely include a modern, computer-based security-awareness training solution with a proven record of improving users’ ability to spot and report malicious emails.
- Use advanced anti-phishing technology. Another important tool for keeping cryptojacking malware from using phishing emails to penetrate your defenses is a modern, AI-powered anti-phishing solution. These products learn your organization’s communication patterns and spot potentially malicious anomalies.
- Use a strong, up-to-date web filtering solution. Many vendors now include the ability to detect cryptomining scripts and keep them from running. And be sure to update your blocked list of websites to prevent users from accessing cryptojacking sites.
- Make sure your endpoint security can detect known cryptomining malware. Many vendors have added this category of malware to their signature databases. Keep it up to date to ensure you’re using the latest signature files.
- Consider using ad-blocking and anti-cryptomining extensions. Installing these in your web browsers can make a big difference in terms of blocking cryptojacking scripts, which are often delivered via web ads.
- Monitor outbound network and application traffic. Modern network and application firewalls examine and filter outbound traffic, which can help you both detect cryptojacking and disable it.
- Ensure your own applications are not compromised. If your applications are compromised by cryptojacking scripts, you may unknowingly be infecting every device that uses your public-facing applications. A strong web application firewall should be able to spot or prevent the insertion of malicious code.
- Adopt a modern approach to access control. Using a Secure Access Service Edge (SASE) network security infrastructure that includes Zero Trust Access controls will help prevent unauthorized access to your systems for the purpose of inserting cryptojacking code.
As long as money can be made by mining cryptocurrencies, you can be sure that the practice of cryptojacking is here to stay. And like most forms of malware, it’s swiftly being improved, adapting to effective security measures, combining with other threat categories, and getting better at evading detection.
For the long term, your best protection against it is to stay on top of the latest developments (this blog is a great place to do that) and make sure that your cyber security is highly effective, up-to-date, and properly configured.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.
You can connect with Tony on LinkedIn here.