The Nasstarian

Crypto-jacking: It’s Time for Businesses to Burn Digital Leeches

In opinion / By Phil Muncaster / 19 March 2018

As predictable as the passing seasons is the inevitability that cyber-criminals will adapt their tools and techniques over time to find new ways of making money. While the past year or two has been dominated by ransomware, culminating in the catastrophic 2017 global outages linked to WannaCry and NotPetya, the coming 12 months and beyond will see a new threat emerge. Yes, forget ransomware, there’s a new show in town and its name is crypto-jacking.

While it might appear less immediately damaging to firms, there could be a serious impact on energy costs, wear and tear and even staff productivity from this illicit use of computing resources.

What is it?

Crypto-jacking is broadly used to refer to illegal crypto-currency “mining”, done without the computer owner’s knowledge. It has grown out of the large gains to be made by using compute power to mine virtual currency like Bitcoin and Monero. This digital gold rush typically requires large amounts of computing resources, but cyber-criminals have found a way to game the system: hijack other people’s servers, endpoints, mobile and IoT devices, conscript them into large mining botnets and set them to work.

According to Cisco Talos, an average system generates about $0.25 of Monero per day, meaning that a hacker only has to enlist 2,000 machines to generate $500 per day or $182,500 per year. “Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically,” it claims.

The beauty of crypto-jacking from a hacker’s perspective is that in many ways it’s the polar opposite of ransomware in that the victims often don’t know they’ve even been infected with the malware. The crypto-jacker simply sits back and watches the money roll in, and if users get wise and remove the malware, they just go out and infect some more to join the botnet. Some of the tools they use, like Coinhive, were originally intended for legitimate purposes. Others, like Crypto-Loot, were designed with more nefarious purposes in mind from the beginning.

Whatever the original purpose, infections are going through the roof as the black hats target multiple threat vectors including drive-by-attacks, malvertising, phishing emails and more.

Kaspersky Lab claims to have seen a 50% increase in crypto-jacking attacks last year, with 2.7m users attacked with malicious miners. The firm said it blocked Coinhive alone more than 70 million times. Meanwhile, Check Point revealed recently that crypto-mining malware affected a whopping 42% of global organisations during February 2018, with Coinhive and Crypto-Loot the top two on its “most wanted” malware list.

Going professional

All computing devices are at risk, but organisations should be particularly on guard, because servers are most highly sought after for their relatively high computing power, according to IBM. It claims to have seen a six-fold increase in attacks on businesses in 2017, with those in manufacturing (29%), financial services (29%) and arts & entertainment (21%) most frequently hit.

“As with other attacks, server side crypto-jacking can be more complex and more complicated once it spreads,” warns Citrix. “If the attacker gets access to the infrastructure, he or she may provision additional servers – in cloud environments, expect to see new servers with high end specs and cost.” The firm has branded crypto-jackers “digital parasites” for their attempts to leech off CPU cycles for months or years, generating cash at the expense of their victims. A study on exactly how much crypto-jacking could cost affected organisations is hard to find. However, by draining corporate computing resources the malware slows down systems, uses up more energy and incurs greater cooling costs in the process. The financial impact could be high.

In February, over 4,000 websites were found to be infected with hidden crypto-mining software, including those run by the United States Courts, the General Medical Council, the UK’s Student Loans Company, NHS Inform and even the Information Commissioner’s Office (ICO). If organisations as diverse as these are being affected, it’s time to pay attention.

Time to banish the parasites

As long as it remains financially lucrative for cyber-criminals, crypto-jacking is here to stay. There have even been reports of potential state-sponsored efforts launched from inside North Korea. The question is: how do I stop my organisation falling victim?

The good news is that if you follow best practice security, you’ll stand a good chance of remaining as resilient as possible to this modern strain of digital parasites. That means holistic, multi-layered security including:

  • Regular security audits to check for malware
  • Regular risk assessments to spot vulnerabilities
  • Regular system updates to ensure the latest patches are applied to servers and endpoints
  • Intrusion detection and prevention to block attacks
  • Anti-malware on endpoints and servers
  • Updated user education to spot phishing attacks, not click on suspicious links etc
  • Change device credentials from default
  • Mobile device management
  • App whitelisting

So, if your systems seem to be more sluggish than usual with high CPU usage and you hear “the whine of maxed-out RPM on the cooling fans”, it might be time to run a check and see if your organisation is playing unwitting host to a digital parasite.
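One way to turn the "high CPU usage" symptom into a repeatable check is sketched below as an added example, not code from the article or from Nasstar. It flags processes that stay pegged across consecutive monitoring samples rather than spiking briefly; the host names, process names, readings and thresholds are all constructed assumptions.

```python
# Constructed sample data: CPU % per one-minute sample, keyed by (host, process).
# Host and process names are hypothetical; None means the process was not running.
CPU_SAMPLES = {
    ("web01", "nginx"): [12, 15, 91, 14, 11, 13],      # short legitimate burst
    ("web01", "sysupd"): [97, 98, 99, 97, 98, 99],     # pegged for the whole window
    ("db01", "backup"): [95, 96, 93, 10, 5, 5],        # heavy job that finishes
    ("build01", "make"): [99, 98, 99, 97, 99, 98],     # expected sustained load
    ("web02", "sysupd"): [96, 97, None, 98, 97, 99],   # restarted mid-window
}


def longest_hot_run(samples, threshold):
    """Length of the longest run of consecutive samples at or above threshold."""
    longest = run = 0
    for cpu in samples:
        run = run + 1 if cpu is not None and cpu >= threshold else 0
        longest = max(longest, run)
    return longest


def sustained_cpu_hogs(cpu_samples, threshold=90, min_run=5, allowlist=frozenset()):
    """Flag processes pegged at >= threshold % for min_run consecutive samples.

    Processes named in allowlist (known heavy workloads) are skipped, so what
    remains is sustained load that nobody has accounted for.
    """
    flagged = []
    for (host, proc), samples in cpu_samples.items():
        if proc in allowlist:
            continue
        run = longest_hot_run(samples, threshold)
        if run >= min_run:
            flagged.append((host, proc, run))
    return sorted(flagged)


if __name__ == "__main__":
    for host, proc, run in sustained_cpu_hogs(CPU_SAMPLES, allowlist={"make"}):
        print(f"{host}: {proc} at >=90% CPU for {run} consecutive minutes")
```

Allowlisting by process name alone is easy to evade, so a production check should match on the full executable path or file hash. A process that restarts mid-window (web02 above) only shows up when `min_run` is lowered.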

Read about how Nasstar protects our clients from both internal and external threats in our short guide.

Phil Muncaster


Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.
