Cryptojacking has been a recent buzzword in the cyber security world. It has been on the radar since August 2017, and reported detections of coin-mining malware had increased by an alarming 8,500% by December 2017.
This increase is mainly due to the fact that cryptojacking is the easiest and most covert way to make money from a victim's machine. It is far more discreet than ransomware, where access to the victim's files is blocked or encrypted and the attacker then demands a ransom to restore them. In the case of cryptojacking all the attacker has to do is infect a machine, and it generates money without the victim's knowledge. Cryptojacking and crypto mining are the same activity at the technical level: crypto mining becomes cryptojacking when it is installed or run on a victim's machine without authorization.
Cryptojacking is the use of a machine's computing power to mine cryptocurrency without the prior consent or authorization of its owner. It is achieved through malicious activity or other deception, such as hidden code in a web page that runs in the browser undetected.
In-browser cryptojacking is more popular among cybercriminals than file-based mining malware, mainly because it requires nothing to be installed on the victim's machine: the mining script runs as soon as the page loads, which makes it very easy to deploy and operate.
HOW IT WORKS
There are two delivery methods. The first is deceiving the user into opening a link or downloading a file (usually by social engineering), after which a mining program runs in the background without the victim's knowledge. The second is in-browser mining: the attacker plants a mining script in a website, and the script runs in the browser of every visitor for as long as the page stays open.
Some attackers combine both methods to maximize their profit from each victim.
Cryptojacking scripts are not designed to damage the files on the infected machine, but they consume its processing power, so the machine runs noticeably slower and uses more electricity.
- The threat actor compromises a website
- Users connect to the compromised website and the crypto mining script executes
- Users unknowingly start mining cryptocurrency on behalf of threat actor
- Upon successfully adding a new block to the blockchain, the threat actor receives the reward in cryptocurrency; in practice the script submits its work to a mining pool, which pays a share of every block the pool finds to the attacker's wallet
January 2018: a crypto-mining botnet infected computers in Russia, India and Taiwan. An estimated half a million computers were infected, and the mined cryptocurrency was valued at $3.6 million.
February 2018: a cybersecurity firm operating in Spain fell victim to cryptojacking. The infection was WannaMine, a fileless miner that spreads across a network with the EternalBlue exploit and mines the cryptocurrency Monero.
February 2018: U.S. and U.K. government websites, including the U.K. Information Commissioner's Office site and the U.S. federal courts site, served in-browser cryptojacking scripts. The miner was not planted on each site individually: a third-party accessibility script (Browsealoud) that thousands of sites loaded had been tampered with, so the Coinhive miner ran in the browser of every visitor for as long as a page stayed open.
February 2018: Tesla Inc. was affected when a Kubernetes administration console in its Amazon Web Services environment, reachable without a password, was used to run a miner inside a container; the console also exposed AWS credentials. Attacks of this kind had been reported against other companies and organizations since October 2017.
The first sign is that computers perform abnormally slowly for their processing power. If machines that used to be fine suddenly show lower performance, that is a red flag and may indicate cryptojacking.
Another indicator is overheating due to sustained CPU usage, especially on mobile devices. Also look for high CPU usage on PCs and servers: a process pinned near 100% CPU for minutes at a time, with no workload to explain it, is a strong indicator of mining activity.
Network monitoring tools are widely regarded as the most reliable detection method for large organizations: a miner has to keep a connection open to a mining pool and regularly submit its results, so outbound traffic to pool ports or Stratum (JSON-RPC) mining messages stands out even when the process on the endpoint is disguised under an innocent name.
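The three indicators above (sustained CPU, a miner-style command line, and pool traffic) can be combined into one scoring pass over endpoint and network telemetry. The following is an added example, not code from the original article: it runs over constructed sample data (a per-minute CPU sample per process, plus outbound connections with the first bytes each one sent) and flags hosts whose evidence adds up. The allowlist, pool ports and host names are assumptions for the example; a real deployment would feed it from an EDR or NetFlow/PCAP export.

```python
import json
import re
from typing import Dict, List, Tuple

# Stratum mining protocol (JSON-RPC over TCP): these method names are what
# XMRig-style miners send to a pool when they connect and submit shares.
STRATUM_METHODS = {"login", "submit", "mining.subscribe",
                   "mining.authorize", "mining.submit"}
# Command-line fragments typical of mining binaries (assumption: tuned per environment).
MINING_ARGS = re.compile(r"stratum\+(tcp|ssl)://|--donate-level|-o\s+\S+:\d+", re.I)
# Ports commonly used by Monero pools; a port match alone is low confidence.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Hypothetical allowlist of binaries that legitimately run hot for long periods.
ALLOWED_HOT_PROCS = {"ffmpeg", "cc1", "java"}


def stratum_method(payload: bytes):
    """Return the JSON-RPC method if the first line is a Stratum message, else None."""
    try:
        msg = json.loads(payload.decode("utf-8", "replace").splitlines()[0])
    except (ValueError, IndexError):
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def sustained_cpu(samples: List[dict], threshold=80.0, min_minutes=10):
    """Processes with >= min_minutes consecutive samples at or above threshold."""
    by_proc: Dict[Tuple, List[dict]] = {}
    for s in sorted(samples, key=lambda s: s["minute"]):
        by_proc.setdefault((s["host"], s["pid"], s["name"]), []).append(s)
    hot = []
    for key, procs in by_proc.items():
        run = best = 0
        for s in procs:
            run = run + 1 if s["cpu"] >= threshold else 0
            best = max(best, run)
        if best >= min_minutes:
            hot.append((key, procs[0]["cmdline"], best))
    return hot


def analyse(cpu_samples: List[dict], connections: List[dict]) -> List[dict]:
    """Merge endpoint and network evidence per (host, pid)."""
    findings: Dict[Tuple, dict] = {}

    def add(host, pid, reason):
        entry = findings.setdefault((host, pid), {"host": host, "pid": pid, "reasons": []})
        entry["reasons"].append(reason)

    for (host, pid, name), cmdline, minutes in sustained_cpu(cpu_samples):
        if name in ALLOWED_HOT_PROCS:
            continue                      # expected workload, not evidence
        add(host, pid, f"{name}: {minutes} consecutive minutes >= 80% CPU")
        if MINING_ARGS.search(cmdline):
            add(host, pid, "miner-style command line: " + cmdline)
    for c in connections:
        method = stratum_method(c["payload"])
        if method:
            add(c["host"], c["pid"], f"Stratum '{method}' to {c['dst']}:{c['dport']}")
        elif c["dport"] in POOL_PORTS:
            add(c["host"], c["pid"], f"connection to common pool port {c['dport']} (low confidence)")
    return list(findings.values())


def make_samples() -> List[dict]:
    """Constructed telemetry: one renamed miner, one busy browser, one allowlisted encoder."""
    samples = []
    for minute in range(12):
        samples.append({"host": "ws-17", "pid": 4242, "name": "kworker", "minute": minute, "cpu": 97.0,
                        "cmdline": "kworker -o stratum+tcp://pool.example.net:4444 -u 44AAAA --donate-level 1"})
        samples.append({"host": "ws-17", "pid": 911, "name": "chrome", "minute": minute,
                        "cpu": 35.0 if minute % 2 else 15.0, "cmdline": "chrome --type=renderer"})
        samples.append({"host": "build-3", "pid": 77, "name": "ffmpeg", "minute": minute, "cpu": 99.0,
                        "cmdline": "ffmpeg -i in.mp4 out.mkv"})
    return samples


# Constructed connection records (dst addresses are documentation ranges, not real pools).
CONNECTIONS = [
    {"host": "ws-17", "pid": 4242, "dst": "203.0.113.10", "dport": 4444,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44AAAA","pass":"x","agent":"XMRig/6.0"}}\n'},
    {"host": "ws-17", "pid": 911, "dst": "198.51.100.5", "dport": 443, "payload": b"\x16\x03\x01\x02\x00"},
    {"host": "db-1", "pid": 300, "dst": "203.0.113.20", "dport": 3333, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for f in analyse(make_samples(), CONNECTIONS):
        print(f["host"], f["pid"], "->", "; ".join(f["reasons"]))
```

On the sample data the renamed miner on ws-17 is reported with three independent reasons, the database host gets a single low-confidence port hit worth a look, and the allowlisted encoder and the browser produce nothing. Requiring more than one reason before paging someone is the usual way to keep the port heuristic from generating noise.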
- Spread awareness of cryptojacking among users, so they are more vigilant about malicious websites and links.
- Use browser extensions that block domains associated with cryptojacking scripts, and restrict unauthorized browser extensions from being installed or executing code.
- Use a mobile device management solution to control what users can access or install on their devices.
- Block websites that deliver mining scripts at the proxy or DNS layer to prevent in-browser cryptojacking, so employees cannot reach them.
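Blocking by domain (second and fourth points above) only catches miners served from known hosts; a script injected inline into a compromised page is missed. The following is an added example, not code from the original article, of a content check a web proxy or security gateway could apply to a page before it reaches the browser: it parses the HTML with the standard library, checks external script hosts against a blocklist, and looks inside inline scripts for the Coinhive client API and for the WebAssembly-plus-WebSocket pattern that browser miners use. The blocklist is a sample seeded with the best-known Coinhive hosts and would be fed from a maintained list in practice; the sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Sample blocklist (assumption: replace with a maintained public coin-miner list).
BLOCKED_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com"}
# Inline indicators: Coinhive's public constructor names, and the CryptoNight PoW name.
INLINE_PATTERNS = [
    (re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("), "miner-api"),
    (re.compile(r"cryptonight", re.I), "cryptonight-ref"),
]
WASM = re.compile(r"WebAssembly\.instantiate")
WS = re.compile(r"new\s+WebSocket\s*\(")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def host_blocked(host: str) -> bool:
    """True for a blocklisted host or any of its subdomains."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def scan_html(html: str) -> List[dict]:
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = (urlparse(src).hostname or "").lower()   # handles https:// and scheme-relative //
        if host_blocked(host):
            findings.append({"kind": "blocked-host", "detail": src})
    for body in p.inline:
        for pattern, kind in INLINE_PATTERNS:
            if pattern.search(body):
                findings.append({"kind": kind, "detail": pattern.pattern})
        # A browser miner needs a hashing core (wasm) and a channel to a pool proxy (WebSocket).
        if WASM.search(body) and WS.search(body):
            findings.append({"kind": "wasm-websocket", "detail": "wasm + websocket in one script"})
    return findings


def should_block(findings: List[dict]) -> bool:
    """Block on a definite indicator; wasm+websocket alone is only worth a review."""
    return any(f["kind"] in {"blocked-host", "miner-api"} for f in findings)


# Constructed sample page resembling a compromised site (placeholder site key, not a real one).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
<script>
  fetch('/w.wasm').then(r => r.arrayBuffer()).then(b => WebAssembly.instantiate(b));
  var ws = new WebSocket('wss://cdn.example.org/proxy');
</script>
</body></html>"""

if __name__ == "__main__":
    hits = scan_html(SAMPLE_PAGE)
    for h in hits:
        print(h["kind"], "-", h["detail"])
    print("block" if should_block(hits) else "allow")
```

The scheme-relative `//coinhive.com/...` form is the one the Browsealoud-style injections used, which is why the host is taken from the parsed URL rather than matched as a plain substring. Minified or obfuscated loaders will not match the inline patterns, so this check complements, rather than replaces, the CPU and network detection on the endpoint.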
HOW TO MITIGATE A DETECTED CRYPTOJACKING INSTANCE
- Block network access for detected cryptojacking sites and mining-pool endpoints: a miner only earns anything by sending its proof-of-work results (shares) to a pool, so cutting that connection stops the payout immediately. Then isolate the affected machines, scan them for the malicious files and remove them.
- If a machine's performance has dropped, identify the process consuming the most CPU (not only memory) and check whether it is connected to mining: an unfamiliar binary pinned near 100% CPU with outbound connections to a pool is the typical pattern. If it is, terminate it and blocklist its hash and path so it cannot be executed again.
- Conventional anti-malware detection and reputable internet security products are effective against cryptojacking script files; use them to find and remove the malicious files.
Cryptojacking is a new money-generating scheme that has quickly become a prominent part of the threat landscape. Users must be aware of this lucrative method so they can prevent cryptojacking on their machines, and they should follow the recommendations above to prevent an incident.
Some would argue that cryptojacking is a victimless crime, on the grounds that it neither steals the target's confidential information nor harms their files. This argument is unsound. Crypto mining can harm the machine: in some cases physical damage to victim machines was reported due to the sustained high use of the processor. In addition, the device performs poorly, with significantly less processing power left for its real work, and the owner pays the electricity bill for the attacker's profit.