Cryptojacking: The canary in the coalmine?
- By Stephanie Kanowitz
- Sep 20, 2018
Cryptojacking -- or the theft of CPU power to mine cryptocurrencies -- is outpacing ransomware as a top cybersecurity concern, reports show. It's affecting more than just business and consumer systems -- cryptojacking has shown up on government websites in India, Australia and Ireland. It has hit the U.K. Student Loans Company and even the United States Courts websites.
McAfee Global Threat Intelligence data showed ransomware attacks declining 32 percent in the first quarter of this year, while coin mining increased by 1,189 percent. On Sept. 19, the Cyber Threat Alliance reported a 459 percent increase in illicit cryptocurrency-mining malware detections among its members since 2017, a trend it said "shows no signs of slowing down." Similarly, Trend Micro’s 2018 Midyear Security Roundup found that “cryptocurrency mining detections climbed from around 75,000 detections in the first half of the year to about 326,000 in the second half. Compared to the previous half year, the first half of 2018 saw a 141 percent increase in cryptocurrency mining detections.”
Those numbers are significant, especially considering that cryptojacking, a form of malware, is a relatively new risk. It appeared for the first time in FortiGuard Labs’ Quarterly Threat Landscape report in the fourth quarter of 2017, when it affected 13 percent of organizations. That more than doubled to 28 percent in the first quarter of 2018.
“It is also showing incredible diversity for such a relatively new threat,” according to the report from the labs, part of cybersecurity firm Fortinet. “We have documented miners targeting multiple operating systems as well as different cryptocurrencies, including BitCoin, Dash, and Monero.”
The motivation behind this trend is unsurprising: money. “There’s more money for [bad actors] in cryptojacking and cryptocurrency. They make a lot more money in mining than they do in ransomware,” said Avivah Litan, a vice president and distinguished analyst at research firm Gartner. “The average ransomware payment is $550, although it is going up a lot.”
Another reason for cryptojacking’s rise is a lack of ways to find and stop it. Whereas cybersecurity vendors have developed tools to stop ransomware, “they don’t have the same kind of mechanisms in place yet to stop your computer from being used for mining,” Litan said. “It’s a matter of fine-tuning the defenses. The criminals always seem to be a step ahead of the protections.”
The concerns around cryptojacking go beyond the stolen CPU cycles -- it also opens the door to more malware to affect machines and networks, said Tony Giandomenico, senior security strategist/researcher at FortiGuard Labs.
“Larger IoT botnets are now carrying this cryptojacking malware and installing them on [internet-of-things] devices, and even IoT that are found in the home,” he said.
“Usually when you have cryptojacking on your machine, there’s a lot of other things that it ends up being able to do,” Giandomenico said. “PowerGhost is an example of a cryptojacking, and it will basically disable the [Microsoft] Windows Defender. It starts to do that collateral damage. Now it’s bringing your computer’s shields down a little bit, and now that opens up the pathway for other malware to be installed on your machine.”
The Cyber Threat Alliance called cryptojacking "the figurative canary in the coal mine, warning you of much larger problems ahead." CTA's recent report cited members who recounted "case after case of being called in to an incident response for a mining infection and finding signs of multiple threat actors in the network."
Cryptojacking also is becoming more sophisticated by using fileless malware techniques that are tougher to detect with standard defense tools, Giandomenico said.
“Typically, malware is an executable, and it basically has to install on your disk,” Giandomenico said. “With a lot of this fileless malware, what the bad guys will actually do is automatically inject purely into memory so the actual threat just resides in memory. There’s nothing on disk, so it makes it a lot more difficult for anti-malware to be able to detect that, and it also makes it a lot more difficult for forensic investigators to actually sift through that computer and find out where it is.”
Another reason for the uptick is the increase in computing devices, particularly IoT sensors. A “critical factor is the fact that these devices tend to always be on and connected, enabling attackers to load them with malware that is continually engaged in cryptomining,” according to an Aug. 13 Fortinet blog post. That has implications for government workers who telework and access government networks through home devices.
It’s up to agencies and users to better protect against cryptojacking, he said. The first step is to baseline internal networks and systems to know what “normal” activity looks like. “Any deviation outside of that normal behavioral pattern is a flag,” he said.
Monitoring CPUs is another way to watch for trouble. IT managers should make sure their employees know that if they hear their “machine start sounding like it’s getting ready to take off like an airplane or helicopter, that’s probably the outsourced CPU spiking, and you probably want to report it,” Giandomenico said.
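The baseline-then-flag approach described above can be sketched as follows. This is an added example, not code from the article or from any vendor quoted in it; the host names, the sample values, the median/MAD baseline and the `k` and `min_run` thresholds are all assumptions chosen for illustration.

```python
from statistics import median

def baseline(samples):
    """Return (median, MAD) of a host's historical CPU utilisation in percent."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, max(mad, 1.0)  # floor so a very flat baseline does not flag noise

def sustained_deviation(history, recent, k=6.0, min_run=6):
    """Index in `recent` where a run of at least `min_run` consecutive samples
    above median + k*MAD begins, or None if there is no such run."""
    med, mad = baseline(history)
    threshold = med + k * mad
    run_start, run_len = None, 0
    for i, value in enumerate(recent):
        if value > threshold:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len >= min_run:
                return run_start
        else:
            run_len = 0  # a dip back to normal ends the run
    return None

def scan(history_by_host, recent_by_host):
    """Map each flagged host to the sample index where its deviation began."""
    flagged = {}
    for host, recent in recent_by_host.items():
        start = sustained_deviation(history_by_host[host], recent)
        if start is not None:
            flagged[host] = start
    return flagged

# Constructed sample data: 5-minute CPU averages (percent) per hypothetical host.
HISTORY = {
    "web-01":   [12, 15, 11, 14, 18, 13, 16, 12, 14, 15, 13, 17],  # quiet host
    "build-01": [20, 85, 90, 25, 18, 88, 22, 19, 91, 24, 21, 87],  # bursty is normal
    "db-01":    [30, 31, 29, 30, 32, 30, 31, 29, 30, 30, 31, 30],  # very flat
}
RECENT = {
    "web-01":   [14, 13, 96, 97, 95, 98, 96, 97, 95, 96],  # sustained plateau
    "build-01": [22, 88, 90, 21, 19, 86, 89, 23, 20, 87],  # usual build bursts
    "db-01":    [30, 31, 80, 85, 82, 30, 29, 31, 30, 30],  # short spike only
}

if __name__ == "__main__":
    for host, start in scan(HISTORY, RECENT).items():
        print(f"{host}: sustained CPU deviation starting at sample {start}")
```

Requiring a run of consecutive samples, not a single high reading, is what separates the plateau a miner produces from ordinary bursts such as builds or backups.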
Other defenses include segmenting the network, staying current on basic cyber hygiene practices and working with intrusion-detection system vendors to understand their approach.
“They need to invest in the latest endpoint security software. There’s a lot of good software out there, but they have to stay up-to-date with it,” Litan added.
Cryptojacking is unlikely to be a passing fad, she said. “The criminals go where the money is,” Litan said. “Right now, there’s more money in cryptocurrency mining than in most other illegal activities or any activities that they can engage in, so they’re likely to just increase their mining activity. The problem is not going to go away.”
Fortinet has seen rising cryptojacking attacks as Bitcoin and Monero prices go up.
“We’re not saying that cryptojacking is overtaking ransomware. I think ransomware is here to stay,” Giandomenico said. “It’s just that the adversaries are always looking for ways to commoditize and make money, and cryptojacking seems to be one way for them to be able to do that. It’s an opportunity for the bad guys to be able to make a little bit of money to help them fund probably other types of malicious cyber activity.”