The year cryptojacking ate the web
By Lily Hay Newman
December 24, 2018
CYBERSECURITY CAN FEEL like a chaotic free-for-all sometimes, but it’s not every day that a whole new conceptual type of attack crops up. Over the last 15 months, though, cryptojacking has been exactly that. It’s officially everywhere, and it’s not going away.
The concept of cryptojacking is pretty simple: An attacker finds a way to harness the processing power of computers she doesn’t own—or pay the electric bills on—to mine cryptocurrency for herself. Malicious mining malware has lurked for a while, but attackers didn’t realize its full potential until a group called Coinhive created a simple mining module in September 2017 that could embed in virtually any website.
Once it’s there, anyone who goes to the page will contribute CPU cycles to mining for the module’s owner for however long they have the tab open. Coinhive has said that it intended for the tool to provide an alternate revenue stream for websites, but criminals quickly realized that they could find and exploit vulnerabilities in all sorts of highly trafficked sites to quietly implant their own cryptojacking modules.
With cryptocurrency hitting all-time highs in late 2017 and early 2018, cryptojacking's popularity exploded. And it has since evolved and matured in all sorts of fascinating and alarming ways. Malicious miners have shown up on mobile devices, in cloud infrastructure, on Internet of Things gadgets, and even in critical infrastructure. And while donating a little bit of processing power to mining sometimes takes little toll on a victim, more aggressive miners can interfere with other processes on an affected device, disrupt work, and even wear hardware out to the point of physical damage.
“When we did our midyear threat report for 2018 we found that cryptojacking had a 35 percent share of all web threats and that is honestly absolutely insane,” says Tyler Moffitt, senior threat researcher at the security firm Webroot. “This is a new threat that just came out in late September 2017. Even if it drops down to 25 percent by the end of the year, it’s still clearly a force to be reckoned with.”
Cryptojacking attacks tend to ebb and flow with cryptocurrency values. But while the initial cryptojacking gold rush has subsided somewhat, hackers can still make money off of cryptojacking because there’s such minimal overhead to run the campaigns. It can even be productive for hackers to simply establish malicious mining infrastructure in target websites or systems without actually running it, so they’re ready to act when the value of cryptocurrencies goes up.
Plus, there’s pretty much always some money to be made if you’re mining off of powerful resources like cloud servers. “With the price of cryptocurrency decreasing we saw this kind of fade a bit, but it didn’t mean cryptojacking itself disappeared. It really matured,” says Jérôme Segura, lead malware intelligence analyst at the network defense firm Malwarebytes. “The danger is if you have a cryptominer running in critical infrastructure where computers are used for specific tasks and to schedule tasks it could potentially create instability and crashes and that in turn could affect service.”
At the beginning of 2018, the critical infrastructure security firm Radiflow said that it had found mining malware in a European water utility’s operational technology network, used for monitoring and industrial control. Malicious miners have also targeted cloud infrastructure for its extensive raw processing power, which can similarly threaten uptime of vital services. For example, the cloud monitoring and defense firm RedLock said in February that Tesla’s Amazon Web Services cloud infrastructure was running mining malware thanks to an inconspicuous, but extensive cryptojacking campaign.
Browsers and malware scanners have steadily improved their defenses against cryptojacking, but the technique has evolved to counter these protections. As with other types of attacks, hackers may eventually start obfuscating their mining code if enough defense systems are catching it out in the open. Cryptojacking has also proliferated by exploiting insecure and often unmonitored Internet of Things devices of all sorts; there are even proofs of concept that miners can run on Xbox and PlayStation consoles.
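What an embedded Coinhive-style miner actually looks like in a page, and how a scanner can catch it, is easier to see in code. The following is an added example, not code from the article or from Coinhive: a small Node.js triage scanner that pulls script references and inline script bodies out of fetched HTML and matches them against two indicators, the hosts Coinhive served its loader from and the `CoinHive.Anonymous(...)` style constructor its public client API used. Because the obfuscation trend mentioned above defeats plain string matching, the scanner also decodes base64 string literals in inline scripts and re-runs the same indicators over the decoded text. The host list and constructor pattern are illustrative starting points rather than a complete signature set, and the three sample pages are constructed for this example.

```javascript
'use strict';
// Added example (not from the article or from Coinhive): a static scanner that
// flags pages carrying a Coinhive-style in-page miner. The indicator lists are
// illustrative assumptions, and all sample pages below are constructed.

// Coinhive served its loader from these hosts; extend with your own intel.
const MINER_HOSTS = ['coinhive.com', 'authedmine.com', 'coin-hive.com'];

// Coinhive's public client API created a miner with
// new CoinHive.Anonymous('<site-key>') (or .User / .Token) and called .start().
const MINER_CONSTRUCTOR = /\bCoinHive\.(Anonymous|User|Token)\s*\(/;

// Pull <script src="..."> references and inline script bodies out of HTML.
// A regex is enough for a triage pass; a DOM parser is the robust choice.
function extractScripts(html) {
  const srcs = [];
  const inline = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) srcs.push(src[1]);
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { srcs, inline };
}

// Resolve a src attribute to a hostname; the base URL makes relative and
// protocol-relative ("//coinhive.com/...") values resolvable.
function hostOf(src) {
  try {
    return new URL(src, 'https://example.invalid/').hostname.toLowerCase();
  } catch (e) {
    return '';
  }
}

function isMinerHost(host) {
  return MINER_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Obfuscated loaders often hide the real payload in a base64 literal fed to
// atob()/eval(). Decode plausible literals so the same indicators can be
// matched against the decoded text.
function decodeBase64Literals(js) {
  const decoded = [];
  const literal = /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g;
  let m;
  while ((m = literal.exec(js)) !== null) {
    if (m[1].length % 4 !== 0) continue;
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    // Keep only decodes that are mostly printable ASCII, i.e. likely script text.
    const printable = text.replace(/[^\x20-\x7e\r\n\t]/g, '').length;
    if (text.length > 0 && printable / text.length > 0.9) decoded.push(text);
  }
  return decoded;
}

// Run both indicators over a piece of script text; `stage` records where it came from.
function matchIndicators(text, stage) {
  const findings = [];
  const c = MINER_CONSTRUCTOR.exec(text);
  if (c) findings.push({ stage, indicator: 'miner-constructor', evidence: c[0] });
  for (const host of MINER_HOSTS) {
    if (text.toLowerCase().includes(host)) {
      findings.push({ stage, indicator: 'miner-host-reference', evidence: host });
    }
  }
  return findings;
}

// Scan one HTML document; returns a list of findings (empty when clean).
function scanHtml(html) {
  const { srcs, inline } = extractScripts(html);
  const findings = [];
  for (const src of srcs) {
    if (isMinerHost(hostOf(src))) {
      findings.push({ stage: 'external-script', indicator: 'miner-host', evidence: src });
    }
  }
  for (const body of inline) {
    findings.push(...matchIndicators(body, 'inline-script'));
    for (const text of decodeBase64Literals(body)) {
      findings.push(...matchIndicators(text, 'decoded-literal'));
    }
  }
  return findings;
}

// Constructed sample pages (not captured from any real site).
const CLEAN_PAGE = `<html><head><script src="/static/app.js"></script></head>
<body><script>console.log('hello');</script></body></html>`;

const PLAIN_MINER_PAGE = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</head><body>news</body></html>`;

// Same loader, hidden behind a base64 literal that the page eval()s.
const PAYLOAD = "var m=new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');m.start();";
const OBFUSCATED_MINER_PAGE = `<html><body>
<script>eval(atob('${Buffer.from(PAYLOAD).toString('base64')}'));</script>
</body></html>`;

for (const [name, page] of Object.entries({ CLEAN_PAGE, PLAIN_MINER_PAGE, OBFUSCATED_MINER_PAGE })) {
  console.log(name, JSON.stringify(scanHtml(page)));
}
```

Run with `node scanner.js`: the clean page yields no findings, the plain page yields an external-script hit on the loader host plus an inline constructor hit, and the obfuscated page is caught only through the decoded literal. That last result is the practical caveat: a scanner that stops at literal string matching misses exactly the variants the paragraph above anticipates, and a decode pass only helps against the simplest encodings, so host-level indicators (DNS and proxy logs for the loader domains) and behavioral signals (sustained CPU from a tab, long-running workers) are needed alongside it.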
In August, the security firm TrustWave disclosed a massive cryptojacking campaign it had discovered in routers from the Latvian manufacturer MikroTik. The attack exploited a flaw to infect an initial 72,000 routers in Brazil, and then spread to more than 200,000 vulnerable units. MikroTik had patched the bug in April, but many devices didn’t receive the update, a common problem in IoT security.
“It’s a brilliant idea,” Malwarebytes’ Segura says. “By injecting the router with a cryptojacking script you’re compromising any device that’s behind that router that connects to it to access the internet. Every single website the victim visits on every device on the Wi-Fi is hijacked, because it’s happening at the router level. So there’s a scalability that really makes sense for an attacker. If they compromise a router at a school or library they can have hundreds of machines behind it.”
Even though cryptojacking schemes have gotten more sophisticated, attackers still go back to their roots, hijacking high-profile websites when the opportunity presents itself. Just last month, cryptojackers compromised the Make-A-Wish Foundation website by injecting a mining script through its content management system, a type of web framework that hackers frequently target with cryptojacking scripts. And cryptojackers have learned to bolt mining onto lots of classic web attacks, adding malicious miners to phishing websites or bundling them into other malware downloads.
The crucial thing about cryptojacking is that it’s so easy to pull off relative to other types of attacks. “It just doesn’t cost attackers anything,” Webroot’s Moffitt says. “So it’s always going to be profitable.”
In that way, cryptojacking appeals to attackers whether they’re looking to make a quick buck or playing a long game. And with so much potential left, it isn’t going away anytime soon.