To jack somebody (for something) is to steal something from somebody, especially something small or of low value. Being jacked isn’t going to ruin your life necessarily – it’s not like having your bank account details stolen or having your private credentials hacked, but it certainly is a nuisance, and if it happens every day it could definitely have a negative affect on your life.
In our blog (Security Benefits of Blockchain) we looked at how blockchain works and what security benefits such a “system” can offer. This time we’re taking a look at one of the most prominent applications for blockchain – cryptocurrencies, and the biggest new cybercrime in 2018/19 – Cryptojacking…
A cryptocurrency is a digital and global monetary system – the first and most well known being Bitcoin. Cryptocurrencies like Bitcoin allow people to send or receive money across the internet, even to someone they don’t know or don’t trust. The core innovation that makes any cryptocurrency special is that it uses consensus in a massive peer-to-peer network to verify transactions – no third party. This results in a system where payments are non-reversible, accounts cannot be frozen, and transaction fees are much lower. Major cryptocurrencies like Bitcoin are also the de-facto currency of cyber-crime like darknet markets or ransomware.
Cryptocurrency is typically purchased through an online exchange. However, it can also be obtained through a process called “mining”, by which complex equations are solved by a powerful network of computers in order to verify transactions and/or cause new currency to be released and earned. The necessary hardware and the resources needed to power that machinery can be quite expensive. Enter in cryptojacking…
Jacking the system
Not wanting to miss out on this potentially lucrative opportunity, but also in search of a scheme that would draw less attention from victims and, in turn, law enforcement agencies, cyber criminals have developed malware that mines cryptocurrency using processing power of computers they don’t own—or pay the electric bills on—to mine cryptocurrency for themselves from unsuspecting third parties. The malware is generally written to “mine” during the middle of the night to help avoid detection, and purposely at a time when the equipment and bandwidth of the third party is not otherwise in use, thereby maximising its utility. Malicious mining malware has lurked for a while, but attackers didn’t realise its full potential until a group called Coinhive created a simple mining module in September 2017 that could embed in virtually any website.
Why cryptojacking is on the rise?
No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking is growing fast. In 2018, Adguard reported a 31 percent growth rate for in-browser cryptojacking. Its research found 33,000 websites running crypto mining scripts. Adguard estimated that those sites had a billion combined monthly visitors.
“Crypto mining is in its infancy. There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. He notes that Coinhive is easy to deploy and generated $300 thousand in its first month. “It’s grown quite a bit since then. It’s really easy money.”
The price of cryptojacking
With cryptocurrency hitting all-time highs in 2018, the cryptojacking’s popularity exploded. And it has since evolved and matured in all sorts of fascinating and alarming ways. Malicious miners have shown up on mobile devices, in cloud infrastructure, on Internet of Things gadgets, and even in critical infrastructure. And while donating a little bit of processing power to mining sometimes takes little toll on a victim, more aggressive miners can interfere with affected device processes, disrupt work, and even wear on them to the point of physical damage.
In August 2018, the security firm TrustWave disclosed a massive cryptojacking campaign it had discovered in routers from the Latvian manufacturer MikroTik. The attack exploited a flaw to infect an initial 72,000 routers in Brazil, and then spread to more than 200,000 vulnerable units. MikroTik had patched the bug in April, but many devices didn’t receive the update, a common problem in IoT security.
“It’s a brilliant idea,” Malwarebytes’ Segura says. “By injecting the router with a crypojacking script you’re compromising any device that’s behind that router that connects to it to access the internet. Every single website the victim visits on every device on the Wi-Fi is hijacked, because it’s happening at the router level. So there’s a scalability that really makes sense for an attacker. If they compromise a router at a school or library they can have hundreds of machines behind it.
Some think cryptojacking is a victimless crime. Far from it. The damages to a victim can vary, but are likely to include one or more of the following:
- Overruns of bandwidth allowances, resulting in additional costs (e.g., power and electricity) or “throttling” (deliberate regulation of the rate of data transfer) by internet service providers.
- The risk of property damage to hardware due to overheating and other mechanical breakdown or destruction, as well as loss of locally-stored data should the hardware fail.
- Business interruption due to hardware failure and data loss, but also due to a slowdown in the ability to conduct business due to the tie-up of critical resources from mining activities, and
- Increased security risk, as security experts have advised that in the cyber criminals’ efforts to make their malware more productive, they can also disable additional security productions, open ports, and install additional malware that will carry out a different attack on the network at a later time.
- Through phishing, in which individuals are sent emails with attachments or links masked as legitimate, but in reality contain or lead to the malware, which is then secretly uploaded onto the person’s computer system.
- Through the insertion of scripts into ads on websites. Through this method, the malware is never installed on the computer system, but executed through the web browser where it directs the infected machine to perform mining activities for the benefit of the cyber criminal.
- Via Internet of Things (“IoT”) connectivity, although it remains unclear how worthwhile the hijacking of IoT devices can be for this purpose. Despite often lacking sufficient security controls, IoT devices possess far less computing power than an actual computer. There are reports, however, of botnets previously commanded to send spam messages or perform Distributed Denial of Service (“DDoS”) attacks now being retooled to mine for cryptocurrency. Cryptojacking works on all sorts of IoT devices—there are even proofs of concept that miners can run on Xbox and PlayStation consoles.