2018: The Year of Cryptojacking
Cryptojacking is a broad term used to describe the process of an attacker gaining unauthorized access to computing resources for the purposes of mining cryptocurrency. Cryptojacking is not a new concept; during Black Hat 2014 in Las Vegas, two security researchers gave a talk on how they successfully exploited free trials of cloud computing platforms in order to mine cryptocurrency. However, the increase in compute power of consumer devices, a rise in the price of cryptocurrencies, and the creation of new cryptocurrencies that are more difficult to trace have brought about the next generation of cryptojacking.
Through the years, malware was more of a curiosity and authors wrote code to annoy, vandalize, deface, wipe, steal data, or just to prove that they could achieve a particular goal. Worms like ILOVEYOU and Conficker were wildly successful in spreading themselves to millions of computers, but there was no monetary gain or profit motive for the authors. Even traditional banking fraud with the Zeus and SpyEye banking trojans still required wire transfers, human cash-out mules, and money transfer services. Credit card data theft came with the problem that the stolen data (credit card numbers) would get stale and worthless over time as banks closed compromised accounts. The invention and acceptance of cryptocurrency completely changed the profit motive for malware authors.
In the early stages of cryptocurrency-related malware, malware authors created ransomware, which would encrypt a victim’s files and demand a payment in cryptocurrency in exchange for the decryption key. This direct payment model resulted in immediate financial gain without middlemen or additional steps. This model worked well in developed countries where victims valued their data more than their money. In developing countries, victims would often forgo their files rather than pay the ransom. This, in addition to unethical ransomware authors who would not release the decryption key even after payment was made, meant that ransom payments would eventually dry up and a new form of monetization would be needed.
In general, cryptocurrencies are valued because they are difficult to obtain. The process of mining cryptocurrencies involves solving very complex cryptographic problems that require a great deal of computing power and an equally large amount of electricity. In some US states, it costs more in electricity to mine a bitcoin than what the actual bitcoin is worth in real money. This does not even factor in the cost of the mining equipment such as high-end graphics cards or Application Specific Integrated Circuits (ASICs).
With this in mind, attackers are seeing a massive upside in cryptojacking, as they can use someone else’s electricity and idle compute power to acquire untraceable currency. Every internet-connected device from university supercomputers to smart light bulbs can potentially be compromised in order to mine cryptocurrency. It is becoming increasingly difficult to mine cryptocurrency at a profit when paying for electricity, but it becomes extremely profitable when using someone else’s.
Electric car maker and solar company Tesla has become the latest victim of cryptojacking. An unsecured server at Tesla provided hackers with Tesla’s Amazon Web Services login information and the hackers were able to infect Tesla’s cloud infrastructure with cryptomining software. This represented an escalation in cryptojacking as attackers created new methods and techniques in order to evade detection. Disinfecting Tesla’s systems was fairly straightforward once the infection was discovered.
So-called next-generation cryptojacking employs the following evasion techniques to keep from being discovered:
- Not using a well-known public mining pool like Coinhive
- Using an unlisted, semi-private mining pool
- Using a non-standard port number
- Using custom-compiled cryptomining software rather than off-the-shelf software
- Registering a CDN and public IP address on CloudFlare to hide the true destination of the web traffic
- Setting CPU utilization to mimic standard CPU use rather than pinning it at unusually high utilization
As with all forms of malware, security researchers and vendors will be locked in an arms race with escalating detection and evasion techniques. Organizations that wish to protect themselves from cryptojacking need to employ a defense-in-depth strategy and select security vendors that employ equally innovative detection techniques.
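An added Python example, not part of the original article, showing from the detection side why indicator rules (known pool domain, conventional port) miss traffic that uses the evasion techniques listed above, while a rule that inspects the protocol content does not. The Stratum JSON-RPC method names, the port list and every sample flow are assumptions or constructed data, not taken from the article.

```python
import json

# Assumptions (not from the article): JSON-RPC method names used by the
# Stratum mining protocol and its Monero variant; the port list is illustrative.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}
KNOWN_POOL_DOMAINS = {"coinhive.com"}     # public pool named in the article
KNOWN_MINING_PORTS = {3333, 4444, 5555}   # illustrative conventional ports

def ioc_match(flow):
    """Naive rule: destination is a known pool domain or a conventional port."""
    host = flow["host"].lower()
    known = any(host == d or host.endswith("." + d) for d in KNOWN_POOL_DOMAINS)
    return known or flow["port"] in KNOWN_MINING_PORTS

def stratum_match(flow):
    """Content rule: first client line is a JSON-RPC call with a mining method."""
    try:
        msg = json.loads(flow["first_line"])
    except (ValueError, TypeError):
        return False                      # not JSON (HTTP, TLS record, binary)
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return False
    # "login" and "submit" are generic words, so require the envelope as well.
    return "id" in msg and isinstance(msg.get("params"), (dict, list))

def triage(flows):
    """Return {flow name: sorted list of the rules that fired}."""
    rules = {"ioc": ioc_match, "stratum": stratum_match}
    return {f["name"]: sorted(r for r, fn in rules.items() if fn(f)) for f in flows}

# Constructed sample flows: hosts, ports and payloads are made up.
SAMPLE_FLOWS = [
    {"name": "public-pool", "host": "coinhive.com", "port": 443,
     "first_line": "GET / HTTP/1.1"},
    {"name": "evasive", "host": "cdn.example.net", "port": 8443,
     "first_line": '{"id":1,"method":"login","params":{"login":"x","pass":"x"}}'},
    {"name": "benign-api", "host": "api.example.org", "port": 8443,
     "first_line": '{"id":7,"method":"getStatus","params":[]}'},
    {"name": "benign-web", "host": "www.example.com", "port": 443,
     "first_line": "\x16\x03\x01"},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FLOWS).items():
        print(f"{name:12} {hits or 'no match'}")
```

The content rule only works where the session is visible in cleartext or after TLS inspection; encrypted mining traffic has to be caught with flow-behaviour or host-based signals instead.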