With sky-high levels of both value and hype, the cryptocurrency market is booming. As prices have soared, so has interest and incentive to mine digital currency, a resource-intensive process that requires significant computing power—and, in turn, electricity—to complete complex mathematical problems and earn coins. With the average bitcoin transaction taking enough energy to power 34.8 American homes for a day (as of July) and the most successful mining operations now conducted on dedicated server farms, the money to be made in the cryptocurrency market does not come cheap. But, as with any profitable endeavor, greed can be the mother of invention, in this case, spurring a surge in the development of malware that leeches computing power for the attacker to channel into mining.
Cryptojacking attacks siphon off victims’ CPU (computer processing unit, which carries out the machine’s work) and electricity to mine cryptocurrencies. The most frequent object of these attacks is the cryptocurrency Monero, which has become a preferred coin on the Dark Web because it offers more privacy than bitcoin. Further, the way Monero is built means that any machine can mine for it, whereas mining bitcoin requires specialized hardware that most users do not have. The concept is relatively simple: Rather than get victims to give them cryptocurrency, attackers use victims’ resources to generate coins for themselves, eliminating most of the fixed costs. And, as the funds go directly into the criminals’ digital wallets, profits are also far more anonymous. Hackers are deploying cryptomining malware across a broad range of targets including smartphones, PCs, servers and IoT devices and have found ways to incorporate mining code into websites, drawing resources from browsers in fileless attacks.
These attacks are simple but efficient, offering a means of monetizing infections or access to users’ systems. Cryptomining malware is abundantly available for purchase on the Dark Web and requires relatively little effort to spread, compared to more targeted and labor-intensive hacks, making it a relatively easy option for individuals of different skill levels to deploy.
According to its June threat report, researchers from McAfee Labs saw a 629% increase in coin miner malware in the first quarter of 2018, jumping to more than 2.9 million total known samples from around 400,000 in Q4 2017. “This suggests that cybercriminals are continuing to warm to the prospect of simply infecting users’ systems and collecting payments without having to rely on third parties to monetize their crimes,” the firm noted.
Also in June, Kaspersky Lab reported that the number of users who have encountered mining malware increased by 44% in the past year. The firm called the rise of malicious cryptominers a “game-changer” for malware, noting the lower but longer-lasting income will ensure its spread, continuing to attract more threat actors.
Ransomware has seen an exponential rise as a top form of attack and made headlines with crippling incidents in recent years, and cybercriminals will not stop using this malware any time soon. But while ransomware generates large one-time payments, such attacks require more investment from attackers and limit the returns. “If you invest in a company and they pay out, you can’t attack and charge them again—the company would say they have already paid and won’t again,” said Carles Lopez-Penalver, analyst at cybersecurity firm Flashpoint. “With cryptojacking, however, it’s more of a long-term investment. Cybercriminals are investing work to develop very good malware because it could be more profitable than other malware, depending on how many devices they infect or how long it goes undetected.”
While cryptojacking payouts can be slow and small, they can offer a steady stream of income with relative ease as long as they go undetected, and as this strategy makes mining relatively resource-neutral, any earnings are essentially pure profit. As such, these attacks are really a game of scale, generating more substantial earnings as the malware infects more devices or websites. Better malware authors see better returns, but with millions of samples of mining malware recently recorded, it is clear that a wide range of cybercriminals are refining their ability to exploit this rising threat vector.
Cryptominers also offer an efficient way for cybercriminals to profit off their other work, leading many malware authors to add mining features into their attacks as a form of secondary payload that generates passive income. Some are also repurposing existing exploits for cryptojacking campaigns. For example, the EternalBlue exploit used in the WannaCry ransomware attacks has been repurposed for a cryptojacking campaign called WannaMine.
Attack via Malware
As with other forms of malware, cybercriminals can directly attack vulnerable computer infrastructure, launch phishing campaigns with malicious attachments, or create malicious mobile apps to infect computers, servers and phones with cryptominers. Servers are the top target because of their high level of computing power, particularly in large enterprises, but any endpoint can have power worth siphoning.
IoT devices are also prime targets: rapidly proliferating, highly vulnerable, and notoriously often unsecured, there are millions of connected items waiting to be exploited. Hackers routinely find ways to access these devices, but there is not always a profit to doing so outside of more targeted attacks. Cryptojacking offers a way to monetize this capability and the profits can add up significantly.
“Cryptojacking gives criminals direct financial incentives to break into as many systems as they can, and maintain their access over long periods of time,” explained Sherri Davidoff, founder and CEO of LMG Security, and instructor of a recent Black Hat webinar on cryptojacking and IoT. “Unlike ransomware, cryptojacking does not tend to cause a sudden, dramatic outage or event. Instead, criminal cryptominers can lurk on your systems for months or years before they are discovered. These can cause instability in your physical infrastructure, increased power costs, slowness, poor performance and more.”
She added, “IoT devices are a cybercriminal’s dream. In the enterprise environment, they are ubiquitous, but very hard to track. IT teams tend to focus on servers and workstations, and the IoT devices throughout your buildings are largely overlooked. They often remain unpatched and vulnerable for years. When IoT devices do get hacked, it often goes unnoticed.”
At this year’s RSA Conference, antivirus software provider Avast conducted a demonstration on the show floor, installing cryptomining malware on devices including a smart television and mobile phones. Infected devices run slower and heat up as the miner demands processing power, so as this heat is one of the primary signs users of an infected phone will notice, the team even set up an infrared camera to examine the differences between an infected and a clean device. While it did feel warmer to the touch and the camera picked up a difference, the magnitude was such that the average user might not notice it or distinguish it as being any different from the typical heating caused by longer periods of use.
In extreme cases, when attackers do not moderate the processor demand, mining malware has led to enough overheating to cause physical damage or break the infected device. Laopi malware, for example, put such demands on the CPU of infected Android phones that heat-related battery swelling broke them. Smart malware authors typically take care to limit the power they leech to avoid detection for as long as possible.
Mining malware is not exactly new—indeed, the FTC cautioned consumers and brought enforcement action in 2015 over the mobile app “Prized,” which installed malicious software to mine for virtual currencies for the developer’s profit. In a recent alert, the commission warned about the evolution of cryptomining schemes and specifically noted the evolution of cryptojacking to include in-browser attacks where cryptomining code is embedded in websites and ads. According to an FTC blog post on the subject, “You might make an unlucky visit to a website that uses cryptojacking code, click a link in a phishing email, or mistype a web address. Any of those could lead to cryptojacking. While the scammer cashes out, your device may slow down, burn through battery power, or crash.” And if regulation is the benchmark that a threat has become a trend, cryptojacking has arrived: The FTC now accepts official complaints from consumers who think they have fallen victim to one of these sites.
Last fall, when the cryptojacking boom was beginning, cybersecurity firm AdGuard reported that at least 220 of the top 100,000 sites launched miners when a user opened their main page. While that figure appears small, those 220 sites reach an aggregated audience of 500 million people, and Coinhive had only launched a month before—the use of in-browser cryptomining scripts has only grown exponentially since then. AdGuard estimated a joint profit of about $43,000 after three weeks, at almost no cost to the attackers.
Attackers have been able to compromise popular web plugins, ad networks, and content management systems like Drupal and Wordpress to run in-browser miners on hundreds of thousands of mainstream websites, drawing headlines for incidents involving a vast range of websites, including the Los Angeles Times, the U.S. courts system, the UK’s National Health Service and YouTube. They have also been able to hack Wi-Fi access points and then use machines that connect to the network to mine, as demonstrated in a case last winter involving customers connecting to Wi-Fi at Starbucks in Buenos Aires.
Attacks of Note
The benchmarks of success with cryptojacking campaigns most often focus on the number of endpoints impacted and the total haul for attackers, but these can be difficult to quantify and vary dramatically case by case. The LA Times incident was very limited in time and scope and reportedly netted a little over $40, while experts estimate other schemes have made millions. Between May 2017 and February 2018, for example, a massive cryptocurrency mining botnet using the EternalBlue exploit infected 526,000 machines at its peak and made an estimated $3.6 million in Monero, according to researchers at Proofpoint. In January, Cisco’s Talos research team reported that the top Monero cryptojacking operations were then making six figures a year, although the fluctuation in currency value impacts that substantially (as do the advancements in these attacks since then).
In February, security firm Radiflow issued the first report of cryptojacking in an industrial control system after finding mining malware in the operational technology network responsible for monitoring and control of a water utility in Europe. The firm did not go in expecting to find evidence of an attack—indeed, it was reportedly just installing intrusion-detection products on the network. Radiflow’s team did not think the attack was targeted, it was likely just an opportunity to access unused processing power, but the risks to critical infrastructure are cause for concern in either scenario. ICS environments like this plant have significant capacity, draw large amounts of power, and are somewhat notorious for running unpatched legacy software. The potential impact of delays or crashes due to increased demands on processor and network bandwidth could have serious repercussions in terms of operation and safety.
Recognizing the opportunity for an easy payday, there have been a number of cases involving insiders with access to enterprise servers or supercomputers, from IT professionals to academic researchers, who have installed miners themselves. The resources drawn can be fairly subtle and hard to spot, and identifying attacks can require some technical sophistication in the form of tracking network traffic, making these employees particularly qualified to run such operations and avoid detection.
“Mining and cryptocurrency are so modern that individuals who might not even be threat actors find some kind of vulnerability or opportunity and just kind of do it, even maybe as a small project on the side,” Lopez-Penalver said.
For example, several Russian scientists working at a nuclear warhead facility were arrested for allegedly using the center’s supercomputer to mine cryptocurrency, BBC reported in February. Later in the year, Chinese authorities arrested a group of 16 employees who deployed miners on thousands of computers while servicing IT contracts with internet cafes, for a profit of about $1,100.
Understanding the Stakes
Quantifying the direct cost to businesses also poses significant challenge, and estimates vary wildly. The attacks themselves vary in scope and duration, and attackers are essentially crowdsourcing resources—while it adds up, sometimes the strain on individual victims is relatively small. Unlike discrete losses in the form of a ransomware payment or breach remediation services, marginal increases in energy use or reductions in performance are effective precisely because they can be hard to identify. That does not mean they are negligible, however. Increased energy costs among large numbers of endpoints can add up significantly, performance issues could impact customers, and prolonged periods of increased strain can cause long-term damage to infected hardware, a particularly costly possibility in large enterprises.
“In general, if you have your CPU or DPU running 100% of the time for an extended period of time, this will degrade your hardware,” Lopez-Penalver explained. “Enterprises plan how long their hardware will last and, if they’re not cognizant of having cryptojacking put so much work on their servers, this will decrease the life and in turn, increase the costs. In a large enterprise, you’re talking millions of dollars.”
In the case of infected servers and PCs, even if the mining process has little noticeable impact on performance, intrusion is still intrusion, introducing the possibility of a data breach and, subsequently, a costly investigation and remediation process. “If you’re talking about an attacker entering the company’s servers, there could potentially be data leakage,” he said. “Additionally, if they’re able to access enough to set up a cryptojacking campaign within your infrastructure, they could potentially gain access to sensitive information and could further target a company.”
IoT devices typically do not hold much sensitive data, but can still cause considerable risk to enterprises when infected. “The biggest risk to IoT hacking is performance and physical damage,” Davidoff said. “When an attacker installs a cryptominer on a device, they are using processing power. The cryptomining software can easily overload the device. Imagine if your building HVAC system suddenly stopped working because a cryptominer used up too much of its computing power. At LMG, our forensics team has even seen cases where a cryptominer caused a device to overheat and catch on fire. That can destroy very expensive equipment if you’re unlucky.”
She added, “IoT botnets are just starting to become popular, and the emergence of cryptojacking may drive future development. As IoT botnet tools become more mature, criminals will add even more functionality, making it easier to hack your devices—and profit. In short, this is only the beginning for both IoT hacking and cryptojacking. Criminals will hone their skills and find new ways to make money. At the organizational level, the impact will vary greatly depending on the organization. If you are an airline or a hospital, hacked IoT devices carry life-or-death consequences. If you are a manufacturer, hacked equipment can cost you hugely in terms of productivity and repair costs.”