Why cryptojacking malware may be a sign of more serious intrusion

Finding cryptojacking malware may only be a symptom of a more serious data breach.

While the value of many cryptocurrencies has recently dropped off from their record highs, they still have strong appeal to cybercriminals.

The prospect of using thousands of devices to mine the likes of Monero is too tempting to ignore and so there has been a massive spike in malware that utilizes unknowing CPUs to generate money with little to no effort for the criminals and little obvious evidence of foul play to the user.

While on the surface it may seem that criminals could be doing far worse than mining cryptocurrency on your infrastructure, there can be serious consequences if you find such an infection.


The rise and fall of browser-based mining

Last year cryptocurrency mining service CoinHive released code that would allow websites to generate revenue by using the CPU of the website visitors through cryptomining. This quickly led to a new trend in malware, where hackers inject legitimate websites with mining code.

One report puts the number of websites infected with cryptojacking malware at around 35,000. A notable case was the thousands of government websites including the UK Information Commissioner's Office (ICO), National Health Service (NHS) Scotland, and the government portal of Queensland, Australia that were found to be hosting mining code. A Cisco Talos report estimates a single mining campaign could earn just under $1.2 million over the course of a year.

However, while browser-based cryptomining has proven lucrative for criminals, the boom has been short-lived. Various tools have since been released – built-in browser features, extensions, or features within security products – which block unauthorized crypto-mining, thus reducing the amount of money hackers can raise. This has pushed criminals to search for new targets.


Why cyber criminals are targeting CPUs and client-side hardware

Instead of relying on websites, criminals are turning to hardware and the millions of CPUs built into the devices of all shapes and sizes out in the world.

“Traditionally you would use GPUs to mine for cryptocurrency,” says Liviu Arsene, Senior E-threat Analyst at BitDefender. “But the criminals figured, ‘why not go for CPUs?’ You have a greater number of potential targets; everything has a CPU inside it. They're not just satisfied with infecting websites and waiting for victims to browse, they actually deploy something on the endpoints that continuously mines cryptocurrencies. You have increased profitability just because you have more targets.”

Cryptomining offers a different way of making money compared to ransomware, which was the major trend for 2016 and most of 2017. Where ransomware is immediately visible – locked screens and encryption which freezes business processes are hard to ignore – cryptominers operate silently in the background. Where ransomware generates large sums from a percentage of those infected, cryptominers generate money from every infection immediately.

According to CyberArk’s calculations, an average consumer-grade Intel chip might only make an attacker $8.40 per year. While that might not be much on its own, a whole botnet’s worth of devices could yield significant results. Last year an Adylkuzz crypto-mining botnet generated over $20,000 in the space of a few weeks.

The realization that there’s money to be made from low and slow infections has led to a whole new raft of cryptojacking malware designed for endpoints of all shapes and sizes, whether servers, mobile devices, industrial systems, or even cloud infrastructure. Last year part of Tesla’s AWS infrastructure was hijacked to mine cryptocurrency, as were those of Aviva and Gemalto. Earlier this year a European water utility provider was found to be the first example of a cryptomining infection within a SCADA system. Avast discovered criminals using GitHub repositories to push cryptomining code into legitimate projects.

Check Point’s mid-year security report said CoinHive’s code was the most prevalent malware on corporate networks globally, with around 25% of organizations worldwide affected. When other mining malware families such as Cryptoloot and Jesscoin are included, that figure rises to around 40%. A study by Palo Alto of non-JavaScript-based mining malware (which is therefore less likely to affect web users) found it had earned its propagators $144 million.

Such infections enter the network in the same way as any other malware – malicious links, booby-trapped apps, corrupted files, known but unpatched vulnerabilities etc. The NSA-linked EternalBlue exploit used in the WannaCry attack and a five-year-old Linux vulnerability have both been used in different malware variants. But such attacks are harder to trace than the likes of ransomware.

“You can tweak how much of the CPU you can consume in order to fly under the radar, and attackers can make money from victims for months at a time,” says Arsene. “You just experience some slowdowns. It's harder to detect unless you have a baseline for measuring normal operation of your infrastructure on a daily basis.”

The Palo Alto study also found that attackers set mining operations to run only during specific times of the day or when the user is inactive, making such activity even harder to spot.
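The two detection points above (Arsene’s baseline of normal daily operation, and miners that throttle themselves or run only when users are inactive) can be turned into a simple check. The following is an added example, not code from the article or from any of the vendors it cites: it keys the baseline on host and hour of day, so a modest CPU load in the small hours stands out even though the same load would be unremarkable at midday, and it only alerts on sustained runs so a one-off backup spike does not fire. The host names, CPU telemetry and thresholds are all constructed for illustration.

```python
"""Baseline-based detection of low-and-slow CPU consumption, such as a
throttled cryptominer that only runs in off-hours. Added example; every
sample below is constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    host: str
    day: int        # day index within the collection window
    hour: int       # hour of day, 0-23
    cpu_pct: float  # average CPU utilisation for that hour


def build_baseline(samples, min_samples=3):
    """Per (host, hour-of-day) mean and population stddev from a known-clean
    window. Keying on hour of day is what lets 28% at 03:00 stand out even
    though 28% would be normal at 14:00."""
    buckets = defaultdict(list)
    for s in samples:
        buckets[(s.host, s.hour)].append(s.cpu_pct)
    return {key: (mean(v), pstdev(v)) for key, v in buckets.items()
            if len(v) >= min_samples}


def threshold(baseline, host, hour, k=3.0, floor=10.0):
    """Alert line for one host/hour: mean + k*stddev, but never less than
    `floor` above the mean, so a very quiet baseline does not fire on jitter."""
    mu, sigma = baseline[(host, hour)]
    return mu + max(k * sigma, floor)


def _contiguous_runs(flagged):
    """Group time-sorted flagged samples into runs of consecutive hours."""
    runs, current = [], []
    for s in flagged:
        if current and s.day * 24 + s.hour != current[-1].day * 24 + current[-1].hour + 1:
            runs.append(current)
            current = []
        current.append(s)
    if current:
        runs.append(current)
    return runs


def detect(samples, baseline, k=3.0, floor=10.0, min_consecutive=3):
    """One alert per run of >= min_consecutive hourly samples above the
    baseline threshold. Hours with no baseline entry are skipped."""
    by_host = defaultdict(list)
    for s in samples:
        by_host[s.host].append(s)
    alerts = []
    for host, series in by_host.items():
        series.sort(key=lambda s: (s.day, s.hour))
        flagged = [s for s in series if (host, s.hour) in baseline
                   and s.cpu_pct > threshold(baseline, host, s.hour, k, floor)]
        for run in _contiguous_runs(flagged):
            if len(run) >= min_consecutive:
                alerts.append({
                    "host": host,
                    "day": run[0].day,
                    "hours": (run[0].hour, run[-1].hour),
                    "peak_cpu_pct": max(s.cpu_pct for s in run),
                    "baseline_mean": round(mean(baseline[(host, s.hour)][0] for s in run), 1),
                })
    return alerts


def constructed_clean_week(host):
    """Seven constructed days of office-server telemetry: busy 09-17, quiet otherwise."""
    return [Sample(host, day, hour, float((40 + day % 3) if 9 <= hour <= 17 else (5 + day % 2)))
            for day in range(7) for hour in range(24)]


def constructed_suspect_day(host, day=7):
    """One constructed later day: normal daytime load, a single backup spike at
    20:00, and a throttled miner holding ~28% CPU from 01:00 to 04:00."""
    out = []
    for hour in range(24):
        if 1 <= hour <= 4:
            cpu = 28.0
        elif 9 <= hour <= 17:
            cpu = 44.0
        elif hour == 20:
            cpu = 60.0
        else:
            cpu = 6.0
        out.append(Sample(host, day, hour, cpu))
    return out


def run_demo():
    """Baseline two hosts on clean data, then score a later day for both."""
    baseline = build_baseline(constructed_clean_week("web01") + constructed_clean_week("db01"))
    suspect = constructed_suspect_day("web01") + [
        Sample("db01", 7, h, 41.0 if 9 <= h <= 17 else 5.0) for h in range(24)]
    return detect(suspect, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

With the constructed data only `web01` alerts, for hours 1 to 4 at a peak of 28% against a baseline mean of about 5%; the 60% backup spike at 20:00 is above threshold but lasts one sample, so it is suppressed until `min_consecutive` is lowered to 1. In practice the baseline window has to come from a period you trust to be clean, and the `floor` should be tuned per host class, since a quiet appliance and a busy build server have very different notions of normal.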

There has also been rapid innovation. Arsene says BitDefender’s research suggests there is a strong correlation between the rise in cryptojacking malware and fileless attacks, something not previously seen with older methods such as ransomware. WannaMine, another cryptominer utilizing the EternalBlue exploit, is one such example.


The obvious (and not so obvious) consequences of cryptomining malware

When compared to ransomware, cryptojacking malware may not seem as much of a threat; processes still run and no data is locked, destroyed, or stolen. But there are still very real consequences.

Last year Kaspersky’s testing of Android mining malware led to a phone’s battery swelling and deforming, while Trend Micro found a variant that could brick devices as there was nothing in the code to manage CPU utilization. While losing a single phone may not be a problem, any malware that can physically damage hardware can pose a real threat if it infects critical infrastructure. Security firm CrowdStrike reported in a blog that 100% of one customer’s environment was unusable due to overutilization of systems’ CPUs.

It can also lead to a massive increase in costs. Various security companies have found examples of mining malware that sits within container environments such as Kubernetes, while security firm PureSec recently demonstrated a way to infect serverless functions. These cloud services often use auto-provisioning and so can be forced to utilize 100% of whatever hardware they’re running on and rapidly replicate themselves onto more nodes, leading to massive mining farms and a large bill for the company which technically owns those instances.

“Serverless applications are a cryptojacker’s dream,” said Ory Segal, PureSec co-founder and CTO. “They scale automatically, and a hacker can easily turn a single vulnerable function into a virtual crypto-mining farm almost instantly.”

Even if the idea of bricked phones or bigger cloud bills doesn’t scare you, the presence of malware of any kind on a network should ring alarm bells for security teams.

“Just because it's mining for cryptocurrency doesn't mean you don't have a security gap, because how did it get there?” says Arsene. “It had to use a vulnerability to reach that infrastructure. It's probably an indication that you have a security gap somewhere.”

Evidence of cryptomining malware is definitely a sign that attackers have been present in your network, but could also mean they are still present. It’s also very possible that attackers simply left the mining malware at the end of a more serious attack as a way to make some extra cash, meaning something more impactful has occurred elsewhere.

