Cryptojacking – Leeches of the Internet

Hello, this is Paul Bergson again with another topic on security. The threat of malware continues to impact business with no relief in sight. The latest topic brought back childhood memories of how the “Leeches” of the internet prey upon unsuspecting victims.

It has been a beautiful summer in the Minneapolis, MN area this year with plenty of opportunities to cool off in one of our thousands of lakes. I remember as a kid one day we went, the water was warm but not very clear and there was plenty of vegetation in the water where we were. One day in particular 2 brothers and 2 cousins of mine, were splashing and playing in the water without a care in the world. There weren’t any exposed threats that other parts of the country/world have to watch out for such as jelly fish, sharks or water snakes, etc…

We hung out and swam for an extended period of time before we decided to swim back to shore. I was the first one out and was drying myself off when I hear this scream from my cousin as he was stepping onto dry land. As I looked over at him, he had what initially looked like a bunch of small black mud spots stuck to his skin but under closer inspection were water leeches. The leeches had “Hijacked” his circulatory system for food (energy). Initially he yanked a couple off but that hurt him, so someone ran and got some salt. The salt got the leeches to release themselves but we decided to stay out of the lake the remainder of the day as well as stay away from the that part of the lake in the future.

Hopefully I haven’t lost any readers thinking they are on the wrong technical website. My point in the story above is how Cryptojacking malware authors can be equated to leeches of the animal kingdom. When someone swims by there malware on the web, and victims are susceptible to attack malware miners will latch onto you and start to leech away your computer resources.

What is “Cryptojacking” and malware miners you ask? Read on…

In 2017 there was an onslaught of Ransomware with several high-profile attacks, but recently Ransomware has taken a back seat to the assault of Cryptojacking where attackers are in the pursuit of cryptocurrency. This isn’t to state that Ransomware has gone away, it hasn’t but the level of Cryptojacking attacks is now being reported to be more prevalent than Ransomware attacks.

Cryptocurrencies are based upon solving complex mathematical problems with miners (Machines running to solve these mathematical problems) being rewarded with crypto coins for solving the problem on a blockchain. Bitcoin cryptocurrency for example has a finite number of coins that get more and more difficult to obtain as the pool of coins begins to exhaust. Since it becomes more difficult to solve the mathematical problems, more CPU/GPU’s cycles are needed to a mine a coin. This leads to a rise in energy costs to mine a coin. With the rise in demand for CPU/GPU cycles to solve the ever-growing mathematic complexity, most ordinary users can’t afford the equipment or the associated energy costs to mine on their own. On average Bitcoin miners, currently mine ~1,800/day and at the current rate of ~$6,000/coin (7/12/2018) this means there is $10 million in new Bitcoins mined every day. As the compute complexity increases so does the electrical energy required to complete the task, there are projections that put the price to mine a single Bitcoin by 2022, somewhere between $300,000 – $1.5 million. *1

Since attackers can’t afford the compute power nor the associated energy costs for cryptocurrency mining, they look for ways to gain access without having to pay for it (Steal it). The cryptocurrency creation market is a multi-billion-dollar market and there are over 1,000 different virtual coins. Some of these coins are more established and used for exchange of property and/or services.

Bitcoin has the largest Cryptocurrency exchange rate from virtual to physical, but the Monero crypto coin is the choice for malware mining, since it is easily mined with CPU’s. Monero transactions provide a greater veil of secrecy than Bitcoin and as such are becoming more established in the Dark market. Tracking the usage of Bitcoin transaction can be accomplished whereas Monero provides a more anonymous transaction. Anonymity is crucial to illegal activities such as Cryptojacking and Ransomware assaults, because of this the dark markets have seen a rise in the use of Monero. With increased use, comes increased demand which then drives up the value (Exchange rate) of the Monero crypto coin.

So why all this talk about crypto currencies and how they are mined? “The surge in Bitcoin prices has driven widescale interest in cryptocurrencies”. *2 Attackers need CPU/GPU cycles to mine and Crypto”Hi”jacking can provide this service. Cryptojacking occurs when a malware attacker hijacks a victims computer to mine for Cryptocurrency without their permission. In many instances it occurs within the browser of the victim (drivebys). Symptoms can include the computer heating up, the fan running at a high rate when there isn’t any real activity occurring on your device and/or response times are sluggish.

The attacker isn’t selective on the device, they just want CPU cycles to help them compute the algorithm, devices could be desktops, laptops, servers or even mobile devices. There have been reports of Android devices being damaged from the battery overheating, causing it to expand which results in physical damage to the device. *3

Consumers aren’t as apt to report a Cryptojacking attack. They haven’t physically lost anything, and the increased use of electrical energy (Energy costs) would be hard to itemize and like other forms of malware it is very difficult to trace the source back to the malware author. Cryptojacking is growing rapidly, according to a study released by McAfee in June 2018, “coin miner malware grew a stunning 629% to more than 2.9 million known samples in Q1 from almost 400,000 samples in Q4”. *4 Cryptojacking malware kits are now for sale on the Dark market, so many unscrupulous individuals with lesser technical skills can wage an attack.

How it works:

There are two forms in which Cryptojacking can be delivered:

  • Victims inadvertently load malware on their machines from a phishing attack. The code runs a process in the background that is unknown to the victim.
  • Victims visit an infected website that launches a fileless script (Usually JavaScript) within the browser (Drive by attack)
    • When an Advertisement pops up on a legitimate website, many times the owner of the website doesn’t have control over the script that runs in the pop-up. This pop-up can contain a Cryptojack script that can run until all threads of the browser have been terminated.

There is also a semi-legitimate form of remote mining that is being offered as a service. For example, Coinhive – Provides subscribers a JavaScript miner for the Monero Blockchain as a way to offer an alternative to have ads on their website. Most AdBlockers now block the use of Coinhive even if the user approves of it at the host site requiring approval of the coin miner running on your local machine while visiting their website.

Cryptojacking attacks aren’t just the problem for consumers, with cloud usage exploding, businesses need to protect ALL devices they manage. Cryptojacking malware was recently discovered running on an AWS hosted website. Imagine a farm of servers compromised with Cryptojacking malware, where costs for cloud resources is measured by the usage of compute resources. *5 Left unchecked this malware infection could have a measurable impact on the budget of the victim’s server farm.

Cryptojacking is no different than any other malware. Systems can be protected from it and the steps required are mostly the same as other forms of malware.

Defenses:

  • Ensure systems are up to date on patching
  • Ensure systems are up to date on AV signatures
  • Blacklist known mining sites
    • Chrome, Firefox and Opera users can install the extension “No Coin” (Open source from MIT) to block miner malware
  • Adblockers can prevent the loading of mining scripts, but Malware is learning how to bypass them
  • Disable JavaScript in Browsers
    • Some browsers have extensions to control blockage (whitelist sites) of scripting engines such as JavaScript
      • Example “No Script” *6
  • Remove any browser extensions that may have been compromised
  • Server monitoring
    • Note any unexpected/radical changes in CPU usage
  • User education
    • Watch for changes in CPU use
    • Device heats up/Fan speed increases
    • Internet browsing/computer response slows down

Microsoft Defenses:

  • Windows Defender SmartScreen *7
  • Windows Defender Exploit Guard – Network Protection *8
  • Windows Defender Anti-Virus (WD AV)
    • Signature based malware protection
    • Enable “Potentially Unwanted Applications” (PUA) *9
  • Windows Defender Advanced Threat Protection (WD ATP)
    • Invisible Resource Thief’s *10
  • Whitelisting approved scripts, executables and DLL’s
    • AppLocker *11 *12
    • Windows Defender Application Control *13

Hopefully readers are better informed and prepared to protect themselves against these “Leeches of the Internet”. After all, Cryptojacking is just another form of malware, Malware authors use to steal people’s money and/or possessions. Please read over & put into practice the defenses called out in this Blog and protect your business, family, friends and your own equipment.

References:

  1. https://www.bloomberg.com/news/articles/2017-11-09/bitcoin-s-exorbitant-energy-costs-may-prove-to-be-biggest-risk
  2. https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/
  3. http://www.ibtimes.com/android-malware-mines-monero-can-literally-destroy-phones-2629933
  4. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-jun-2018.pdf
  5. https://nakedsecurity.sophos.com/2018/02/27/unsecured-aws-led-to-cryptojacking-attack-on-la-times/
  6. https://en.wikipedia.org/wiki/NoScript
  7. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
  8. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard
  9. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus
  10. https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/
  11. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
  12. https://blogs.msdn.microsoft.com/aaron_margosis/2018/06/26/announcing-application-whitelisting-with-aaronlocker/
  13. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control