Cyber criminals are increasingly hijacking computing power to mine cryptocurrencies. The impact is much greater than firms might think, warns Kate O’Flaherty. But what can you do about it?
Internet of Business says
Crypto-jacking – in which a hacker uses a firm’s computing power to mine cryptocurrencies – is becoming a major challenge for IT and business leaders.
The problem is wide-reaching: figures released in August by Citrix showed that 30 percent of UK enterprises had been hit by crypto-mining incidents within a 30-day period.
The poll – carried out in May among organisations with more than 250 employees – found that nearly 60 percent of respondents had detected crypto-mining attacks at some point, with 80 percent of those occurring in the last six months.
In February this year, government websites in the US and UK, including the Information Commissioner’s Office, were hit by crypto-mining attacks, undermining confidence in public sector security.
Crunching the numbers
So why do criminals do it? The answer’s simple: crypto-mining is a computing-intensive task, which is why enterprise IT companies like NVIDIA make high-end GPUs to do the number-crunching. But that hardware is expensive to buy and to run, pushing up the cost per watt of mining.
In short, crypto-mining costs real money, which makes it harder for miners and traders to profit from Bitcoin, Monero, and other digital coins.
Crypto-jacking is a lucrative business because it foists those costs onto victims, eating up processors’ MIPs, slowing down internal and customer-facing operations, and invisibly ramping up energy bills.
More, the vulnerabilities exploited by crypto-jackers can be used to introduce malware, ransomeware, and more. The Rakhni Trojan, for example, delivers either ransomware or crypto-mining software to devices after finding its way into systems.
Throttling the enterprise
And it isn’t just desktop devices and laptops that are at risk: everything from smartphones and tablets to entire back-end systems can be compromised.
In July, security researchers at Kaspersky Lab discovered a miner focused primarily on corporate networks. PowerGhost was found to have infected the servers of entire corporations, using energy at scale and throttling activity.
Crypto-jackers target all industries. “The only requirements for a successful mining scam are powerful or large numbers of devices, and a network vulnerability,” says Neil Martin, marketing manager at Panda Security.
But because attackers don’t want to be discovered, they will often hold back from using too much power. “They’re playing the long game: they won’t push too much as they want to stay as long as possible,” says Liviu Arsene, senior e-threat analyst at Bitdefender.
“Campaigns like this can make £3 million in a couple of weeks if they have the means.”
Adding to this, crypto-jacking was made easier in September 2017 when the legitimate Coinhive JavaScript miner was introduced, enabling Monero mining directly within a browser.
This has other implications. Just as the problem of ‘shadow IT’ – the use of non-sanctioned tech by staff – is growing in many organisations, so ‘shadow mining’ may be growing too. Employees may be using enterprise systems to mine for currencies while at work, in order to slash their own costs.
Earlier this year, it emerged that an IT manager at one payments company had mined 500,000 Bitcoins using surplus computer capacity overnight when the office was closed.
Stealth attacks
The challenge is that crypto-mining attacks are stealthy by nature, and so often go unnoticed.
And businesses deploying and managing Internet of Things (IoT) services need to be extra-vigilant: they’re particularly at risk due to the complexity and sheer level of connectivity in their networks, says Simon McCalla, CTO of Nominet.
“The more access points, the higher the level of vulnerability,” he explains. “Your supply chain and external partner network are always a threat for exactly this reason: they create connections and access points that must be secured to ensure you’re protected against infiltration.”
Although crypto-jacking isn’t designed to steal data, the vulnerabilities exposed by the practice should be a concern, cautions Bitdefender’s Arsene. “It could be that they have already infiltrated everything else and have simply left behind a crypto-jacker,” he says.
Meanwhile the costs of crypto-jacking go beyond soaring electricity bills, warns professor Kevin Curran, senior member of the IEEE and professor of cybersecurity at Ulster University.
“It can lead to a shorter lifespan of the affected device, as well as unexpected costs if running on a paid-for cloud service, which can be substantial if undetected for a long period,” he explains.
In the IoT, a device is usually compromised from the outside, says Martin Hron, security researcher for Avast. Like Curran, he cites problems such as the cost of electricity, performance degradation, and shortened device lifespans.
He adds: “If someone can install this onto your device, they can also steal the data from your network.”
What to do
Watch out for phishing attacks. Hackers tend to start with emails that entice victims to click on a malicious link that loads crypto-mining code onto their computer.
However, criminals will also infect a website or online advert with code that auto executes once loaded in the victim’s browser, says Jake Moore, cybersecurity expert at ESET UK.
Installing ad blockers can help, says Curran: “Many crypto-mining scripts are delivered through adverts, so an ad blocker can minimise this avenue of attack.”
He recommends extensions such as MinerBlock, Anti Miner, No Coin, and Crypto Mining Blocker. “These block CPU crypto-miners before they’re loaded and stop them from running.”
Anti-virus software can also be effective. Some products now include crypto-miner detection in their toolset, says Curran. He adds that it’s a good idea to disable JavaScript, if possible, to prevent miners from loading.
Adding to complexity, each cryptocurrency has a different method of mining, so there are multiple signs to look out for, says Dan Pitman, senior solutions architect at Alert Logic. “Right now, Monero is popular because it is quieter and can get started more quickly,” he explains.
One of the best ways to identify if systems are being used is to monitor DNS traffic, says Nominet’s McCalla. “If you see unusual activity on your network, this could be a sign that your systems are being highjacked.”
He adds: “If you are a victim of this type of attack, identify the vulnerabilities that made this possible and ensure they’re patched to stop it from happening again. Defence is the best form of attack against these criminal networks.”
A raised electricity bill is the easiest way of telling if a firm is under assault, says Forrest Williams, red team engineer, CyberArk. “If a firm is attacked and a crypto-miner is on all workstations, there will be a big boost in the electric bill.”
Or a bill that is creeping up for no apparent reason, as crypto-jackers slowly extend their presence over the long term.
But given that people are the main entry point through phishing emails and other forms of social engineering, education is the essential strategy to stop crypto-jackers from taking hold.
Firms should train staff on what to look out for. In addition, authenticating emails and two-factor verification can help to mitigate the risk.
Additional reporting and analysis: Chris Middleton.
- Read more: Cryptocurrency systems can’t scale or be trusted, says central banking organisation
- Read more: Crypto investment bank opens in Hong Kong
- Read more: AidCoin aims to restore trust in charities via crypto and blockchain
- Read more: Korean security firm announces cryptocurrency hardware wallets
Our unique connected conference programme covers the UK, Europe, and the US. In the wake of our successful London event, our Internet of Insurance US takes place in Houston, Texas, on 26-27 September. Click the logo for more details.