Cryptojacking and how it came to be

Cryptojacking targets both endpoints and servers – both on-premises and in the cloud. The goal is the same: enslave a massive botnet of devices and harness CPU cycles to mine cryptocurrency with minimal cost or investment. In this article we will be exploring how crypto mining and some mitigations to prevent and detect digital parasites from leeching CPU cycles for months or even years, generating cash for its owners all the while.

Parasites in the digital world don’t kill, encrypt, or ransom the hosts as compared to the parasites in the real world. However, they do siphon off compute resources – preferably undetected. Compute resources are a valuable commodity in the world of crypto-mining. This stealthier malware phenomenon called ‘cryptojacking’ is becoming a popular payload since it’s an effective way to generate revenue with a lower chance of detection. The goal is to run undetected – stealing CPU cycles – essentially becoming a digital parasite.

Crafty adversaries driven by the opportunity of financial gain are weaponising crypto-mining to exploit the digital currency boom. Before we go any further, it is key to understand what ‘crypto-mining’ is? It is an intensive process – consistently running mathematical calculations that keep processors at 100% usage.

Professional miners make a large upfront investment in specialised hardware and infrastructure. Case in point, according to a South African gaming website, since the cryptocurrency boom, it has become extremely hard to get hands on graphics cards. They are mostly out of stock, with no guarantee on when they will be back in stock and sky-high prices are being asked for second-hand cards in local classifieds.

As more miners came online, the difficulty level adjusted so that running multiple graphics processing units (GPUs) became more effective at mining. Next came specialised chipsets or ASICs designed specifically for mining Bitcoin – these are getting smaller and more efficient. To increase the chances of pay-out, multiple miners join pools in which they are compensated based on their contribution of compute resources or hash power.

A tell-tale symptom of your CPU being used by miners is sluggishness, high CPU usage, and the whine of maxed-out RPM on the cooling fans. Cryptojacking is not just limited to laptops and PCs, mobile devices and gadgets are also susceptible, even more so since the mining scripts can run in the background or are more difficult to identify.

As with other attacks, server side cryptojacking can be more complex and more complicated once it spreads. If the attacker gets access to the infrastructure, he or she may provision additional servers – in cloud environments, expect to see new servers with high end specs and cost.

In South Africa, we haven’t as yet witnessed cryptojacking attacks, however, globally an example is WannaMine, where the attackers use ‘live off the land’ technique such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularised by WannaCry.

It’s fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organisations to block it without some form of next-generation antivirus. Defending against cryptojacking requires a holistic approach and building a security architecture with a secure digital perimeter. The approach must focus on prevention as well as detection. Citrix has partnered with multiple security companies that enhance endpoint, network, server, and cloud protection.

For enterprises, delivering a locked down Secure Browser as a service can help reduce the attack surface by blocking the mining scripts as well as blocking the periodic call-backs to the mining pools – which are the command and control for crypto mining.

A critical component is early detection of CPU spikes above normal range – typically sustained. IT Operations should have defined CPU thresholds and analytics with alerts sent to admins when the CPU usage rises above the threshold. A couple of side notes here are that the alerts should disregard the process names – the digital parasite wants to remain undetected and can be disguised to be a system service or process.

Secondly, more devious adversaries will tune down the CPU leeching to not stand out as dramatically – effectively flying under the radar. Establishing a baseline and identifying aberrations quickly is the goal. Once detected, restoring the server to a golden image makes the process easier – local backdoor accounts, services, other changes can be undone.

Protecting against cryptojacking is very much the same as protecting against other malware – however, we are looking for different symptoms and long-term effects in hardware wear and tear, user performance degradation and loss of scalability. Higher costs in electricity or cloud usage are both more intermediate financial symptoms. Stay vigilant even if there are no demand notes or immediate indicators of compromise.