Understand "mining hijacking" in one article, and refuse to become a "free miner"
余YU
2018-06-27 05:32
This article is about 4,754 characters long and takes about 19 minutes to read.
Have you been "mined" today?

Cryptojacking, also known as mining hijacking, is the unauthorized use of someone else's computer to mine cryptocurrency.

Typically, hackers load cryptocurrency mining code onto computers by getting victims to click on malicious links in emails, or they infect websites or online advertisements with JavaScript code that executes automatically when loaded in the victim's browser.

Either way, the mining code will run in the background while the unsuspecting victim can use the computer normally. The only sign they might notice is slow computer performance or lag in execution.

Why do mining hijacking incidents keep emerging?

No one knows how much cryptocurrency hackers have mined through cryptojacking, but there's no doubt the practice is growing.

Browser-based cryptojacking is growing rapidly. In November last year, according to an Adguard report, in-browser cryptojacking grew by 31%. Adguard research found that a total of 33,000 websites run mining hijacking scripts, and the number of monthly visits to these websites is estimated to reach 1 billion. In February this year, the Bad Packets Report found 34,474 sites running Coinhive. Coinhive is the most popular JavaScript mining program and is also used for legitimate cryptocurrency mining activities.

“Cryptocurrency mining is in its infancy and there is still a lot of room to grow and evolve,” said Marc Laliberte, a threat intelligence analyst at cybersecurity solutions provider WatchGuard Technologies, noting that the Coinhive program is easy to deploy and created a value of 300,000 US dollars in its first month.

"Since then, Coinhive has grown very fast. It's really easy to make money this way."

In January, researchers discovered the Smominru cryptocurrency mining botnet; the worm infected more than 500,000 machines, mainly in Russia, India and Taiwan. The goal of the botnet is to get Windows servers to mine Monero. Cybersecurity firm Proofpoint estimates it had created $3.6 million in value as of the end of January.

Cryptojacking does not even require significant technical competence. According to the Digital Shadows report "The New Gold Rush: Cryptocurrency Becomes New Frontier for Fraud", a mining hijacking kit sells for only $30 on the dark web.

One reason cryptojacking is becoming more and more popular with hackers is that it pays more money with less risk.

In addition, cryptojacking is much less likely to be detected and identified than ransomware. The mining code runs silently and may not be discovered for a long time; even if it is discovered, it is difficult to trace back to the source. Because nothing is stolen or encrypted, victims have little incentive to trace it back. Hackers tend to opt for anonymous cryptocurrencies like Monero and Zcash rather than Bitcoin, because it is difficult to trace the illegal activities behind these currencies.

How does cryptojacking happen?

There are two main ways hackers can get victims' computers to quietly mine cryptocurrency.

One method is to trick victims into loading mining code onto their computers. The hijacking is accomplished through a phishing-like method: victims receive a legitimate-looking email enticing them to click on a link. This link runs code that loads the mining script onto the computer. The mining script can then run in the background while the victim is using the computer.

Another method is to place scripts on websites or advertisements that can be distributed in large numbers. Once the victim visits an infected website or clicks on an advertisement that pops up in the browser, the script executes automatically. No code is stored on the victim's computer.

Regardless of the method used, the mining code uses the victim's computer to mine and sends the results to a server controlled by the hacker.

Hackers typically use both methods to maximize returns. “Attackers use malware techniques as a fallback to deliver more reliable and persistent malware to victims’ computers,” Vaystikh said. For example, out of 100 devices that mine cryptocurrency for hackers, 10 percent may generate revenue through code on the victim's device, and 90 percent through their web browser.

Unlike most other types of malware, cryptojacking scripts do not harm the computer or the victim's data; they steal CPU processing resources. For individual users, slow computer performance might just be an annoyance. For enterprises, if many systems are hijacked for mining, it may increase costs: to fix the problem, the help desk and IT department spend time tracking down performance issues and replacing components or systems.

The actual case of mining hijacking

Cryptojacking is smart and devises many schemes to exploit other people's computers to mine cryptocurrencies. Most of the schemes are not new, and their propagation methods are usually borrowed from the methods of other malware, such as ransomware or adware. Here are some real cases:

Rogue employees hijack company systems

At this year's EmTech Digital Conference, Darktrace told the story of a European bank

Using GitHub to spread mining software

In March, Avast Software reported that cryptojackers are using GitHub as a host for malicious mining software. They find a legitimate project and create a fork of it, then hide the malware in the directory structure of that fork. Cryptojackers lure users into downloading the malware with phishing schemes, such as reminders to update Flash Player or pretending to be an adult gaming website.

Exploitation of rTorrent Vulnerabilities

Cryptojackers have discovered an rTorrent misconfiguration vulnerability that allows access to some rTorrent clients without XML-RPC communication authentication. They scan the Internet for unpatched clients and then deploy Monero mining software on them. F5 Networks reported the vulnerability in February, and rTorrent users are advised to ensure their clients do not accept external connections.

Chrome Malicious Plugin Facexworm

Trend Micro discovered multiple Facexworm variants targeting cryptocurrency exchanges and capable of spreading cryptocurrency mining code. It still uses infected Facebook accounts to spread malicious links, but can also steal web accounts and credentials, allowing it to plant cryptojacking code on those pages.

Aggressive mining virus WinstarNssmMiner

In May, 360 Security Guard discovered WinstarNssmMiner, a mining hijack program that can spread rapidly. The peculiarity of this malicious program is that uninstalling it crashes the victim's computer. WinstarNssmMiner first starts the svchost.exe process and implants code into it, then sets the process's property to CriticalProcess. Since the computer considers it a critical process, once the process is force-killed, the computer blue-screens.

How to prevent mining hijacking?

The risk of your company being hijacked for mining can be minimized if you follow these steps:

  • Corporate security awareness training should include content on the threat of cryptojacking, focusing on the hijacking method of loading mining scripts onto users' computers through phishing.

Laliberte thinks training will help, and that phishing will continue to be the primary way attackers deliver all kinds of malware. As for the method of automatically performing cryptojacking by visiting legitimate websites, Vaystikh said that training is not effective because you have no way to tell users which websites they cannot visit.

  • Install an ad-blocking or anti-mining plugin on your web browser.

Since cryptojacking scripts are often spread via online advertisements, installing an ad blocker can be an effective means of preventing them. Ad blockers such as Adblock Plus have the ability to detect mining scripts. Laliberte recommends browser plugins like No Coin and MinerBlock that can detect and block mining scripts.

  • Use endpoint protection technologies that can detect known miners.

Many endpoint protection/antivirus software vendors have added the ability to detect miners. Travis Farral, Anomali director of security strategy, said: "Antivirus is one of the ways endpoints can prevent cryptojacking. If the program is known, it is likely to be detected." Miner authors, however, are constantly changing techniques to avoid detection by endpoints.

  • Update web filtering tools.

If it has been determined that a website is running a mining script, make sure that all users do not visit the website again.

  • Maintain browser plug-ins.

Some attackers are using malicious browser plugins or infected legitimate plugins to execute cryptocurrency mining scripts.

  • Gain greater control over what's on user devices with a mobile device management (MDM) solution.

Bring your own device (BYOD) policies can be effective in preventing illegal cryptocurrency mining. Laliberte believes that MDM can keep BYOD secure in the long-term. MDM solutions can help companies manage apps and plug-ins on user devices. MDM solutions tend to be geared toward larger enterprises, and smaller businesses often cannot afford them. However, Laliberte pointed out that mobile devices are not as dangerous as desktop computers and servers. Because mobile devices tend to have less processing power, it's not very lucrative for hackers.

How to detect cryptojacking?

As with ransomware, businesses can be affected despite their best efforts to prevent cryptojacking. It can be difficult for businesses to detect cryptojacking, especially if only a few systems are compromised. Here's what works:

  • Train the help desk to spot signs of cryptojacking.

SecBI's Vaystikh said that sometimes, the first sign of a cryptojacking is when the help desk receives complaints from users about slowing computer performance. Companies should take this seriously and investigate further.

Other signals that help desks should look for are system overheating that could cause a CPU or cooling fan failure. Laliberte noted that overheating the system can cause damage due to high CPU usage and can shorten the lifespan of the device. This is especially true for mobile devices such as tablets and smartphones.

  • Deploy a network monitoring solution.

According to Vaystikh, cryptojacking in enterprise networks is easier to detect than in home networks because most consumer endpoint solutions cannot detect it. Cryptojacking is easy to detect with network monitoring solutions, and most businesses have network monitoring tools.

However, even with network monitoring tools and data, few organizations have the tools and capabilities to analyze this information for accurate detection. For example, SecBI has developed an AI solution to analyze network data and detect cryptojacking and other specific threats.

According to Laliberte, network monitoring is the best option for detecting cryptojacking. A perimeter monitoring solution that reviews all network traffic is more likely to detect mining. Many monitoring solutions will drill down on each user to determine which devices are affected.

Farral said that if the enterprise server is equipped with reliable filters to monitor the network connection requests of the egress endpoint, then the malware can be detected well. However, he cautioned that miner programmers have the ability to rewrite malware to circumvent this detection method.

  • Monitor whether your website is implanted with mining hijacking code.

Farral warns that cryptojackers are trying to plant JavaScript code on web servers. The server itself is not the target, but anyone visiting the site is at risk of infection. He recommends that businesses regularly monitor their web servers for file changes or for changes to the pages themselves.
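One way to implement the file-change and page monitoring Farral recommends, as an added Python example that is not from the article or from any vendor it names: it baselines a web root by hash, reports files that changed, and scans the served HTML for script references matching a miner indicator list. The web root, the indicator list and the injected page are all constructed for the demo; the Coinhive URL is shown only as the form such an injection takes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators a defender would flag in page markup. "coinhive" is the miner
# named in the article; the ".invalid" host is a constructed placeholder for
# an organization's own blocklist of script hosts seen delivering miners.
MINER_INDICATORS = ["coinhive", "example-miner-cdn.invalid"]
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

def baseline(webroot: Path) -> dict:
    """SHA-256 of every file under the web root: the trusted state to diff against."""
    return {str(p.relative_to(webroot)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def changed_files(webroot: Path, base: dict) -> dict:
    """Diff the current tree against the baseline: {relpath: added|removed|modified}."""
    now = baseline(webroot)
    out = {}
    for rel in set(base) | set(now):
        if base.get(rel) != now.get(rel):
            out[rel] = "added" if rel not in base else "removed" if rel not in now else "modified"
    return out

def suspicious_scripts(html: str) -> list:
    """External script URLs and inline script bodies that carry a miner indicator."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        if any(ind in src.lower() for ind in MINER_INDICATORS):
            hits.append("src:" + src)
    for body in INLINE_SCRIPT_RE.findall(html):
        if any(ind in body.lower() for ind in MINER_INDICATORS):
            hits.append("inline:" + body.strip()[:40])
    return hits

def demo() -> tuple:
    """Constructed scenario: baseline a two-page site, then simulate an injected miner tag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body><h1>Home</h1></body></html>")
        (root / "about.html").write_text("<html><body>About us</body></html>")
        base = baseline(root)
        # Constructed injection: a hosted miner library plus an inline starter.
        (root / "index.html").write_text(
            '<html><body><h1>Home</h1>'
            '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
            '<script>var m = new CoinHive.Anonymous("SITE_KEY"); m.start();</script>'
            '</body></html>')
        return changed_files(root, base), suspicious_scripts((root / "index.html").read_text())
```

In production the baseline would be stored outside the web root and the check run on a schedule, with any "added" or "modified" entry and any indicator hit raised to the IT team for the web-filter update described below.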

  • Stay informed about cryptojacking trends.

The way cryptojacking is spread and the mining code itself are constantly evolving. Knowing about cryptojacking software and hijacking behavior can help companies detect cryptojacking, Farral said. A savvy business keeps up with the latest developments. If you understand the propagation mechanism of cryptojacking, you know that a particular exploit kit is sending mining code; defending against that exploit kit is then also a measure to prevent cryptojacking.

How to deal with mining hijacking attacks?

  • Turn off and block malicious scripts sent by websites.

For in-browser JavaScript hijacking attacks, once cryptojacking is detected, the browser tab running the malicious script should be closed. IT departments should pay attention to the URL of the website sending the script and update the enterprise's web filter to block it. Businesses can consider deploying anti-mining tools to help prevent future attacks.

  • Update and clean up browser add-ons.

If a plug-in infects the browser, closing the tab won't help, Laliberte said. This is the time to update all plugins and remove unwanted or infected plugins.

  • Learn and adapt.

For reprinting/content cooperation/seeking reports, please contact report@odaily.com, illegal reprinting will be punished by law.

