Dark Reading is part of the Informa Tech Division of Informa PLC



Cryptojacking Threat Continues to Rise

Unauthorized cryptocurrency mining can consume processing power and make apps unavailable as well as lead to other malware.

The latest malware threat doesn't encrypt your files, delete your data, steal your information, or even deface your website: All it does is steal your productivity and electricity in order to make money for the attacker. And it's becoming a huge threat to corporate IT.

Cryptocurrency miners have been in the news as legitimate miners search out towns with cheap electricity and plentiful empty space. Unethical and criminal cryptocurrency miners have discovered that the cheapest electricity is power that someone else pays for, and the most plentiful space is in someone else's data center. And the rewards of cryptocurrency speculation make the (currently small) risk of discovery worth it for many actors.

In a new report, researchers at Secureworks note that the cryptocurrency market grew from approximately $18 billion to more than $600 billion during 2017. The rise in value has been accompanied by a rise in crypto-miner malware. Secureworks says that the number of alerts related to cryptocurrency mining they've seen in their client base has jumped significantly, from 40,000 in May of 2017 to over 280,000 in October 2017. While settling back slightly, they say that the number of "cryptojacking" alerts has remained high through February of this year.

Risks Rise

Unauthorized cryptocurrency mining can cause critical servers and applications to become unavailable as their processing capacity is consumed. Even more worrisome is the fact that the threat actors who have infected the computers with cryptocurrency mining malware can and will deploy additional and potentially more lethal malware onto these systems, such as banking Trojans or ransomware.

"There's a temptation for people to see the miners as a lesser danger because they're less disruptive, but they're not a good thing to have on your network," says Mike McLellan, senior security researcher in the Secureworks Counter Threat Unit (CTU). "They signify a failure of technical controls."

McLellan says that his group is trying to raise awareness of the problem so that companies will see cryptocurrency miners as a security issue on the same level as banking Trojans and other well-known types of malware, because the networks his team monitors are showing a shift away from older types of intrusion toward miners. "I think a lot of organizations will have these on their networks," he says, simply because they're becoming a popular way for criminals to make money.

Criminals have become creative in finding ways to place cryptocurrency miners on victims' systems. "I think one of the interesting things is the sheer breadth of the delivery mechanisms being used," McLellan explains. "We've seen scan exploit techniques as well as spam and Web link poisoning."

Other researchers have found criminal networks using the NSA's EternalBlue exploit to plant miners on more than half a million PCs. Secureworks reported on attackers who exploited unpatched vulnerabilities in Oracle WebLogic servers to embed miners on both Windows and Linux servers.

Vulnerabilities in Web servers have also been exploited, as researcher Troy Mursch demonstrated when he found more than 50,000 websites (including many based on WordPress) that have been infected and are now busily mining cryptocurrency for their controllers.

Illicit Mining's Impact

McLellan says that convincing computer owners of the seriousness of cryptojacking attacks can be difficult since the immediate impact is often invisible: electrical costs can go up and server performance can go down, though it can be difficult for an administrator to point immediately at a cryptocurrency miner as the reason.

Often, it's not until the miner's resource demands become too high that owners notice. "When the malware gets on business critical computers, the critical applications can become unstable or unusable because of the demands on the system of the cryptominers," says McLellan.

In many ways, the mining malware's more critical impact is as a harbinger of potential damage to come. Cryptojacking applications are a malicious payload that can be delivered through a variety of means. And if cryptojackers can be successfully delivered, so can other malware.

The rise in cryptojackers could also have an impact on open source development. Recently, criminals placed a cryptocurrency miner in a forked project on GitHub. Notably, this code also included limits on how much CPU the miner could use, an obvious attempt to evade detection through one of the more notorious side effects of miners.
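The two detection problems the article raises, a miner that only shows up as vague performance degradation and a miner that caps its own CPU use to stay under a simple threshold alarm, suggest what a defender's telemetry check should look for. The script below is an added illustration, not code from Secureworks, Trend Micro or the article: it runs over a constructed set of per-process CPU samples and flags three patterns, a process that saturates the CPU, a process whose usage is flat and sustained at a suspicious level (a capped miner barely varies, whereas real services are bursty), and a command line that references the stratum mining-pool protocol. The process names, hosts, thresholds and the `pool.invalid` hostname are all made up for the example.

```python
"""Flag processes whose CPU profile or command line looks like cryptojacking.

Added example: all telemetry below is constructed sample data, and the
thresholds are illustrative starting points, not vendor recommendations.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed samples: (minute, host, pid, process_name, cpu_pct, cmdline).
# Each process is sampled once a minute over a six-minute window.
SAMPLES = [
    # Bursty, low-utilization web server: benign.
    (0, "web01", 412, "nginx", 3.0, "nginx -g daemon off;"),
    (1, "web01", 412, "nginx", 9.0, "nginx -g daemon off;"),
    (2, "web01", 412, "nginx", 2.0, "nginx -g daemon off;"),
    (3, "web01", 412, "nginx", 14.0, "nginx -g daemon off;"),
    (4, "web01", 412, "nginx", 4.0, "nginx -g daemon off;"),
    (5, "web01", 412, "nginx", 7.0, "nginx -g daemon off;"),
    # Self-throttled miner: flat at ~30% and pointing at a pool (hostname made up).
    (0, "web01", 977, "updater", 29.0, "updater -o stratum+tcp://pool.invalid:3333 --max-cpu 30"),
    (1, "web01", 977, "updater", 31.0, "updater -o stratum+tcp://pool.invalid:3333 --max-cpu 30"),
    (2, "web01", 977, "updater", 30.0, "updater -o stratum+tcp://pool.invalid:3333 --max-cpu 30"),
    (3, "web01", 977, "updater", 29.0, "updater -o stratum+tcp://pool.invalid:3333 --max-cpu 30"),
    (4, "web01", 977, "updater", 30.0, "updater -o stratum+tcp://pool.invalid:3333 --max-cpu 30"),
    (5, "web01", 977, "updater", 31.0, "updater -o stratum+tcp://pool.invalid:3333 --max-cpu 30"),
    # Busy database: high but bursty, so it should not be flagged.
    (0, "db01", 2204, "postgres", 40.0, "postgres -D /var/lib/pgsql/data"),
    (1, "db01", 2204, "postgres", 95.0, "postgres -D /var/lib/pgsql/data"),
    (2, "db01", 2204, "postgres", 12.0, "postgres -D /var/lib/pgsql/data"),
    (3, "db01", 2204, "postgres", 60.0, "postgres -D /var/lib/pgsql/data"),
    (4, "db01", 2204, "postgres", 20.0, "postgres -D /var/lib/pgsql/data"),
    (5, "db01", 2204, "postgres", 88.0, "postgres -D /var/lib/pgsql/data"),
    # Uncapped miner hiding behind a familiar name: pinned near 100%.
    (0, "db01", 3051, "svchost", 97.0, "svchost"),
    (1, "db01", 3051, "svchost", 98.0, "svchost"),
    (2, "db01", 3051, "svchost", 99.0, "svchost"),
    (3, "db01", 3051, "svchost", 97.0, "svchost"),
    (4, "db01", 3051, "svchost", 98.0, "svchost"),
    (5, "db01", 3051, "svchost", 99.0, "svchost"),
    # Short compile burst: too few samples to judge, so it is left alone.
    (0, "build01", 51, "gcc", 99.0, "gcc -O2 -c main.c"),
    (1, "build01", 51, "gcc", 98.0, "gcc -O2 -c main.c"),
]

SUSTAINED_FLOOR = 20.0   # mean CPU% above which a flat profile is worth a look
FLAT_MAX_STDEV = 5.0     # a capped miner barely moves; real services are bursty
SATURATION = 85.0        # mean CPU% treated as saturating the process's share
MIN_SAMPLES = 5          # do not judge a process seen for only a moment
POOL_MARKERS = ("stratum+tcp://", "stratum+ssl://")  # mining-pool protocol URLs


def detect(samples):
    """Return {(host, pid, name): [reasons]} for processes matching any rule."""
    series = defaultdict(list)
    cmdlines = {}
    for _minute, host, pid, name, cpu, cmdline in samples:
        key = (host, pid, name)
        series[key].append(cpu)
        cmdlines[key] = cmdline

    findings = {}
    for key, cpus in series.items():
        reasons = []
        # Rule 1: command line references a mining pool, regardless of CPU.
        if any(marker in cmdlines[key] for marker in POOL_MARKERS):
            reasons.append("mining_pool_cmdline")
        # Rules 2 and 3 need a long enough window to separate bursts from steady load.
        if len(cpus) >= MIN_SAMPLES:
            avg = mean(cpus)
            if avg >= SATURATION:
                reasons.append("saturating")
            # Flat, sustained consumption at a moderate level is the signature of
            # a miner that throttles itself to dodge a simple high-CPU alarm.
            if avg >= SUSTAINED_FLOOR and pstdev(cpus) <= FLAT_MAX_STDEV:
                reasons.append("sustained_flat")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (host, pid, name), reasons in sorted(detect(SAMPLES).items()):
        print(f"{host} pid={pid} {name}: {', '.join(reasons)}")
```

The useful part for a SOC is the `sustained_flat` rule: a threshold alert at 90% never fires for a miner capped at 30%, but a process that holds a steady 30% for an hour with almost no variance is unusual for most server workloads and is cheap to compute from the process telemetry most endpoint agents already collect. The `MIN_SAMPLES` guard keeps short legitimate bursts such as compiles or backups from being reported, and the stratum marker catches the case where the process name has been disguised but the pool URL is still on the command line.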

"But cybercriminal cryptocurrency mining isn't just about device wear and tear, or even the power consumption involved. It's also a reflection of the ever-evolving technology landscape and the risks and threats that can come with it," Trend Micro senior product manager Menard Osena wrote in a recent blog post. "And just like ransomware, we expect cryptocurrency-mining malware to be as diverse as they are common, using a plethora of ways to infect systems and even inadvertently turn their victims into part of the problem."

Because cryptocurrency miners tend to use existing exploit kits to carry their payload, existing defenses can work to keep them at bay. "The key message is that, if organizations are using good hygiene, they should be able to catch these," McLellan says. "On the flip side, if you do these things to stop cryptocurrency miners, you also stop a number of other threats like ransomware. There's nothing unique there, it's just about doing the basics."


Curtis Franklin Jr. is Senior Analyst at Omdia, focusing on enterprise security management. Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications ...