Vulnerabilities / Threats

10/1/2020 10:00 AM
Matt Honea
Commentary
Cryptojacking: The Unseen Threat

Mining malware ebbs and flows with the price of cryptocurrencies, and given the momentum on price is upward, cryptojacking is a very present threat.

Cryptojacking isn't a new threat, but it is evolving quickly. Infections from this type of mining malware tend to ebb and flow with the price of cryptocurrencies. The bad news is that cryptojacking is experiencing new upward momentum in 2020. As background, 2018 was one of the biggest years for cryptomining malware development and proliferation. In 2019, there was a 40% drop early in the year, followed by a steady infection rate into 2020, with a slight uptick through August. Those trends line up with the price of Bitcoin over the last three years.

So, why is an old threat significant and timely news? Cryptojacking is heavily underreported in the security industry; because of the nature of the malware involved, only a small fraction of what is out there has ever been seen. When mining malware is examined, it is incredibly lightweight, elegant, and easily changed. Its sole purpose is to compute hashes using the CPU, and it is very difficult to differentiate a legitimate script from a cryptominer's script. In addition, the code is often so customized and benign in behavior that malware scanners overlook it altogether.

Given that cryptocurrency prices are rising, the number of Internet of Things (IoT) devices has doubled since 2017, mobile phones with web browsers are ubiquitous, and the number of vulnerabilities discovered has tripled over the same time period, we are facing a perfect storm of opportunity for cryptominers to evolve their tactics and create wormable mining malware for illicit gains.

Consider the following: An average CPU can process around 500 hashes per second on the Monero network. Servers have many CPUs, so they are a more lucrative target than IoT devices, but IoT devices are more numerous and often a softer target (for simplicity, this article treats all targets, including IoT devices, web browsers, and mobile phones, as equal). At current prices, this hash rate translates to $0.21 per week per CPU from mining.


One might say that's a paltry amount, but let's put it in a different perspective. The Mirai botnet infected 600,000 devices. A cross-site scripting attack on Google search could affect 6 billion devices in a single day. There are roughly 20 billion Internet-connected devices today. Even someone who could infect 10,000 of the 20 billion instances (0.00005%) could make $2,100 a week, enough to live very comfortably in most places.

Infecting All the Devices
How do you infect 10,000 devices? The easiest way is to find exploitable software in an automated fashion. Code execution has been the top reported vulnerability category for the last three years running. Cross-site scripting (XSS) was the No. 1 reported vulnerability through HackerOne in 2019.

The reasons cryptojacking is so prolific are threefold: It doesn't require elevated permissions, it is platform agnostic, and it rarely sets off antivirus triggers. In addition, the code is often small enough to insert surreptitiously into open source libraries and dependencies that other platforms rely on. It can also be configured to throttle itself based on the device, and to use a flavor of encrypted DNS, so as not to arouse suspicion.

Cryptojacking can also be built for almost any context and in various languages such as JavaScript, Go, Ruby, Shell, Python, PowerShell, etc. As long as the malware can run local commands, it can utilize CPU processing power and start mining cryptocurrency. In addition to entire systems, cryptominers can thrive in small workhorse environments, such as Docker containers, Kubernetes clusters, and mobile devices, or leverage misconfigured cloud instances and overpermissioned accounts. The possibilities are endless.

Unbalanced Scales
The goal is to minimize detection and maximize longevity. Even with cryptocurrency prices in flux, for financially motivated actors, cryptojacking is still lucrative. Resource overhead is minimal and direct profits are obtained.

Here are three reasons why we will see continued cryptojacking growth and development:

  1. The number of potential targets is in the billions. Many devices are already infected and flying under the radar.
  2. It's direct payout for minimal effort. There is no need for additional steps to get money, such as data brokers or via "crypto tumbling," a process similar to money laundering.
  3. Cryptojacking is only one step removed from data exfiltration. Once a foothold is established within environments, cryptojacking could easily evolve into wormable malware, piggybacking on advanced techniques. It could also evolve into botnets for hire or data theft.

In addition to the huge number of targets, corporate data breaches are heavily underreported because laws vary by jurisdiction on when a company is required to report a breach. Because cryptojacking generally does not steal data or cause a business outage, no one is forcing victims to report an infection. The malware is stealthy to begin with, so it is underreported.

Cryptojacking can also target the largest segment of IoT devices, most of which lack any malware detection. Unless a company has a well-established baseline and a tightly managed compute budget, no one will be the wiser.

Developing a Response
Evaluating macro trends is critical to developing cyber defenses for the future. Cryptojacking threats should be taken seriously because they can evolve into a security breach at any time. We should be hunting for cryptojacking threats at multiple levels:

  • Identifying mining algorithms at runtime rather than on disk
  • Full DNS inspection for all connected devices
  • DNS/IP alerting for known mining pools, Tor usage, or blacklisted Git repos
  • CPU/GPU monitoring for high usage
  • Temperature baseline monitoring for physical devices
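The following is an added example, not code from the article or its author, showing how two of the signals above (DNS queries to known mining pools, and sustained CPU use above a per-host baseline) can be hunted over telemetry. The log line format, host names, the mining-pool watchlist suffixes (`*.example-mining.test`, `*.example-pool.test`) and all CPU readings are constructed for illustration; a real deployment would load a curated pool-domain feed and its own telemetry. It also shows the suffix-matching pitfall a naive `endswith` check has (`notpool.example-mining.test` must not match `pool.example-mining.test`), and learns the baseline from a quiet window rather than hard-coding it.

```python
"""Added example: hunting cryptojacking signals over constructed telemetry.

Two detections from the list above are implemented:
  * DNS queries whose name falls under a watchlisted mining-pool domain
  * CPU usage that stays above a per-host baseline for several samples

The watchlist, host names, and log lines are all constructed for this
example; nothing here is a real indicator of compromise.
"""
from collections import defaultdict
from dataclasses import dataclass
import re
import statistics

# Constructed (hypothetical) watchlist of mining-pool domain suffixes.
MINING_POOL_SUFFIXES = ("pool.example-mining.test", "xmr.example-pool.test")

# Constructed log formats: one DNS query line, one CPU sample line.
DNS_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+)$")
CPU_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cpu=(?P<cpu>\d+(?:\.\d+)?)$")


@dataclass(frozen=True)
class Finding:
    host: str
    signal: str
    detail: str


def _cpu_samples(lines):
    """Group CPU percentages per host, in log order; non-CPU lines are skipped."""
    samples = defaultdict(list)
    for line in lines:
        m = CPU_LINE.match(line)
        if m:
            samples[m["host"]].append(float(m["cpu"]))
    return samples


def learn_baseline(quiet_window_lines):
    """Per-host baseline = median CPU over a window believed to be clean.
    The median resists a few legitimate spikes inside the learning window."""
    return {host: statistics.median(v) for host, v in _cpu_samples(quiet_window_lines).items()}


def dns_findings(lines, watchlist=MINING_POOL_SUFFIXES):
    """Flag DNS queries at or under a watchlisted domain.
    Matching is done on label boundaries so 'notpool.example-mining.test'
    does not match the suffix 'pool.example-mining.test'."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        for suffix in watchlist:
            if qname == suffix or qname.endswith("." + suffix):
                findings.append(Finding(m["host"], "dns-mining-pool", qname))
                break
    return findings


def cpu_findings(lines, baseline, sustained=3, multiplier=2.0, floor=85.0):
    """Flag a host whose CPU exceeds max(baseline*multiplier, floor) for
    `sustained` consecutive samples. A single spike resets the run, which
    keeps ordinary bursts (a build, a backup) from alerting."""
    findings = []
    for host, values in _cpu_samples(lines).items():
        threshold = max(baseline.get(host, 0.0) * multiplier, floor)
        run = 0
        for v in values:
            run = run + 1 if v > threshold else 0
            if run == sustained:
                findings.append(Finding(host, "cpu-sustained-high",
                                        f"{sustained} consecutive samples above {threshold:.0f}%"))
                break
    return findings


def hunt(lines, baseline):
    """Run every detection over the same telemetry and merge the findings."""
    return dns_findings(lines) + cpu_findings(lines, baseline)


# Constructed quiet window used to learn per-host baselines.
BASELINE_WINDOW = [
    "2020-09-30T10:00:00Z host=cam-07 cpu=10",
    "2020-09-30T10:01:00Z host=cam-07 cpu=12",
    "2020-09-30T10:02:00Z host=cam-07 cpu=14",
    "2020-09-30T10:00:00Z host=web-01 cpu=38",
    "2020-09-30T10:01:00Z host=web-01 cpu=40",
    "2020-09-30T10:02:00Z host=web-01 cpu=42",
]

# Constructed telemetry: cam-07 resolves a pool domain and pegs its CPU;
# web-01 has one harmless spike and a look-alike domain that must not match.
TELEMETRY = [
    "2020-10-01T10:00:01Z host=cam-07 query=api.example.test",
    "2020-10-01T10:00:02Z host=cam-07 query=eu.pool.example-mining.test",
    "2020-10-01T10:00:03Z host=web-01 query=notpool.example-mining.test",
    "2020-10-01T10:00:00Z host=cam-07 cpu=11",
    "2020-10-01T10:01:00Z host=cam-07 cpu=97",
    "2020-10-01T10:02:00Z host=cam-07 cpu=98",
    "2020-10-01T10:03:00Z host=cam-07 cpu=99",
    "2020-10-01T10:00:00Z host=web-01 cpu=45",
    "2020-10-01T10:01:00Z host=web-01 cpu=95",
    "2020-10-01T10:02:00Z host=web-01 cpu=50",
    "2020-10-01T10:03:00Z host=web-01 cpu=44",
]

if __name__ == "__main__":
    for f in hunt(TELEMETRY, learn_baseline(BASELINE_WINDOW)):
        print(f"{f.host}: {f.signal} ({f.detail})")
```

Running the block reports two findings, both for `cam-07` (the pool lookup and the sustained CPU run); `web-01` stays quiet because its single 95% sample never reaches three consecutive readings and its look-alike domain fails the label-boundary check. The same structure extends to the other signals on the list (Tor exits, blacklisted repositories, device temperature) by adding a parser and a finding type per source.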

In addition, more visibility into our IoT devices and containers is needed to understand abnormal baseline usage. Until the security industry as a whole is able to effectively identify this threat at scale, it will only continue to get worse.

As Senior Director of Cybersecurity at Guidewire Software, Matthew Honea is responsible for the company's corporate security strategy and implementation.
Comments

Brad Brooks, User Rank: Author, 10/1/2020 | 12:16:52 PM
Thank you
Thanks for your thoughts