The existence of Bitcoin helped the proliferation of ransomware by providing a veil of anonymity to malicious actors seeking unethical avenues for a get-rich-quick scheme. The cryptocurrency sector collectively mushroomed to a market capitalization of over $500 billion by the end of 2017. Even with the recent market correction, ironically tied directly to the CME listing and subsequent short-selling of futures contracts, the promise of an easy buck still remains alive with cryptocurrencies.
Although the concept of ransomware can be traced back nearly a decade, its evolution continues. Starting around 2016, malicious attackers took to the franchising model, borrowing a page from the software-as-a-service playbook, and invented the ransomware-as-a-service (RaaS) model. This helps to onboard novice cyber-criminals by offering them the ability to launch sophisticated — and profitable — attacks, while providing an additional revenue stream to malware developers.
Thanks again to the skyrocketing value of Bitcoin and “industry” innovations, barriers to entry have been lowered further with the rise of “greyware” cryptominer tools. These tools are gaining traction, require less effort, and could turn out to be even more profitable and anonymous than ransomware, while quickly turning into a nefarious subset of malware known as cryptojacking.
"Cryptojacking on endpoint computers increased by a whopping 8,500% in 2017."
- Symantec Internet Security Threat Report
- 2018 Webroot Threat Report
Since cryptominer tools like CoinHive don’t harm files or the computer, nor store anything on the hard drive, they are not “technically” in the malware category; more or less they’re referred to as “greyware.” CoinHive was conceived as an ad-free alternative for website owners to generate income. Of course, cybercriminals began to hijack vulnerable websites to host scripts that would mine for Monero, which offers increased mining performance and a private blockchain ledger that prevents tracking of transactions.
The low barrier to entry – only a couple of lines of code are required to operate – exacerbates the exponential growth of cryptojacking. Malicious coinminers aggressively target users, web servers, and even entire networks in attempts to mine cryptocurrency. If they manage to cryptojack your device, the code will immediately put your device to work as part of their malicious mining pool. These infections slow devices, overheat batteries and, in some cases, brick your device. For enterprises, coinminers can put corporate networks at risk of shutdown through inflated cloud CPU usage, added cost, increased security concerns and loss of reputation.
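The “couple of lines of code” that a hijacked website ends up hosting is a script loader plus a start call, and that is what a defender can look for. The following Python is an added example, not code from the original post or from CoinHive: it collects the script tags from a page and flags the CoinHive loader host and API entry points. The sample HTML and the 'SITEKEY' value are constructed; the host and API marker lists are an illustrative starting point, not a complete signature set.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts and API entry points CoinHive used; extend from your own intel feed.
MINER_HOSTS = {"coinhive.com", "authedmine.com"}
MINER_API_MARKERS = ("CoinHive.Anonymous(", "CoinHive.User(")

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)      # <script src="...">
        else:
            self._in_script = True         # inline <script> body follows

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_miner_scripts(html: str) -> list:
    """Return findings for miner loaders in `html` (empty list if clean)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Protocol-relative "//host/..." URLs are common in injected loaders.
        host = (urlparse(src if "://" in src else "https:" + src).hostname or "")
        if host.lower() in MINER_HOSTS:
            findings.append(f"external miner script: {src}")
    for body in parser.inline:
        for marker in MINER_API_MARKERS:
            if marker in body:
                findings.append(f"inline miner start call: {marker}")
    return findings

# Constructed sample resembling a hijacked page; 'SITEKEY' is a placeholder.
SAMPLE_HTML = """<html><head><title>Example</title>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITEKEY'); m.start();</script>
</head><body><p>Visitor CPUs mine Monero while this page stays open.</p></body></html>"""
```

Run it over the HTML your own site actually serves (fetched from the outside, since injected content often lives in templates or third-party includes rather than your source tree).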
Figure: How cryptojacking works (illustration by the European Union Agency for Network and Information Security, ENISA).
Earlier this year, misconfigured Amazon Simple Storage Service (S3) buckets proved easier than ever to penetrate. Since AWS S3 access control configuration is incredibly complex, accidental public exposure is all too easy: simply granting access to “authenticated AWS users” opens the bucket to effectively every AWS user in the world, not just those in your own organization. AWS S3 buckets have been spilling data for years, so much so that a search engine for finding exposed buckets, known as BuckHacker, has been developed.
Leaky Amazon AWS S3 buckets were the prominent cause of the recent cryptojacking occurrence at “The Homicide Report” on the LA Times website. In addition, even real-life Tony Stark Elon Musk fell victim to crypto mining from compromised Kubernetes containers in Tesla’s AWS S3 environment, according to a RedLock report. The Bad Packets Report suggests that nearly 400 websites, including those of the San Diego Zoo, Lenovo, UCLA, and a US federal government agency, have sloppy cloud infrastructure security due to Drupal vulnerabilities.
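The “authenticated users” mistake described above can be checked for mechanically. The following Python is an added example, not from the original post or from AWS: it audits an S3 bucket ACL for the two world-scoped group grantees and produces a cleaned copy. The input is a constructed dict shaped like what boto3’s `get_bucket_acl` returns, so the example runs offline; the owner name and ID are placeholders.

```python
# Group URIs S3 uses for its predefined "everyone" grantees.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Both groups are world-scoped: AuthenticatedUsers means anyone who has signed
# up for any AWS account, not just principals in your own account.
EXPOSING_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account in the world",
}

def _is_exposing(grant: dict) -> bool:
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in EXPOSING_GROUPS

def find_exposing_grants(acl: dict) -> list:
    """Return (who, permission) pairs for grants that open the bucket up."""
    return [(EXPOSING_GROUPS[g["Grantee"]["URI"]], g.get("Permission"))
            for g in acl.get("Grants", []) if _is_exposing(g)]

def private_acl(acl: dict) -> dict:
    """Return a copy of `acl` with the exposing grants dropped; the
    account-scoped CanonicalUser grants (e.g. the owner) are kept."""
    return {"Owner": acl.get("Owner"),
            "Grants": [g for g in acl.get("Grants", []) if not _is_exposing(g)]}

# Constructed ACL: owner has full control, plus a READ grant to
# "Authenticated Users", which is the mistake the text describes.
OWNER = {"DisplayName": "example-owner", "ID": "EXAMPLE-CANONICAL-USER-ID"}
LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    # With boto3 you would pass boto3.client("s3").get_bucket_acl(Bucket=name)
    # here instead of the constructed dict.
    for who, perm in find_exposing_grants(LEAKY_ACL):
        print(f"bucket grants {perm} to {who}")
    print("exposing grants after fix:", find_exposing_grants(private_acl(LEAKY_ACL)))
```

Bucket policies can grant the same exposure independently of the ACL, so check both before declaring a bucket private.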
"Los Angeles Times' website has been silently mining crypto-coins using visitors' web browsers and PCs for several days."
- The Register, Feb 2018
Companies must take heed of these cautionary tales and pay closer attention to the code running on their websites and, if using a megacloud vendor’s services like Amazon AWS S3, take the required time to set up and double-check the right permissions. For some entities, even large conglomerates, the DIY model of creating a cloud infrastructure in the megacloud can be a daunting task. As your dad likely said, measure twice, cut once. This adage applies to cloud services too: it’s always better to have an expert cloud service provider (CSP) on your side, at least to double-check your plans.
Along with properly managed cloud infrastructure, a holistic cloud backup strategy can be the enemy of cryptojacking, as it is of ransomware. Cloud backup and disaster recovery (BDR) strategies should follow the 3-2-1 Rule and store your backup data within a compliant cloud vault outside of your network. Best practice holds that deduplication and compression assist with security, and backups should always be available for expedient restores until your planned retention period expires.
Your cloud BDR solution should also offer point-in-time restores, ideally chosen from a history of frequent backups, allowing granular restores from any previous backup. It’s always more efficient to state which files should be restored from which backup than to roll every file back to an older backup. The ability to quickly restore from cloud-based backups is an essential benefit of partnering with a custom cloud service provider.
Cryptojacking isn’t just a web server concern for IT admins; it is also hitting mobile and endpoint devices right where it hurts: battery life. This technique involves scripts running on mobile versions of web pages or in mobile apps. Since exposed users are generally unaware that the script is running on their device, mobile coinmining tends to find more success because people don’t usually close browsers on their mobile device – they just leave it in the background as they swap to different apps. These scripts can drain smartphones so drastically that, in some cases, they overwork the hardware to the point of data loss or permanent device failure.
It’s the nature of the beast that employees will store data on laptops, tablets, desktops, and smartphones – so how do you secure and protect endpoint devices without compromising business information? Backing up endpoint devices is now more critical than ever to your business. You’ll need a comprehensive solution to protect a mobile device’s data by capturing it and backing it up to a secure cloud while providing federated search capabilities and enabling RTO/RPO plans in case of data loss or corruption.
“… the dispersion of data — which can now be stored across millions of endpoints and cloud applications — is causing heightened concern within the enterprise.“
With the growth of BYOD in the workplace and an average of 3 devices per employee, the potential for cryptomining is enormous. It’s likely we’ll begin to see mobile botnets mining cryptocurrencies, as a sufficient mass of mobile zombies can amount to significant computing power. More sophisticated mobile mining scripts exist that allow full-blown mining only while the device is attached to a power source, so as not to alarm the victim with a suspiciously large drop in battery performance. Since most people don’t pay attention to their phones while they are plugged in and charging, the mobile cryptominer can remain unnoticed for even longer.
Remember, not only can a company’s website be compromised, but the computers, phones and endpoint devices of employees can be at risk as well. Businesses should pay attention to this trend of hijacking company resources to mine cryptocurrencies, since consistent reports are surfacing that vast numbers of organizations were or are affected by cryptojacking. Depending upon whose stats you’d like to embrace, the story remains the same: malicious cryptocurrency coinmining is not just a user concern, it’s now the IT admin’s burden.
“Cryptojacking malware has grown considerably in recent months, affecting 42% of organizations worldwide in February.”
— Check Point Global Threat Index February 2018
When it comes to thwarting cryptojacking, there’s no panacea. Just like protecting yourself against ransomware, you need to take a holistic approach to data protection. Stay proactive about your web server and cloud security, practice comprehensive cloud backups and endpoint protection, and you can greatly reduce cryptojacking threats. Likewise, do your homework on whichever cloud-based service you decide to use. Find out where the servers are located and who, if anyone, has access to them.
“25% of organizations currently have cryptojacking activity in their environments.”
— RedLock Cloud Security Trends 2018
Here at KeepItSafe, we help customers and our partners through numerous data protection situations, including compliance, ransomware, and cryptojacking threats. A critical part of being resilient against cryptojacking is being able to back up and recover. Data availability is what you want when things don’t go as planned, should cryptojacking become an issue in your data center.
At the bare minimum, organizations should ensure all their systems are patched and up to date, because many cryptojacking attacks are being enabled through exploit kits that provide standard exploits for commonly used business software. Additionally, it’s important to note that a one-size-fits-all backup tool does not fit anyone; only a custom cloud backup strategy can protect your infrastructure. In addition to embracing a holistic backup and disaster recovery strategy, here are some recommended security measures to avoid cryptojacking: