Blog & Events

Mobile and Cloud Cryptojacking Skyrockets

May 16, 2018, 11:00 AM by Trenton Baker

-Endpoint cryptojacking instances up 8,500%, with no slowing in sight


Mobile and Cloud Cryptojacking

The existence of Bitcoin helped to grow the prorogation of ransomware by providing a veil of anonymity to malicious actors seeking unethical avenues for a get rich quick scheme. The cryptocurrency sector collectively mushroomed at a capitalized value of over $500 billion by the end of 2017. Even with the recent market correction, ironically tied directly to the CME listing and subsequent short-selling of futures contracts, the promise of an easy buck still remains active with cryptocurrencies.

Although the concept of ransomware can be traced back nearly a decade, evolution continues. Starting around 2016 malicious attackers took to the franchising model with a page from the software-as-a-service playbook and invented the ransomware-as-a-service (RaaS), model. This actually helps to onboard novice cyber-criminals in offering the ability to launch sophisticated — and profitable — attacks, while providing an additional revenue stream to malware developers.

Thanks again to the skyrocketing value of Bitcoin and “industry” innovations, barriers to entry have lowered again with the rise of “greyware” cryptominer tools. These tools are gaining traction, require less effort, and could turn out to be even more profitable and anonymous than ransomware, while quickly turning into a nefarious subset of malware known as cryptojacking.


"Cryptojacking on endpoint computers increased by a whopping 8,500% in 2017."
- Symantec Internet Security Threat Report

What is Cryptojacking

Cryptojacking came out of the shadows in conjunction with the debut of the CoinHive JavaScript code to mine the cryptocurrency Monero in September 2017. Instead of hijacking a victim’s files and extorting for ransom, the cybercriminals effectively hijack victims’ desktop or mobile device CPU power to covertly mine cryptocurrency when a user visits an infected site. Without a malware payload, the user remains blissfully ignorant that they’re being used.


"Since September 2017, more than 5,000 websites have been compromised with JavaScript cryptocurrency miner CoinHive to mine Monero by hijacking site visitors’ CPU power."
- 2018 Webroot Threat Report

Since cryptominer tools like CoinHive don’t harm files or the computer nor store anything on the hard drive, they are not “technically” in the malware category – more or less they’re referred to as “Greyware.” CoinHive was conceived as an ad-free alternative for website owners to generate income. Of course, cybercriminals began to hijack vulnerable websites to host scripts that would mine for Monero, which has offers increased mining performance and a private blockchain ledger that prevents tracking of transactions.

The low barrier of entry – only requiring a couple lines of code to operate – exacerbates the exponential growth of cryptojacking. Malicious coinminers are aggressively targeting users, web servers, and even entire networks in attempts to mine for cryptocurrency. If they manage to cryptojack your device, the code will immediately set your device working as a part of their malicious mining pool. These infections slow devices, overheat batteries, and in some cases, brick your device. For enterprises, coinminers can put corporate networks at risk of shutdown with inflated cloud CPU usage, added cost, increased security concerns and loss of reputation.

cryptojacking

How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).


Cloud Cryptojacking

Earlier this year erroneously configured Amazon (S3) Simple Storage Service leaky buckets proved easier than ever to penetrate. Since AWS S3 access control configuration is incredibly complex, accidental public exposure is all too easy to allow by simply granting access to authenticated AWS users, which is effectively every AWS user in the world, not just those in your own organization. AWS S3 buckets have been spilling info for years, so much that a search engine to find exposed clouds has been developed known as the BuckHacker.

Leaky Amazon AWS S3 buckets are the prominent cause for the recent cryptojacking occurrence at “The Homicide Report” on the LA Times website. In addition, even real life Tony Stark, Elon Musk, fell victim to crypto mining from compromised Kubernetes containers in Tesla’s AWS S3 environment, according to a RedLock report. The Bad Packets Report suggests that nearly 400 websites have sloppy cloud infrastructure security due to Drupal vulnerabilities including the San Diego Zoo, Lenovo, UCLA, and a US federal government agency.


"Los Angeles Times' website has been silently mining crypto-coins using visitors' web browsers and PCs for several days."
-The Register, Feb 2018

Companies must take heed of these cautionary tales of woe and increase their attention to the code running on your website and, if using a megacloud vendor’s services like Amazon AWS S3, ensure that they take the required time out of their day to set up and double check the right permissions. For some entities, even large conglomerates, the DIY model of creating a cloud infrastructure in the megacloud can be a daunting task. As your dad likely said measure twice cut once. This adage can be applied to the idea of cloud services, in that it’s always better to have an expert cloud service provider (CSP) on your side, at least to double check your plans.

Along with properly managed cloud infrastructures, a holistic cloud backup strategy can be the enemy of the cryptojacking, as it is with the ransomware model. Cloud backup and disaster recovery (BDR) strategies should leverage the 3-2-1 Rule and store your backup data within a compliant cloud vault outside of your network. Best practice states that deduplication and compression assist in security and backups should always be available for expedient restores until your planned retention time expires.

Your cloud BDR solution should also include a point in time for your restores, ideally choosing from a history of frequent backups allowing for granular restores from any previous backup. It's always more efficient to state which files should be restored from which backup, rather than restoring every file to an older backup. The ability to quickly restore from cloud-based backups is an essential benefit to partnering with a custom cloud service provider.


Endpoint and Mobile Cryptojacking

Cryptojacking isn’t just a web server concern for IT admins but it is also hitting mobile and endpoint devices right where it hurts—battery life. This technique involves the use of scripts running on mobile versions of web pages or in mobile apps. Since exposed users are generally unaware that the script is running on their device, mobile coinmining tends to find more success because people don’t usually close browsers on their mobile device – they’ll just leave it in the background as they swap to different apps. These scripts can drain smartphones so drastically that, in some cases, overwork the hardware to the point of data loss or permanent device failure.

It’s the nature of the beast that employees will store data on laptops, tablets, desktops, and smartphones – so how do you secure and protect endpoint devices without compromising business information? Backing up endpoint devices is now more critical than ever to your business. You’ll need a comprehensive solution to protect a mobile device’s data by capturing it and backing it up to a secure cloud while providing federated search capabilities and enabling RTO/RPO plans in case of data loss or corruption.


“… the dispersion of data — which can now be stored across millions of endpoints and cloud applications — is causing heightened concern within the enterprise.“
- IDC

With the growth of BYOD in the workplace and an average of 3 devices per employee, the potential for cryptomining is enormous. It’s likely we’ll begin to see mobile botnets mining cryptocurrencies, as a sufficient mass of mobile zombies can amount to significant computing power. More sophisticated mobile mining scripts exist to allow full-blown mining when they are attached to a power source, as to not alarm the victim with a suspiciously large drop in battery performance. Since most people don’t pay attention to their phones if they have them plugged in and charging, the mobile cryptominer can remain unnoticed for even longer.


Cryptojacking Solutions

Remember, not only can a company’s website be compromised, but the computers, phones and endpoint devices of employees can be at risk as well. Businesses should pay attention to this trend of hijacking company resources to mine cryptocurrencies since consistent reports are surfacing that vast numbers of organizations were or are affected by cryptojacking. Depending upon whose stats you’d like to embrace the story remains the same, malicious cryptocurrency coinmining is not just a user concern, it’s now the IT Admin’s burden.


“Cryptojacking malware has grown considerably in recent months, affecting 42% of organizations worldwide in February.”
— Check Point Global Threat Index February 2018

When it comes to thwarting cryptojacking, there’s no panacea. Just like protecting yourself against ransomware, you need to take a holistic approach to data protection. Stay proactive about your web server and cloud security, practice comprehensive cloud backups and endpoint protection then you can greatly reduce cryptojacking threats. Likewise, do your homework on whichever cloud-based service you decide to use. Find out where the servers are located and who, if anyone, has access to them.


“25% of organizations currently have cryptojacking activity in their environments.”
— RedLock Cloud Security Trends 2018

Here at KeepItSafe, we help customers and our partners thru numerous data protection situations including compliance, ransomware, and cryptojacking threats. A critical part of being resilient against cryptojacking is being able to backup and recover. Data availability is what you want when things don’t go as planned, should cryptojacking become an issue in your data center.

At the bare minimum, organizations should ensure all their systems are patched up to date because many cryptojacking attacks are being enabled through exploit kits that provide standard exploits for commonly used business software. Additionally, it’s important to note that a one-size-fits-all backup tool does not fit anyone; only a custom cloud backup strategy can protect your infrastructure. In addition to embracing a holistic backup and disaster recovery strategy, here are some recommended security measures to avoid cryptojacking:

  1. Of course, maintain a strong user password policy.
  2. Use the 3-2-1-Rule with cloud backup,
    • The 3-2-1 rule states to have three different copies of your media, on two different media, one of which is off-site.
  3. Keep your webservers and devices patched to minimize the risk of exploit-related attacks.
  4. Protecting server credentials,
    • Best practice to secure servers is to make use of an encrypted SSH key pair instead of a password.
  5. Mitigation using real-time monitoring of the webpage,
    • Monitor the Web page DOM and JavaScript environments for injections and report back change detections.
  6. Protect your devices with antivirus, anti-malware, and adblocker tools, since antivirus is not enough protection,
    • Ad blockers are ramping up detection and prevention support for blocking Coinhive's JS library.
  7. Use an endpoint security management technology to ensure that rogue mobile apps aren’t present on your devices,
    • Ad blockers are ramping up detection and prevention support for blocking Coinhive's JS library.
  8. Implement browser extensions to scan and terminate anything that looks like Coinhive's miner script,
    • Chrome extensions now exist from AntiMiner, No Coin, and minerBlock.
  9. Educate your team:
    • Cryptomining is not an acceptable use of company resources or power.
    • Explain traditional attack vectors of malware such as phishing and how they can protect themselves.
  10. Keep an eye out for the tell-tale signs that you’ve been cryptojacked:
    • Slow network.
    • Soaring electricity bill.
    • Spike in CPU consumption.

Readers of this blog post are also interested in this webinar:

Data Protection, Disaster Recovery, and Ransomware Protection with DRaaS

Get Your FREE
Market Analysis Brief!


Disaster Recovery Planning

Download a free Planning Guide

“Storage Switzerland details DR Planning from Good to Great”