The Malicious Side of Cryptomining
Last month, we covered blockchain technology and how it relates to cryptocurrencies. Cryptomining is the process of validating transactions on a blockchain, for which the miner is rewarded with newly issued units of the cryptocurrency. Examples of cryptocurrencies include Bitcoin, Ethereum, and Monero. Mining is computationally intensive and therefore expensive in terms of hardware and electricity. In an ideal world, cryptominers use their own machines and pay that cost themselves. However, whenever people are faced with an opportunity to make more money at a lower cost, there’s a good chance they’ll pursue it. “Cryptojacking” is a malware threat in which cryptomining software is installed and hidden on a victim’s computer. By stealing computing resources for cryptomining, the attacker keeps all of the cryptocurrency rewards, while the victim suffers degraded computer performance and is left with the power bill. Unlike ransomware attacks, which are overt and can’t be ignored by victims, cryptojacking is covert and steals from victims over a longer period of time.
Typically, an attacker won’t stop at a single computer. In 2018, Nick Biasini, Edmund Brumaghin, Warren Mercer, and Josh Reynolds of Cisco’s Talos Intelligence blog, with help from Azim Khodijbaev and David Liebenberg, wrote that pool-based mining was “seen most frequently leveraged by attackers as it allows for the greatest amount of return on investment and the required mining software can be easily delivered to victims.” In pool-based mining, many machines contribute hashing power to a shared pool, and the pool pays out rewards in proportion to the work each contributes. An attacker simply points every infected host at a pool under the attacker’s own wallet, so each compromised machine adds a predictable slice of income. The more infected machines, the greater the revenue for the attacker.
Common methods of infecting as many victims as possible “include spam campaigns, exploit kits, and directly via exploitation,” according to Biasini et al. However, attackers will sometimes use a Trojan horse approach. Biasini et al. “found miners purporting to be anti-virus software.” Last month, Dan Goodin of Ars Technica reported on malicious “warez” (pirated software) hosted on Atlassian Bitbucket, a code-hosting service similar to GitHub. The warez were discovered by Cybereason, a security firm. Malicious cryptominers and other types of malware, including ones that steal from cryptocurrency wallets, were disguised as tools such as cracked versions of Adobe Photoshop with the copy protection removed. The cryptominers were made for mining Monero, an “extremely privacy conscious” alternative to Bitcoin, which “governments have started to scrutinize … more closely,” as noted by Biasini et al. in 2018. Cybereason found that the warez had been downloaded over 500,000 times, which suggests that a large number of people were tricked into becoming part of a cryptojacking operation (download counts are not unique victims, and not every download ends in a successful infection, so the true number is likely lower).
In addition to individuals, small businesses are vulnerable targets of cryptojacking. In a 2018 Cisco report about cybersecurity for small- to mid-sized businesses, the company noted that “[f]or small/midmarket businesses unwittingly aiding illicit cryptomining operations, slower system performance might be the only red flag signaling they’ve been compromised—unless they have the right technology in place to detect when cryptomining activity is present.” Cisco’s report explains that smaller businesses are attractive targets for cybercriminals because their security infrastructure is less robust than that of big tech companies. The budgets of small- to mid-sized businesses are limited as it is; an IT infrastructure bogged down by hidden cryptominers is an unwelcome expense. A good cybersecurity policy would advise against downloading software from untrusted sources and call for regular inspection of systems for unwanted cryptominers. Because a miner must talk to its pool to earn anything, the signals to look for are sustained high CPU usage from an unfamiliar process combined with persistent outbound connections to mining pools, rather than slow performance alone.
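To make the “regular system inspection” concrete, and to show what the pool-mining traffic described earlier looks like from the victim’s side, here is an added example of a host-inspection script. It is not code from the article, from Cisco Talos, or from Cybereason. It scans a constructed process snapshot for the indicators a pool miner leaves behind: a Stratum pool URL or miner-style command-line options, a Monero-shaped payment address, outbound connections to ports public pools commonly use, and CPU usage that stays high for a long time. The pool port list, the address pattern, and the thresholds are assumptions based on common miner defaults, not a definitive list, and the sample processes are invented.

```python
"""Hypothetical cryptojacking host inspection (added example, not from the article).

Input is a constructed process snapshot; in practice it would come from `ps`,
EDR telemetry or netflow. Indicator lists are assumptions drawn from common
miner defaults and will need tuning for a real environment.
"""
import re
from dataclasses import dataclass, field

# Assumed indicators (not from the article): the Stratum URL scheme pool miners
# use, ports public pools commonly listen on, and the shape of a Monero payment
# address (base58, 95 characters, starting with 4 or 8).
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://[\w.\-]+:\d+", re.I)
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
MONERO_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Options an XMRig-style miner accepts for its pool URL, wallet and donation level.
MINER_OPTS_RE = re.compile(r"(?:^|\s)(?:-o|--url|-u|--user|--donate-level|--coin)(?:\s|=)")
SUSTAINED_CPU_PCT = 80.0   # assumed threshold
SUSTAINED_MINUTES = 30     # assumed threshold


@dataclass
class ProcessRecord:
    pid: int
    cmdline: str
    cpu_pct: float                      # average CPU over the sampling window
    cpu_minutes: int                    # minutes spent above SUSTAINED_CPU_PCT
    remote_ports: set = field(default_factory=set)  # outbound TCP destination ports


def score_process(p):
    """Return the list of indicators found for one process (empty if clean).

    Each check is independent, so a miner renamed to look like antivirus or a
    kernel thread still trips the network and CPU checks.
    """
    hits = []
    if STRATUM_RE.search(p.cmdline):
        hits.append("stratum_url_in_cmdline")
    if MONERO_ADDR_RE.search(p.cmdline):
        hits.append("monero_address_in_cmdline")
    if MINER_OPTS_RE.search(p.cmdline):
        hits.append("miner_style_options")
    if p.remote_ports & COMMON_POOL_PORTS:
        hits.append("outbound_to_common_pool_port")
    if p.cpu_pct >= SUSTAINED_CPU_PCT and p.cpu_minutes >= SUSTAINED_MINUTES:
        hits.append("sustained_high_cpu")
    return hits


def inspect(processes):
    """Map pid -> indicators for every process with at least two indicators.

    Requiring two keeps a legitimately busy process (a build, a compression job)
    from being flagged on CPU usage alone, and keeps `python3 -u script.py`
    from being flagged on the `-u` option alone.
    """
    findings = {}
    for p in processes:
        hits = score_process(p)
        if len(hits) >= 2:
            findings[p.pid] = hits
    return findings


# Constructed sample snapshot (not real telemetry). Process 2414 is a miner hiding
# behind a kernel-thread name; 2519 is a "cracked Photoshop" that phones a pool.
FAKE_XMR_ADDR = "4" + "A" * 94
SAMPLE = [
    ProcessRecord(1201, "/usr/bin/python3 build.py", 95.0, 45, {443}),
    ProcessRecord(2330, "/opt/av/avscan --daemon", 2.0, 0, {443}),
    ProcessRecord(2414,
                  "/tmp/.x/kthreadd -o stratum+tcp://pool.example:4444 -u "
                  + FAKE_XMR_ADDR + " -k --donate-level=1",
                  92.5, 120, {4444}),
    ProcessRecord(2519, "/home/user/Photoshop_cracked/ps.exe", 88.0, 60, {14444}),
]

if __name__ == "__main__":
    for pid, hits in inspect(SAMPLE).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

Run against the sample, the script flags pid 2414 on all five indicators and pid 2519 on the pool port plus sustained CPU, while the long-running build (pid 1201) is left alone because CPU load by itself is not evidence of mining. In a real deployment the command-line checks are the easiest for an attacker to evade (a miner can read its pool from a config file or an encrypted blob), so the network check is the one worth feeding with actual flow data.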