If 2017 was the year of ransomware, 2018 may well be known as the year of cryptocurrency miners. Crypto mining in and of itself is neither malicious nor a security event. However, the same tools and domains that any individual may use to legitimately mine their own crypto are also being used by botnets to infect your computers and mine crypto for cybercriminals. A mode of illicit mining that is making a rapid comeback is the abuse of your browser session to mine crypto while you visit a compromised website.

Browser-based mining, or drive-by mining, had nearly died off after first appearing on the hacking scene in 2011. With the rapid increase in bitcoin's value and the rise of a variety of alternative cryptocurrencies, cybercriminals are again finding it both a relatively safe and a lucrative way to generate money.

Rather than targeting individual computers or workstations, which are often protected by strong endpoint protection or sit inside an enterprise network, hackers compromise websites and inject a small amount of code into their pages. When you visit such a website the code executes and uses your browser's processing power to mine crypto for as long as you stay on the site. Often this results in a significant slow-down in page loading or download speeds. The sustained full CPU load also increases power draw and heat and can thereby shorten the life of your computer.

One of the most common illicit crypto miners is Coinhive. While not exclusively malicious, this miner is among the most commonly seen "bad" miners. Coinhive is specifically designed to use a website and its visitors' browsers to mine crypto. The "legitimate" use is for website owners to generate side revenue by installing Coinhive and using their visitors' processing power to generate Monero. Monero is a cryptocurrency designed for the privacy minded, as it allows transactions to be carried out anonymously; as you might imagine, it has quickly become a favorite in the cybercrime arena. 2017 research into Coinhive indicated that it was active on over 30,000 websites and generated over $150,000 in Monero each month, a number that has likely increased now that hackers are deploying it illicitly.

The thing is, crypto mining is an interesting dilemma for companies and website owners. Clearly, you do not want it found on your network or website, unless you intentionally put it there. But the direct damage it does is relatively minor. Yes, it costs you money in terms of increased electricity usage and eats up your bandwidth, but the miner itself carries little to no risk of data loss or remote access for hackers. The caveat is that an attacker who can inject a mining script into your site could just as easily inject something worse, so a miner on your own website is evidence of a compromise that needs investigating, not just a nuisance. In the current security environment, CISOs and their information security teams are heavily focused on decreasing the risk of data breaches. This alone is more than enough to keep a security team busy full-time. So when it comes down to making decisions based on priorities and risk assessments, organizations may be less likely to put significant emphasis on protecting themselves from crypto mining.

It appears that hackers realize this, and there is a lot of discussion in the community now about the possibility of cybercriminals abandoning ransomware and focusing on crypto mining. Crypto mining makes hackers close to the same amount of money as ransomware (if not more) while using a questionably legal, rather than blatantly illegal, methodology. It can also remain active longer than ransomware, because it is not designed to be loud and draw attention; the longer it stays unnoticed, the more currency it produces. Essentially, it is lower risk and higher reward than ransomware. It's almost a no-brainer for hackers.

Impact

So if crypto mining is lower risk, why should you care and what should you do about it? Well, as mentioned, it still costs you money, and it is still unauthorized access to your network (particularly when a botnet infects your systems or your website is hijacked). Crypto mining malware and activity therefore need to be accounted for in your security plans.

Mitigation

  • Train your staff to visit only legitimate, well-known websites to the extent possible. Drive-by mining primarily occurs on more obscure websites.
  • Ensure your security monitoring and detection rules include crypto mining indicators, such as connections to known mining domains and miner scripts injected into web pages.
  • Update your anti-virus and endpoint protection software.
  • Investigate unexpected or inexplicable increases in CPU usage, especially sustained browser CPU load that disappears when a particular tab is closed.
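The mechanism described above (a small script injected into a compromised page, which loads a miner library and starts mining in the visitor's browser) and the mitigation point about detection rules can both be illustrated with a small scanner. The following is an added example, not code from the original post or from Security On-Demand: it looks for two indicators in page HTML and in proxy logs. The indicators assumed here are the real Coinhive loader URL (coinhive.com/lib/coinhive.min.js) and Coinhive's documented JavaScript API (`new CoinHive.Anonymous('<site key>')` followed by `miner.start()`); the subdomain match is meant to also catch the miner's WebSocket endpoints under coinhive.com. The sample HTML, the site key and the proxy log lines are constructed for the example, and the log format is an assumption.

```javascript
// Added example: detect drive-by mining indicators in page HTML and proxy logs.
// Not part of the original post. Indicator list is deliberately short; extend
// MINER_HOSTS from your own threat intelligence.

const MINER_HOSTS = ["coinhive.com"]; // known miner / mining-proxy domains

// Extract a lowercase hostname from an absolute or relative URL ("" on failure).
function hostOf(url) {
  try {
    return new URL(url, "https://example.invalid/").hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// True if host is a listed miner domain or any subdomain of one
// (e.g. WebSocket proxies such as ws001.coinhive.com, an assumed example).
function isMinerHost(host) {
  return MINER_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Scan raw HTML for <script> tags that load a miner library or that
// instantiate the Coinhive API inline. Returns an array of findings.
function findMinerIndicators(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src && isMinerHost(hostOf(src[1]))) {
      findings.push({ type: "script-src", detail: src[1] });
    }
    // Any constructor in the CoinHive namespace (Anonymous is the common one).
    if (/\bnew\s+CoinHive\.\w+\s*\(/.test(body)) {
      const key = /\bnew\s+CoinHive\.\w+\s*\(\s*["']([^"']+)["']/.exec(body);
      findings.push({ type: "inline-miner", detail: key ? key[1] : "(site key not found)" });
    }
  }
  return findings;
}

// Scan proxy log lines for requests to miner domains. Assumed (constructed)
// log format: "<timestamp> <client-ip> <method> <url> <status>".
function findMinerTraffic(logLines) {
  const hits = [];
  for (const line of logLines) {
    const f = line.trim().split(/\s+/);
    if (f.length < 5) continue; // malformed line, skip
    const [time, client, , url] = f;
    if (isMinerHost(hostOf(url))) hits.push({ time, client, url });
  }
  return hits;
}

// Constructed sample input: a compromised page with an injected miner.
const SAMPLE_HTML = `
<html><head><title>Recipes</title>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0000');
  miner.start();
</script>
</head><body>...</body></html>`;

// Constructed sample proxy log lines.
const SAMPLE_LOGS = [
  "2018-02-12T09:14:03Z 10.0.0.21 GET https://www.example.com/ 200",
  "2018-02-12T09:14:04Z 10.0.0.21 GET https://coinhive.com/lib/coinhive.min.js 200",
  "2018-02-12T09:14:05Z 10.0.0.21 GET wss://ws001.coinhive.com/proxy 101",
  "2018-02-12T09:14:09Z 10.0.0.33 GET https://www.example.org/news 200",
];

console.log("page indicators:", JSON.stringify(findMinerIndicators(SAMPLE_HTML)));
console.log("log hits:", JSON.stringify(findMinerTraffic(SAMPLE_LOGS)));
```

Two caveats a practitioner should keep in mind: a domain list only catches miners that load from known hosts, so a copy of the library served from the compromised site itself, or an obfuscated inline loader, will slip past the HTML check, which is why the CPU-usage and network-connection indicators in the list above still matter; and a match on your own website's HTML means the site was modified by someone else, so treat it as a compromise and look for what else was changed.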

About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.

Sources: PCMag; Symantec
