Cryptomining Rapidly Advances as Online Threat

Few online threats have grown as rapidly as cryptojacking, the use of scripts that process cryptocurrency blockchain operations on a compromised computer. This stealthy malware increased 4000% in 2018 according to a McAfee Labs report. Easily embedded, broadly cross-platform and carrying a low risk of discovery or punishment, cryptojacking has provided a massive new opportunity for cybercriminals.

A plethora of cryptocurrencies have entered the market since the introduction of bitcoin. While the internal algorithms and minted quantities of cryptocurrencies differ, all major platforms use distributed mathematical computation to keep accurate ledgers with blockchain technology. The cost of electricity is a major limiter on the profitability of a cryptocurrency mining operation. The cryptocurrency reward for volunteering computing power to ledger calculations diminishes unless a given host is powerful enough to outcompete other miners in solving a sufficient portion of a given ledger segment. Massive dedicated blockchain mainframes are a significant energy drain, and the arms race to secure cryptocurrency payment for processing ledger calculations is difficult to enter without massive overhead. Just as with the harnessing of massive numbers of IoT devices to form malicious DDoS botnets, however, the ease of ensnaring a distributed network of computers to perform the calculations at the bidding of a central controller allows a single operator to reap the profits from the electricity and processing power of others' computers.

Originating in late 2017 when the Coinhive hacking group created a software routine easy to embed in almost any website, cryptojacking has developed into two broad categories of exploits that mutate faster than current detection or prevention methods can address. Large cryptojacking packages may include built-in exploits for various operating systems and, tellingly, lists of other cryptojacking programs that they uninstall to ensure unfettered use of processing resources. This malware is commonly embedded in spam emails and hidden in classic phishing lures like downloadable PDFs. One cryptojacking implementation even included code to pause operations when the mouse was active so as not to overtly alert users to the system slowdown caused by the strain on the processor. Cryptojacking programs embedded as JavaScript apps are running on countless webpages, making any visitor to those websites a participant in blockchain processing. Less detectable than installed cryptojacking programs and easily dispersed through ordinary website use, browser cryptojacking has spread seemingly unconstrained. Browser cryptojacking has engulfed websites so rapidly that the Opera, Chrome and Firefox web browsers have made efforts to curtail the malicious scripts or limit the processing power available to embedded JavaScript.

Almost any internet-connected device can be harnessed into a cryptojacking scheme. IoT devices, a long-standing headache for network administrators, are easily enlisted into a cryptojacking network by scripts that crawl the web looking for vulnerable endpoints. Tablet computers, mainframes and employee desktops have all been infected and used in mining schemes. The Radiflow security firm found an aggressive cryptojacking program embedded in the control systems of a European water utility, degrading performance. Any access to the internet can turn a user into a vulnerability if the webpage they visit uses their processor for cryptojacking operations during their stay. The Smominru cryptojacking botnet infected massive numbers of computers in India and Russia, earning $3.6 million USD for the bot herders from mined Monero cryptocurrency. Cryptojacking botnets often target less notorious but still lucrative cryptocurrencies such as Monero, a darling of cryptojacking programmers. Staying hidden and running with as little interruption as possible make cryptojacking a unique cybersecurity threat.

Large-scale ransomware attacks are easier to intercept and block than embedded JavaScript code. Cryptojacking also comes with a more consistent return on investment. Hackers frequently do not collect ransoms for a successful ransomware attack, but every bit of computing power used by a browser or installed cryptojacking package will earn a return if the network is large enough. Exploits vary in severity and in the level of compromise of the host system, but often the damage is limited to an increased electricity bill and stress on a processor. In comparison to a locked hard drive or the illicit download of major databases, cryptojacking exploits are much more difficult to detect and, if sufficiently hidden, may not create enough distress to warrant the attention of heavily-taxed IT staff. Major web browser and cybersecurity groups are taking note of the cryptojacking phenomenon following its banner year in 2018. Currently the wide dispersal of the exploits makes them difficult to fully root out. Diligence about consumed bandwidth and processing power is still one of the most reliable indicators to professionals that an exploit is compromising their system. After years of sophisticated and damaging ransomware attacks, the popularity of cryptojacking represents a pivot to the stealthy use of distributed malware services in our still-expanding reliance on the internet.
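The article's own detection advice is to watch sustained processing and bandwidth use, since a miner leaves no locked disk or ransom note, only a process that pins the CPU for hours and keeps a small, constant trickle of traffic to its pool. The following Python script is an added example, not code from the article or its author: it takes periodic per-process samples and flags any process whose CPU share stays above a threshold for a sustained window, noting whether that process also carries traffic in every sample. The sampling interval, the thresholds and the sample data are constructed assumptions a defender would tune for their own environment.

```python
"""Sustained-resource-use detector (added example, not from the article).

Flags processes that keep the CPU busy for a sustained window, the pattern
the article names as the most reliable cryptojacking indicator. Sample data,
sampling interval and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# One sample: (time_seconds, process_name, cpu_fraction, bytes_out)
Sample = Tuple[int, str, float, int]

INTERVAL_S = 60  # assumed sampling interval between consecutive rows


def _series(proc: str, cpus: List[float], outs: List[int]) -> List[Sample]:
    """Build a time series of samples for one process (constructed data helper)."""
    return [(i * INTERVAL_S, proc, cpu, out) for i, (cpu, out) in enumerate(zip(cpus, outs))]


# Constructed data: a miner-like tab that never idles and always talks to its pool,
# a legitimate build job that spikes briefly, and an idle mail tab with bursty traffic.
SAMPLES: List[Sample] = (
    _series("chrome-tab:news", [0.91] * 10, [1800] * 10)
    + _series("make", [0.97] * 3 + [0.04] * 7, [0] * 10)
    + _series("chrome-tab:mail", [0.03] * 10, [400, 0, 0, 900, 0, 0, 0, 300, 0, 0])
)


def _group_by_process(samples: List[Sample]) -> Dict[str, List[Tuple[int, float, int]]]:
    """Group rows per process and sort each group by timestamp."""
    by_proc: Dict[str, List[Tuple[int, float, int]]] = defaultdict(list)
    for t, proc, cpu, out in samples:
        by_proc[proc].append((t, cpu, out))
    for rows in by_proc.values():
        rows.sort()
    return by_proc


def longest_high_run(rows: List[Tuple[int, float, int]], cpu_threshold: float) -> int:
    """Length (in samples) of the longest unbroken stretch at or above the threshold."""
    longest = current = 0
    for _, cpu, _ in rows:
        current = current + 1 if cpu >= cpu_threshold else 0
        longest = max(longest, current)
    return longest


def flag_sustained(
    samples: List[Sample],
    cpu_threshold: float = 0.8,
    min_seconds: int = 300,
    interval_s: int = INTERVAL_S,
) -> Dict[str, Dict[str, object]]:
    """Return {process: summary} for processes busy for at least min_seconds in a row.

    A short spike (a build, a page load) drops out; a process that never lets go
    of the CPU, and keeps a constant trickle of outbound traffic, stays flagged.
    """
    flagged: Dict[str, Dict[str, object]] = {}
    for proc, rows in _group_by_process(samples).items():
        run = longest_high_run(rows, cpu_threshold)
        if run * interval_s < min_seconds:
            continue
        avg_cpu = sum(cpu for _, cpu, _ in rows) / len(rows)
        flagged[proc] = {
            "high_run_seconds": run * interval_s,
            "avg_cpu": round(avg_cpu, 2),
            # Every sample carried traffic: consistent with a pool connection
            # rather than the bursty pattern of ordinary browsing.
            "steady_traffic": all(out > 0 for _, _, out in rows),
        }
    return flagged


if __name__ == "__main__":
    for proc, summary in flag_sustained(SAMPLES).items():
        print(f"{proc}: {summary}")
```

Run as-is it reports only the news tab, whose CPU share never drops and whose outbound traffic never stops; the build job is ignored because its three busy minutes fall short of the five-minute window. In practice the rows would come from a resource monitor or endpoint agent rather than the constructed list, and the thresholds would be set against a baseline of the host's normal load.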

About the Author

Alexander Hutchins

Alexander Hutchins focuses on cybersecurity issues and has competed in a number of cyber defense competitions and simulations. Aside from his technical expertise, Alexander maintains experience in the pharmaceutical sector. He earned his BS in Journalism and Mass Communication from Iowa State University.
