What Is Cryptojacking?
Cryptojacking is the unauthorized use of someone’s computer to mine cryptocurrency. This is typically done by installing malware on the victim’s computer that uses their processing power to mine cryptocurrency without their knowledge or consent.
Cryptomining can slow down the victim’s computer and cause it to use more electricity, potentially leading to higher electricity bills for the victim. Cryptojacking is a form of cyber attack and is illegal in many countries.
This is part of a series of articles about application security.
In this article:
How Does Cryptojacking Malware Work?
Cryptojackers often bait users into clicking on links in phishing emails and downloading malicious code to their devices. Another approach is to infect websites using cryptojacking command lines embedded in HTML code—this code then runs the mining program automatically when the user opens the infected webpage.
Some types of cryptojacking malware can even pass the virus to additional devices. In some cases, attackers can benefit from the large computing resources of a server farm for free.
Cryptojacking attacks don’t usually involve the corruption or theft of personal data. The main objective is to access and utilize the machine’s computing power. Hackers have an incentive to remain undetected because the longer the mining program runs, the more cryptocurrency they can obtain.
The Impact of Cryptojacking
The main way that cryptojacking impacts a victim’s computer is by slowing it down and causing it to use more electricity. This is because the malware installed on the victim’s computer will use their computer’s processing power to mine cryptocurrency.
Cryptojacking malware can strain a computer’s hardware, cause it to overheat, and might shorten its lifespan. In addition, having malware installed on a computer can leave it vulnerable to other attacks.
Cryptojacking Attack Methods
There are two main types of cryptojacking attacks:
- Web browser-based attacks involve using a website or online ad to deliver the cryptojacking malware to the victim’s computer. When the victim visits the website or clicks on the ad, the malware is automatically downloaded and installed on their computer. This type of attack is known as “drive-by cryptojacking” because the victim’s computer is compromised simply by visiting a website.
- Host-based attacks involve installing the cryptojacking malware directly on the victim’s computer. This can be done through a variety of methods, such as sending the victim a malicious email attachment, using a fake app or game that contains the malware, or compromising the supply chain of a legitimate software provider and inserting the malware into the software.
Coinhive was designed to be a legitimate way for website owners to generate revenue from their websites without relying on advertising. However, it was widely used by attackers to deliver cryptojacking malware to victims’ computers without their knowledge or consent. Eventually, Coinhive was shut down in March 2019 due to declining user interest and increasing regulatory scrutiny.
WannaMine is a type of malware that is used in cryptojacking attacks, first discovered in 2018. It is typically delivered to victims’ computers through a phishing email that contains a malicious attachment. When the victim opens the attachment, the WannaMine malware is installed on their computer. The malware then uses the victim’s computer to mine the Monero cryptocurrency.
In addition to mining cryptocurrency, WannaMine is also designed to spread itself to other computers on the same network. WannaMine v4.0 is the latest version of the WannaMine malware. It was discovered in 2020 and is known for using multiple methods to avoid detection and removal. It is also capable of stealing sensitive information from the victim’s computer.
FaceXWorm uses social engineering to trick Facebook Messenger users into clicking fake YouTube links. They arrive at a fake site that urges users to download a Chrome extension to view the content—this extension hijacks their Facebook account and connects them to a network of friends, to allow the worm to spread. In addition, it deploys the FaceXWorm malware and starts mining cryptocurrency on their device.
FaceXWorm does not only hijack a user’s device to mine cryptocurrency. When users try to log in to certain sites, such as Google or MyMonero, their credentials are hijacked, and they are redirected to fake platforms that require the user to pay cryptocurrency. As part of this process, the worm leverages the user’s credentials to transfer large amounts of cryptocurrency to the attackers.
Black-T is a cryptojacking malware variant created by TeamTNT, a cybercriminal group that targets AWS credentials on compromised systems and mines for Monero currency. Traditionally, TeamTNT targeted APIs with exposed Docker daemons and scanned for vulnerable systems to carry out cryptojacking attacks.
However, the Black-T code provides enhanced capabilities, including targeting and blocking previously unknown cryptojacking worms like the Crux worm and ntpd miner (a redis-bakup cryptominer). It also uses password scraping operations in memory with mimipenguins and mimipy, identifying passwords and exfiltrating them to the TeamTNT control center.
Black T can also extend the group’s cryptojacking efforts by combining different network scanners to identify Docker daemon APIs in the target network, including in local and public networks. These include pnscan, masscan, and zgrab—the first time TeamTNT has used a GoLang tool.
Best Practices for Detecting and Preventing Cryptojacking Attacks
The following best practices can help detect and prevent cryptojacking in your organization:
- Keep computers and web browsers up to date—make sure that devices and web browsers are always running the latest version, as these updates often include security fixes that can protect against new forms of malware.
- Use a reputable anti-malware software—install and regularly update antivirus and security software on all devices to help protect against malware and other threats.
- Educate users to be cautious when opening emails and attachments—emails and attachments from unknown sources are often used to deliver malware, including cryptojacking.
- Prevent unauthorized downloads—implement company policies and content filtering systems to ensure users can only download legitimate, approved software.
- Use ad blockers—consider using a reputable ad blocker to protect against drive-by cryptojacking attacks that use online ads or popups.
- Use zero-day protection—zero-day protection involves using software or other technologies to protect against new and unknown threats that have not been seen before. This can help protect against new forms of cryptojacking that are not yet recognized by traditional antivirus and security software.
- Implement strong authentication—strong authentication involves using multiple methods to verify a user’s identity before granting them access to a system or network. This can help prevent access to sensitive systems by cryptojacking malware.
- Protect cloud resources—the cloud can provide large-scale resources for cryptojacking. If you use cloud computing services, make sure to properly secure cloud resources to prevent unauthorized access—implement strong authentication, encrypt data in transit and at rest, and regularly update your security software and settings.
- Use anti-bot protection—anti-bot protection involves using software or other technologies to detect and prevent botnets, which are networks of compromised computers that are often used to distribute malware. Anti-bot protection can help prevent malware from spreading to a computer or network.
Cryptojacking Attacks in Cloud Native
Hackers compromise cloud accounts to create distributed cryptomining workloads—they compromise vulnerable and misconfigured cloud computing resources and use it for cryptomining, overloading systems and resulting in higher charges for cloud services.
For example, the Romanian hacker group Outlaw compromises Linux servers and Internet of Things (IoT) devices by using default or stolen credentials and exploiting known vulnerabilities to launch DDoS attacks or mine Monero currency. Another group, TeamTNT, is more sophisticated, targeting software service vulnerabilities—it claimed it would stop operating but ramped up its attacks instead.
Another group responsible for many cryptojacking exploits in the cloud is Kinsing. It quickly targeted the Log4j vulnerability to compromise cloud native environments. Other hackers have discovered ways to exploit free-tier services for continuous integration and continuous deployment (CI/CD) pipelines. They target Azure DevOps, CircleCI, BitBucket, GitHub, and GitLab to combine transient workloads into cryptomining cloud services.
Securing Cloud Native Applications with Aqua Security
Aqua replaces outdated signature-based approaches with modern controls that leverage the cloud-native principles of immutability, microservices and portability. Using dynamic threat analysis, machine-learned behavioral whitelisting, integrity controls and nano-segmentation, Aqua enables modern application security protection across the lifecycle.
Aqua’s full lifecycle security approach provides coverage for all clouds and platforms, integrating with enterprises’ existing infrastructure and the cloud native ecosystem.
Secure the Build
Accelerate development by detecting security issues in your artifacts early and shortening time to remediate. “Shift left” security into the CI/CD pipeline, get full visibility into the security posture of your pipeline and reduce the application attack surface before application deployment.
Secure the Infrastructure
Enforce compliance across the stack, gain real-time visibility and control over your security posture. Monitor, detect, and automatically remediate configuration issues across public cloud services and Kubernetes clusters. Ensure conformity with CIS benchmarks, PCI-DSS, HIPAA, GDPR and other regulations.
Secure the Workloads
Protect applications in runtime using a zero trust model, with granular controls that accurately detect and stop attacks. Unify security across VMs, containers, and serverless on any cloud, orchestrator, and operating system. Leverage micro-services concepts to enforce immutability and micro-segmentation.
- Vulnerability scanning: Scan CI pipelines and registries, container images, VM images, and functions. Find known vulnerabilities, malware, embedded secrets, OSS licensing, configuration, and permissions issues and prioritize based on potential impact
- Dynamic Threat Analysis: Detect and mitigate hidden malware and supply chain attacks in container images using a secure sandbox
- Cloud Security Posture Management (CSPM): Continuously audit cloud accounts and services for security risks and auto-remediate misconfiguration
- Container Security: Use scan results to set policies for image deployment and prevent the use of unapproved images. Mitigate known vulnerabilities with Aqua vShield, preventing exploits with no code changes. Enforce container immutability by preventing drift against their originating images