2022 has seen a slowdown for the cryptocurrency ecosystem, as well as a decrease in demand for cryptocurrency-related activities like cryptomining. Even before the catastrophic implosion of the FTX cryptocurrency exchange, multiple market bubbles (from failed exchanges other than FTX) and events like Ethereum’s highly anticipated transition from proof of work to proof of stake have dampened enthusiasm for cryptocurrencies.
Despite this, we’ve seen growth in cryptocurrency-related cybercrime, such as cryptojacking, throughout the year. Cryptojacking remains one of the most common and dangerous types of cyberattack, targeting individuals and organizations alike. Read our brief primer on what cryptojacking is, why it persists, and how to protect yourself from it.
What is Cryptojacking?
Simply put, cryptojacking is the theft of computational resources for the purpose of mining a cryptocurrency. Many cryptocurrencies rely on a process called proof of work, which generates new tokens by rewarding nodes, known as miners, for spending computing power to find hashes that satisfy the network’s difficulty target. Each time a valid hash is found, new coins are brought into existence. Depending on the market cap of a particular currency (or the volume of a miner’s output), mining can be a very profitable enterprise.
Mining has substantial costs, chiefly electricity and compute hardware, which scale with the amount of compute needed to produce tokens. While mining something with the market cap of Bitcoin can be profitable, the resources that must be invested to do so are considerable. This is what incentivizes threat actors to “offload” the cost of compute onto unsuspecting individuals, either through malware that takes over their hardware or through the theft of cloud compute account credentials. Not every cryptocurrency can be mined. Ethereum, for example, which until this year relied on a proof of work algorithm, has moved to one that doesn’t require extensive computation to generate new tokens. And while Bitcoin is technically mineable, its proof of work algorithm makes it increasingly cost-prohibitive to mine using anything other than an ASIC (application-specific integrated circuit) miner. This is why Bitcoin mining has consolidated among existing mining pools and is almost never pursued in cryptojacking campaigns.
Still, cryptocurrency is an ever-expanding universe of tokens, with new coins coming into existence every day. So long as some percentage of these tokens rely on proof of work or similar algorithms, cryptomining will be profitable, because for many threat actors the calculus behind cryptojacking is simple: as long as they aren’t the ones paying for compute, even mining an obscure cryptocurrency worth a tiny sliver of Bitcoin’s value turns a profit.
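Proof of work in miniature, as an added illustration (not code from the original post): a toy SHA-256 nonce search showing that the cost of finding a valid hash doubles with every bit of difficulty, while checking a claimed solution costs a single hash. That asymmetry is the whole reason stolen compute is attractive. The header string and difficulty levels are constructed.

```python
import hashlib
import time


def mine(header: str, difficulty_bits: int, max_nonce: int = 1 << 32) -> tuple[int, str, int]:
    """Find a nonce such that SHA-256(header || nonce) has `difficulty_bits` leading zero bits.

    Returns (nonce, hex_digest, hashes_tried); raises if max_nonce is exhausted.
    """
    target = 1 << (256 - difficulty_bits)  # a valid digest is numerically below this
    for nonce in range(max_nonce):
        digest = hashlib.sha256(f"{header}{nonce}".encode()).digest()
        if int.from_bytes(digest, "big") < target:
            return nonce, digest.hex(), nonce + 1
    raise RuntimeError("no valid nonce below max_nonce")


def verify(header: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, no matter how hard it was to find."""
    digest = hashlib.sha256(f"{header}{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_hashes(difficulty_bits: int) -> int:
    """Average number of hashes per solution; every extra difficulty bit doubles it."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = "constructed-header-2022"  # constructed sample input, not a real block header
    for bits in (8, 12, 16, 18):
        start = time.perf_counter()
        nonce, digest, tried = mine(header, bits)
        elapsed = time.perf_counter() - start
        assert verify(header, nonce, bits)
        print(f"{bits:2d} bits  hashes={tried:<8d} expected~{expected_hashes(bits):<8d} "
              f"{elapsed:.3f}s  digest={digest[:12]}...")
```

Real networks use far more than 18 bits, which is why the hash count, and with it the electricity bill, is the miner's dominant cost.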
How much is cryptojacking growing?
Recent research gives us reason to believe that cryptojacking is on the rise. Atlas VPN found that in Q3 2022 alone, cryptojacking saw nearly 4x growth. These findings appear to be corroborated by Kaspersky research, which found a threefold increase in new cryptojacking miner variants in Q3. Kaspersky has even noted that some major ransomware operators have switched gears to focus exclusively on cryptojacking. Similarly, there are estimates that the cryptojacking solutions market will continue to see strong growth into 2030.
How does cryptojacking occur?
As with ransomware and other sophisticated types of cyberattack, threat actors have many ways to carry out cryptojacking.
Cryptojacking endpoints
Targeting insecure endpoints is one of the most common ways of carrying out cryptojacking. Threat actors install software programmed to divert some of the hardware’s processing power to mining. This is often accomplished through:
- Software vulnerabilities. If a device is running applications that haven’t been patched, or that have unknown zero-day vulnerabilities, this provides a vector for a threat actor to install a cryptojacker on the device.
- Malware. Malware remains a popular way of getting malicious programs onto target devices, and can be bundled with applications a user actually wants, such as pirated content.
- Phishing. Phishing can be thought of as a subset of malware. Often, threat actors trick users into installing a fake version of an application they want. For example, a campaign earlier this month involved duping users into installing a modified version of MSI Afterburner, a free utility by Micro-Star International used by hardware enthusiasts, like PC gamers and DIY PC builders, to monitor and tune their PC components. Emulating or repackaging Afterburner is a logical tactic because the program is intentionally designed to have hardware-level access to a device.
- Supply chain attacks. Similar to phishing, supply chain attacks targeting open-source registries like npm and PyPI have embedded malware into the tools software developers use, potentially leading them to deploy cryptojackers into their own applications and services.
Cryptojacking public cloud accounts
Gaining access to an organization’s cloud compute infrastructure can be a boon, as cloud resources scale with a threat actor’s needs. This is often accomplished by:
- Leaky code repositories. Code repositories have been an attack vector in a wide range of hacks, which we’ve documented before. This is because code repositories often contain hardcoded secrets: passwords and API keys that unlock other accounts and services (such as AWS). Developers may unintentionally hardcode secrets, allowing anyone with access to a repo to view and copy them. Even if a repository is private, this poses a risk if the repo is compromised. Watch the video below for an illustration of how hackers have used code repositories in different kinds of hacks:
[youtube:dmSk8X4pJgE]
- Supply chain attacks. Cryptojackers deployed through open-source registries can not only hijack hardware but also be hardcoded to exfiltrate system information and environment variables. For example, Datadog notes that one malicious PyPI package, when deployed, steals AWS access keys from the target machine via HTTP requests.
- Vulnerabilities. Some attacks rely on targeting infrastructure that’s already exposed. For example, the Kiss-a-Dog cryptojacking campaign analyzed by CrowdStrike last month explicitly targeted internet-accessible Docker and Kubernetes containers.
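The leaky-repository vector above is the one a defender can check for mechanically. As an added illustration (not code from the original post or from Nightfall), here is a minimal scanner for hardcoded AWS keys and credential assignments in a checked-out repository. The sample file is constructed (its AWS values are AWS's documented placeholder credentials, not live keys), and the patterns are assumed to be a starting point rather than a complete ruleset.

```python
import os
import re

# Detection patterns for the secret types this post calls out: AWS access keys
# (the public key-ID format) and generic credential assignments in source/config.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,3}[\"']?([A-Za-z0-9/+=]{40})"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|api[_-]?key|secret|token)\b\s*[:=]\s*[\"']([^\"'\s]{8,})[\"']"),
}
SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}

# Constructed sample file; the AWS values are AWS's documented placeholder credentials.
SAMPLE_CONFIG = """\
region = "us-east-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "hunter2-hunter2"
token = os.environ["API_TOKEN"]
"""


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding per matched secret, keeping only a redacted preview of the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)  # captured secret, or whole match
                findings.append({"path": path, "line": lineno, "type": kind,
                                 "preview": f"{value[:4]}...{value[-2:]}"})
    return findings


def scan_tree(root: str) -> list[dict]:
    """Walk a checked-out repository, skipping vendored and VCS directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings
```

Run `scan_tree(".")` from a repo root, or `scan_text(SAMPLE_CONFIG)` to see the three findings in the sample; the line reading a token from the environment is correctly left alone.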
How can you protect yourself from cryptojacking?
To protect your devices from cryptojacking:
- Always be mindful of what you’re downloading. Stick to downloading apps and application updates from legitimate sources, like your device’s app store, which are less likely to have cryptojackers embedded in them.
- Keep your devices and programs up-to-date. Make sure to regularly apply patches and updates to your operating system as well as any applications running on your device.
- Run an up-to-date security manager on your devices. Whether you’re managing your own device or managing devices for your employees, you’ll want an endpoint agent that gives you visibility into the tasks running on your device while helping you keep your system up-to-date. Read section B of our Security Playbook for Remote-first Organizations to learn more about the security solutions you can deploy to protect your devices.
To protect your cloud accounts from cryptojacking:
- Invest in a solution to protect your secrets. Leaked secrets have enabled privilege escalation in a number of data breaches, so it’s imperative to monitor your systems for credentials, passwords, API keys, and more. Many organizations rely on Nightfall to continuously scan their systems for such findings, in order to prevent threat actors from leveraging them in the event of a security breach. Read our newest guide on how to remove secrets from your environments so that they can’t be used by threat actors.
- Monitor SaaS/cloud user accounts for suspicious activity. Regularly review logs and user activity for cloud accounts and services so that you know what is happening within these systems. You can also invest in security tools that provide user behavior analytics for these platforms.
- Rotate your secrets and change passwords regularly. Regularly change passwords and rotate secrets that are currently in use. This practice reduces the odds that a particular credential or secret will be useful if a threat actor gets hold of it.
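The log-monitoring advice above can be made concrete. As an added example (not code from the original post or from Nightfall), this detector reads CloudTrail-shaped records and flags the pattern a stolen cloud key typically produces: calls from an address never seen for that identity, EC2 launches in regions the team never uses, compute-heavy instance families a deploy pipeline would not request, and a burst of launches from one identity. The baseline sets, the IAM identity, the IP addresses and the log records are all constructed for the example.

```python
import json
from collections import Counter

# Team baseline, constructed for this example: approved regions, compute-heavy
# instance families a deploy pipeline would never request, and known source IPs.
BASELINE_REGIONS = {"us-east-1"}
COMPUTE_HEAVY_FAMILIES = {"p3", "p4d", "g4dn", "g5", "c5", "c6i"}
KNOWN_IPS = {"arn:aws:iam::111122223333:user/ci-deploy": {"203.0.113.10"}}
MAX_LAUNCHES_PER_IDENTITY = 5


def _event(time, name, region, ip, instance_type="t3.micro", count=1):
    """Build a CloudTrail-shaped JSON record with only the fields the detector reads."""
    return json.dumps({"eventTime": time, "eventName": name, "awsRegion": region,
                       "sourceIPAddress": ip,
                       "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
                       "requestParameters": {"instanceType": instance_type,
                                             "instancesSet": {"items": [{"maxCount": count}]}}})


# Constructed log: one routine deploy, then activity typical of a stolen CI key.
SAMPLE_LOG = [
    _event("2022-12-01T09:00:00Z", "RunInstances", "us-east-1", "203.0.113.10"),
    _event("2022-12-01T23:41:02Z", "GetCallerIdentity", "us-east-1", "198.51.100.77"),
    _event("2022-12-01T23:42:10Z", "RunInstances", "ap-southeast-1", "198.51.100.77", "g4dn.xlarge", 4),
    _event("2022-12-01T23:42:15Z", "RunInstances", "eu-west-3", "198.51.100.77", "c5.24xlarge", 3),
]


def detect(events):
    """Return (alert_type, identity, detail) tuples for activity outside the baseline."""
    alerts, launches, seen_ips = [], Counter(), set()
    for raw in events:
        ev = json.loads(raw)
        who, ip, region = ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["awsRegion"]
        if ip not in KNOWN_IPS.get(who, set()) and (who, ip) not in seen_ips:
            seen_ips.add((who, ip))  # alert once per new (identity, address) pair
            alerts.append(("new_source_ip", who, f"{ev['eventName']} from {ip}"))
        if ev["eventName"] != "RunInstances":
            continue
        params = ev["requestParameters"]
        launches[who] += sum(i["maxCount"] for i in params["instancesSet"]["items"])
        if region not in BASELINE_REGIONS:
            alerts.append(("unapproved_region", who, region))
        if params["instanceType"].split(".")[0] in COMPUTE_HEAVY_FAMILIES:
            alerts.append(("compute_heavy_instance", who, params["instanceType"]))
        if launches[who] > MAX_LAUNCHES_PER_IDENTITY:
            alerts.append(("launch_burst", who, f"{launches[who]} instances launched"))
    return alerts
```

`detect(SAMPLE_LOG)` yields no alert for the routine deploy and six for the later activity; in practice the baseline sets would be derived from your own account history rather than hand-written.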