By Jörg Schauff, Threat Intelligence Advisor at CrowdStrike
Cryptojacking is a serious cyber threat to a company’s productivity and security. In 2021 alone, the volume of cryptojacking attacks quadrupled compared to the previous year, according to observations by the CrowdStrike OverWatch team, underlining that the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrencies is becoming increasingly popular.
This development is not surprising: the prices of cryptocurrencies have skyrocketed in recent months, so more and more eCrime attackers have added cryptojacking to their toolset in order to profit from the boom. After all, the number one goal in the eCrime cosmos is money, money, money! And cryptojacking is another tool in an attacker’s arsenal for obtaining payment anonymously after a compromise. Given the current threat landscape, it is therefore likely that the number of cryptojacking victims will continue to increase.
Cryptojacking programs can be malware that is installed on the victim’s computer through phishing, infected websites or other methods that are common in malware attacks, or they can be small pieces of code that are inserted into digital ads or web pages and only work when the victim visits a specific website. Cryptojacking not only affects the performance of systems and consumes an excessive amount of energy, but most importantly points to a bigger problem: gaps in the existing security strategy.
Cryptojacking is not a phenomenon that affects only a specific industry, but according to the OverWatch experts, it currently extends to 14 different industries, from the education sector to the automotive sector to retail.
The wide range of target industries shows that no company is safe from cryptojacking attacks. In addition, the increase in incidents confirms that cryptojacking actors continue to act opportunistically.
This is especially true when IT security has serious gaps, because cryptojacking can then be carried out relatively easily, even by unsophisticated attackers. As a rule, illicit cryptojacking applications do not require elevated permissions and can be installed from standard user accounts. Many popular cryptojackers also come as browser extensions, so they install quickly and quietly in the background. Most mining applications also have a minimal code base; coupled with the fact that the required disk operations are very simple, attackers can quickly write cryptojacking code to disk in a form that blends into legitimate scripts. Cryptojacking applications are usually platform-independent as well, so attackers can reuse the same code across multiple operating systems. Finally, attackers can circumvent network-based defenses by embedding their requests in everyday telemetry traffic and hiding the payload through encryption or obfuscation.
For security teams with limited resources and limited visibility, it is often difficult to combat cryptojacking effectively – but with these tips, you too can counter the risk effectively:
- Pay attention to strict IT security hygiene. IT hygiene is a basic prerequisite for security. Regular patches for vulnerable applications and operating systems as well as the protection of privileged user accounts are important measures for an optimal security situation.
- Implement a state-of-the-art, next-generation Endpoint Protection Platform (EPP). Organizations must be able to prevent and detect all threats, including known and unknown malware, and identify in-memory attacks. This requires a solution that combines next-generation AV protection with endpoint detection and response (EDR) to prevent attacks and maintain complete visibility across the entire environment.
- Rely on Threat Hunting: Threat hunters are particularly good at proactively looking for early signs of cryptojacking activity, understanding the context of the activities, and determining how comprehensive the attack is.
- Learn from an attack and close security gaps: After an incident, security teams need to understand what happened, why it happened, and make sure it doesn’t happen again.
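As an added illustration of the threat-hunting tip above (this is example code written for this page, not code from the article or from CrowdStrike), the following Python script applies three simple hunting heuristics to constructed process telemetry records: miner-protocol strings or miner flags in the command line, sustained high CPU from a script interpreter, and a system image with an unexpected parent. The record fields, thresholds, sample processes and the pool hostname are all assumptions; the rendering process in the sample shows why high CPU alone is not enough to raise an alert.

```python
"""Heuristic hunt for cryptojacking-style processes in endpoint telemetry (example code)."""
import re

# Constructed sample telemetry; values are assumptions, not real endpoint data.
SAMPLE_PROCESSES = [
    {"pid": 4120, "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --type=renderer", "cpu": 12.0, "minutes": 180},
    {"pid": 5532, "parent": "powershell.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 --donate-level=1",
     "cpu": 94.5, "minutes": 240},
    {"pid": 6011, "parent": "explorer.exe", "image": "python.exe",
     "cmdline": "python.exe update_check.py", "cpu": 97.0, "minutes": 360},
    {"pid": 7221, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "cpu": 1.0, "minutes": 1440},
    {"pid": 8008, "parent": "explorer.exe", "image": "blender.exe",
     "cmdline": "blender.exe -b scene.blend -a", "cpu": 99.0, "minutes": 90},
]

# Stratum is the protocol most pool miners speak; --donate-level is a flag of common
# open-source miners. Both are strong signals when they appear in a command line.
MINER_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl|tls)://", re.I),
    re.compile(r"--donate-level", re.I),
]
SCRIPT_HOSTS = {"python.exe", "python3", "node.exe", "node", "powershell.exe", "wscript.exe"}
CPU_THRESHOLD = 90.0      # percent, sustained
MINUTES_THRESHOLD = 120   # how long the load must persist before it counts


def score_process(proc):
    """Return the list of reasons a process looks miner-like (empty list = benign)."""
    reasons = []
    if any(pat.search(proc["cmdline"]) for pat in MINER_PATTERNS):
        reasons.append("miner protocol or miner flag in command line")
    # Miners written as scripts blend into legitimate automation, so watch interpreters
    # that burn CPU for hours; a renderer like blender.exe is excluded on purpose.
    if (proc["image"].lower() in SCRIPT_HOSTS and proc["cpu"] >= CPU_THRESHOLD
            and proc["minutes"] >= MINUTES_THRESHOLD):
        reasons.append("sustained high CPU from a script interpreter")
    # A genuine svchost.exe is started by services.exe; anything else is masquerading.
    if proc["image"].lower() == "svchost.exe" and proc["parent"].lower() != "services.exe":
        reasons.append("svchost.exe with unexpected parent process")
    return reasons


def hunt(processes):
    """Map PID -> reasons for every process that triggers at least one heuristic."""
    flagged = {}
    for proc in processes:
        reasons = score_process(proc)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

In a real deployment the records would come from the EDR's process telemetry, and each hit would be a starting point for the context-gathering the article describes rather than a verdict on its own.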