Breach Preparedness , Cybercrime , Data Breach

Cryptojacking: Mitigating the Impact

How to Deal With the Growing Threat of Browser-Based Cryptocurrency Mining
Cryptojacking: Mitigating the Impact

Cryptojacking, the infiltration of malware to enable browser-based mining of cryptocurrencies on infected websites, is on the rise. What can be done to minimize the impact of these intrusions, which can lead to poor device performance, high electricity use and even potential damage from overheating?

See Also: Live Webinar | Benchmarking Your Organization's Security Performance with Security Ratings

Among the key steps that can be taken are: using browser extensions that block mining scripts, adopting the browser isolation model and carefully monitoring endpoint devices' use of resources (see: How To Shield Browsers From Bad Guys)

Cryptocurrency Mining

Cryptocurrency mining refers to solving computationally intensive mathematical tasks, which are used to verify the blockchain, or public ledger, of transactions. As an incentive, anyone who mines for cryptocurrency has a chance of getting some cryptocurrency back as a reward. Some miners hack into computer systems and install malware to enable them to get extra computing power.

In many recent cryptojacking incidents, according to research by Bad Packets Report, the main culprit has been a JavaScript API called Coinhive. That API has since been cloned for other miners, including CoinImp, Minr and deepMiner.

Coinhive's website provides a number of legitimate use cases for mining Monero digital currency in the browser, including, for example, creating a new revenue stream that enables an ad-free experience. But in most cases, cryptocurrency mining is unsanctioned, and those whose computing power is being used are unaware of the intrusion until they see a slowdown in performance or a significant increase in electricity consumption.

Since September 2017, about 50,000 websites have been hit with mining malware, with over 80 percent of these unsanctioned intrusions using Coinhive's script, according to the Bad Packets Report. In February, for example, a single cryptojacking attack in the U.K. infected over 5,000 websites.

Although many cryptojacking incidents are browser-based, in March, Apple removed a Monero-mining calendar app from its Mac App store after errors in the software caused the mining program to run indefinitely. The app also used significantly more than the planned 10 percent to 20 percent of a Mac's computing power.

A Victimless Crime?

The damage caused by cryptomining is nowhere near as egregious as that caused by other forms of malware.

"Cryptojacking is not a victimless crime, but, it does come close to that because it does not steal your data, spy on you or stay persistent on your computer," says Nick Bilogorskiy, cybersecurity strategist at Juniper Networks. "It is a relatively lightweight attack and uses the spare capacity of your CPU and your power grid, so as long as you are not paying extra for those things, there is no damage to you and virtually no cost to cryptojacking."

Troy Murch, a security researcher at Bad Packets Report, notes: "Affected users will notice their device slowing down due to the high CPU usage in addition to higher electricity bills. This process also generates a lot of heat, and we've seen physical damage in some cases with mobile devices."

What's the Fix?

One way to diminish the impact of cryptojacking is to use browser extensions to block cryptojacking scripts, although some of these could be too heavy-handed.

"At the browser level, I recommend using an extension called minerBlock; this is available for Chrome and Firefox and only blocks cryptojacking scripts (no ad blocking)," Murch says. "Other browser extensions, such as uBlock Origin and NoScript, will also block cryptojacking. However, they also block ads and may break the functionality of websites that require JavaScript."

But there's an inherent flaw with using browser extensions: They use blacklisting and are therefore only functional for sites where there is prior awareness of cryptojacking malware infection.

"It is hard to avoid visiting cryptojacking sites completely as any website can be hijacked and embedded with a mining library," Bilogorskiy says. "Because this is a blacklisting approach, it is unlikely to hold long term."

Browser isolation, a cybersecurity model that physically isolates an internet user's browsing activity away from their local networks and infrastructure, can also play a role in diminishing the impact of cryptojacking malware.

"Because the cryptojacking software is executing away from the end user's machine, various other execution throttling strategies become possible without affecting the end user's browser," says Kowsik Guruswamy, CTO at Menlo Security, which provides browser isolation technology.

Fighting the Malware

Beyond browser-based protection, there are broader ways to address the cryptojacking problem.

"Standard anti-malware strategies apply," David Houlding, director of healthcare privacy and security at Intel Health and Life Sciences says.

"Another very important tactic is monitoring endpoint devices' resource usage."

Those strategies include, for example: safe browsing; not installing questionable software; using anti-malware software; whitelisting executables - especially on servers that have more computational resources and therefore are more appealing targets; and hardening and timely patching of systems to close vulnerabilities.

"Another very important tactic is monitoring endpoint devices' resource usage, especially CPUm and remediate as needed," Houlding adds.

A Long-Term Threat?

With the advent of the Coinhive script at the peak of the 2017 cryptocurrency gold rush, the code provided yet another "get rich quick" scheme in decentralized mining. But illicit earnings reported from cryptojacking attacks generally have been minimal.

For instance, a cryptojacking campaign operator using Coinhive on 11,000 websites for three months made just $7.69, according to Bad Packets Report.

And in the U.K. attack cited earlier, despite infecting over 5,000 sites, the perpetrator only managed to mine about $24 worth of Monero before the operation was shut down, according to The Guardian.

Despite recent declines in the value of certain cryptocurrencies, including Bitcoin and Ethereum, decentralized mining is expected to persist.

"I don't think cryptojacking will die out in the short term - quite the opposite actually," says Juniper's Bilogorskiy. "Our team has seen a trend of attackers switching away from malvertising and instead embracing cryptojacking. We are only in the beginning of the cryptojacking cycle. Its popularity will go up and down, correlating with Monero and Electroneum prices, which are quite volatile."

Any device with a processor is a potential candidate for the activity. And the rise in IoT connected devices opens up a whole new swath of targets.

"The browser is a transient session and therefore one way, but not the only way - and not the best way long term - of cryptojacking," Houlding says. "Installing cryptojacking malware on devices is a major issue."


About the Author

Nick Holland

Nick Holland

Director, Banking and Payments

Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.




Around the Network