November 24 2020
Are cyber criminals hijacking your website and using it to mine for cryptocurrency? Welcome to the world of cryptojacking; a new method that threat actors are using to make money, and they may be exploiting vulnerabilities in your organisation’s security to do it.
2017 was the year ransomware went global. Even if you haven’t heard the name WannaCry you’ll have certainly heard about the attack, it’s the one that affected NHS systems and brought disruption to the organisation for a number of days.
Unlike other attacks, ransomware is designed to make a noise. Letting the victims know that their systems have been breached and demanding a ransom to return systems back to normal.
But has it already fallen out of favour with the criminal fraternity?
The problem with ransomware
When it comes to ransomware there’s one problem from the criminal point of view, the return. Yes, there will always be a few people who are going to pay up in the panic of the situation, but there are absolutely no guarantees.
It has been estimated that the criminals behind the WannaCry attacks made off with £108,953 worth of Bitcoin ransom. Sounds like a lot, but when you consider that over 10,000 organisations and 200,000 individuals had been affected worldwide you can see that the return could have been much larger.
The advice is that you should never pay any ransom requests and it’s good to see that this advice has been taken onboard. But are criminals now looking to utilise attacks that provide a more reliable and steady source of income? That’s where cryptojacking may come into its own.
From cryptomining to cryptojacking
To understand cyptojacking you first need to understand cyptomining. In essence, cryptocurrency transactions are based on complex mathematics, ensuring that currency has not already been used. When a transaction is announced, computers in the blockchain network start to process these complex puzzles and in exchange for the work, people whose computers were used to process the transaction (miners) are rewarded with a small amount of cryptocurrency.
Mining cryptocurrency such as Bitcoin requires huge computational power and to do it successfully you’ll need dedicated hardware and to use a large amount of electricity keeping your rig running, as well as cooling it.
However, things have developed, new coins such as Monero have been introduced and cryptomining can now be achieved via software. Just utilise a few lines of code within your website and the software will use the processing power of your visitors to mine currency automatically.
This isn’t illegal, and some websites have already started to experiment using this type of software to drive revenue instead of using intrusive advertising. A few sites have made this clear to users, but in most cases, it’s still being kept under wraps.
Those who have advertised the fact have seen a good response and in many cases users are preferring this model over traditional ad laden sites.
Criminals aren’t so transparent however and are using use a variety of methods to secretly install this type of software onto browsers, applications, social media, servers and even public wi-fi. The more processing power they can get working for them, the more currency they are able to mine.
Botnets, servers and content delivery systems (CDN) appear to be the most lucrative attacks so far, and it’s no surprise as these can then spread the code to potentially thousands of sites without the need to attack them individually.
Why should you care?
So, if nothing is being stolen why should you care? Firstly, it’s the fact they got in. As we’ve discussed, attackers can get in through a variety of methods and once in can upload any number of payloads. They may choose to install cryptocurrency mining software, but what’s to stop them using ransomware or install a keylogger? Do they now have access to your company data? It’s a dangerous situation to be in.
Secondly, it’s about costs. Cryptomining software uses processing power and as such your electricity usage will increase. Desktop users may experience a slowdown in services and mobile users may lose battery altogether. On an individual level this might not be too concerning, but what if your company servers are affected and your e-commerce website slows down as a result?
Final, there’s the ethical question. Why should you let criminals use your resources for their own profit?
Stay informed, stay vigilant
The first sign that you may have been affected is the increase in CPU usage. Are your processors running at capacity even when you are using little to no applications, are you experiencing a sudden slowdown of processing performance or even seeing overheating systems or cooling fan failures.
The second way is to check your website code for any cryptomining scripts such as Coinhive. You should also monitor your network carefully to review all web traffic going in and out of your organisation.
Phishing is the primary delivery method of this type of software and employees need to be trained regularly on what to look for and what the consequences could be of clicking on an infected link. You may also need to remind them of password security policies and the importance of creating strong passwords.
Scripts could also be delivered through web ads and therefore it’s important that anti-cryptomining extensions such No Coin or NoScripts are installed and are up-to-date on all browsers, with any malicious websites blocked.
If you are using a CDN you’ll need to look towards SRI Integrity Attributes and to using a Content Security Policy (CSP) within your website.
Finally, you’ll need to investigate how the software got into your system, that way you can fix the holes and improve your security posture off the back of the experience.
Improving your security with Secarma
Whether you want to protect your business from cryptojacking or ransomware attacks, our security consultants are here to help. We work closely with our clients throughout the testing process to uncover vulnerabilities and support you in your security improvement efforts.
Find out how Secarma can help take your cybersecurity to the next level by contacting one of our expert security consultants here.