Hackers in a money frenzy: How do I recognise cryptojacking and protect my company against it?
by Svenja Koch
Bitcoins and other cryptocurrencies appear in the news again and again. The main reports are about rising prices. Bitcoins in particular are constantly reaching new highs. In April 2021, the value of a bitcoin reached more than 50,000 euros for the first time. However, the rising value of cryptocurrencies also attracts cybercriminals.
What are cryptocurrencies and how do they work?
Cryptocurrencies are means of payment that exist exclusively in digital form. There is no central bank or similar institution responsible for managing them. Rather, these currencies are based on blockchains and digital signatures, each of which verifies individual transactions. This makes cryptocurrencies independent and at the same time forgery-proof, as the information is stored in a distributed manner.
The value of such a cryptocurrency depends largely on the users. Since a transaction involves a direct exchange between currency and goods or services, the buyer and seller determine the value. Accordingly, there are no fixed exchange rates to the known, official currencies such as the euro. At the same time, there is a permanent exchange between bitcoins and euros, as many see the digital currencies as an object of speculation.
Cryptocurrencies function globally and without exchange rates. Likewise, transactions are not traceable by outsiders and therefore remain secret. Owners store their cryptocurrency in so-called digital wallets, from which they send and receive it. This peculiarity is one of the great advantages of the technology; at the same time, it is why Bitcoin and other digital currencies are so interesting for criminals.
This is what is behind cryptojacking
Cryptojacking is a technique for illegally using the resources of other people's computers. It is interesting in the context of cryptocurrencies, and to understand why, it is important to know how these currencies work. The decentralised design of Bitcoin and similar digital currencies requires the users of the system to provide computing power. At the centre is a database in which all transactions are stored. This database is constantly growing, and immense computing power is needed to manage the data. In return, the users receive a share of the currency units of the cryptocurrency in question. This process is also called "mining".
A mining scene established itself early on. Here, savvy users operated entire computer farms with the aim of farming digital currencies. Optimising the processes and using efficient hardware makes this worthwhile. Powerful, modern graphics cards have proven to be effective. Especially in the area of Bitcoins, this method was and is popular. The reason for this is the high value of this currency, which is also increasing rapidly.
However, acquiring such an infrastructure is expensive, and the profit depends on how the value of the cryptocurrency develops. For this reason, criminals rely on cryptojacking. The actual process of mining is comparatively simple: a piece of software takes care of it in the background. The important thing for the cybercriminals is to get that software onto as many computers as possible without being noticed. This creates a virtual server farm that is connected and farms a certain digital currency. The high profits that such a farm delivers give rise to new forms of cyber threats. At its core, it is a centrally controlled bot network.
Hackers use these methods for cryptojacking
The goal of cryptojacking is to gain control over as many computers as possible and remain undetected. A successful attack is therefore one in which the owner of the infiltrated system is unaware of the cybercriminal's activities.
There are three different forms of cryptojacking. Temporary and drive-by cryptojacking are similar in methodology. Both require an active connection to a prepared source and are mostly browser-based attacks. The victim is lured to a website, which then uses the computer's resources for cryptomining. If the user leaves the website, the connection is broken. With drive-by cryptojacking, a pop-up window may remain open in the browser and the mining continues. The local system itself, however, is not compromised: the mining process ends at the latest when the user restarts the computer. Not only PCs are threatened by this type of attack, but also smartphones, tablets and similar devices with which users surf the internet.
The third type is continuous cryptojacking. This requires direct access to the target system, on which the attackers install the software needed for cryptomining. There are a variety of methods that hackers use for continuous cryptojacking. One way they deliver their programmes to the target systems is with manipulated software: the components for mining are hidden in an app that is advertised as free. Anyone who downloads and installs such an app also unsuspectingly launches the attackers' mining software. In the same way, hackers infect their victims via video streaming or file sharing platforms. Drive-by downloads via prepared websites are also popular. With clickbait or an email containing a link, the criminals lure targets to such websites, which then infect the system via a hidden download in the background.
Internal criminals also play a role in cryptojacking. In larger organisations and companies, a lot of computing power is available. Every workstation, the servers and other computers on the network are potential systems with usable resources. If it is an employee from IT, they also have the ability to directly bypass the existing IT security. This type of cyber threat is referred to as shadow mining.
Criminals have the same goal when attacking larger infrastructures. They use well-known methods such as phishing or compromising user accounts to gain access to networks. As soon as the hackers have access to the network, the installation of the mining software begins.
How to recognise cryptojacking
Cryptojacking is quite difficult to detect compared to other cyber threats. At the same time, there are some very characteristic features that suggest an infection with mining software. In many cases, classic IT security defence mechanisms are not able to detect cryptomining. This is because virus scanners, for example, do not recognise many of the techniques used as harmful.
When criminals misuse someone else's computer for mining, they try to ensure that this remains undetected for as long as possible. This is in the attackers' interest, because this way the system's resources are available for their purposes for a long time. Cryptomining does not impair the basic functions of a computer, and other harmful effects are rare. The cybercriminals are only interested in the pure computing power they need for the mining process. This is also the point at which it becomes possible to recognise whether one's own system is being misused for mining: a PC that mines cryptocurrency is usually permanently utilised.
The processor is therefore working at full load, which is noticeable in various ways. First, this generates more waste heat, so the fan of the processor cooler is louder than usual. Second, the high processor load makes the system respond much more slowly than usual. Signs of unnoticed use for cryptomining are programmes that take a long time to start or to execute commands. If such a slowdown occurs suddenly, this is an indication of possible illegal cryptomining.
Mining Bitcoins also requires a lot of energy. Due to the high utilisation of the CPU, the power consumption increases. An increased electricity bill is therefore another indication of undetected cryptomining. Especially in companies with a large number of systems, this causes considerable additional costs. Thus, these cyber threats also indirectly cause financial damage.
Increased electricity costs are also one way companies recognise shadow mining by an internal perpetrator. There are other characteristics as well. Miners are often keen to keep systems running for as long as possible, preferably even around the clock. So if PCs in the company are suddenly in permanent operation, this also indicates illegal use of the resources by an inside perpetrator.
Preventing illegal cryptomining on your own IT infrastructure
With a system for early detection of successful attacks or compromises of the network, it is possible to contain or prevent cyber threats of this kind in time. With such a proactive cyber defence approach, there is ongoing monitoring of processes and workloads on systems within the organisation. These software-based solutions send warnings when there are changes in behaviour, for example when the utilisation of processors suddenly increases significantly or computers suddenly run around the clock. This saves IT security from having to permanently check the systems manually and is also more reliable.
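As an added example (not from the article or the author's service), the following Python script applies the indicators described above, sustained full CPU load, a sudden rise compared with a host's usual utilisation, and a machine that now runs around the clock, to constructed hourly telemetry; the thresholds, host names and readings are assumptions for illustration.

```python
from statistics import mean

# Thresholds are assumptions for this example, not values from the article.
HIGH_LOAD = 85.0   # percent CPU that counts as "full load"
JUMP = 40.0        # rise in average load (percentage points) treated as a change in behaviour
WINDOW = 6         # consecutive hourly samples that must all be at full load

def analyse_host(today, baseline, high=HIGH_LOAD, jump=JUMP, window=WINDOW):
    """Return the indicators found for one host.
    today/baseline: 24 hourly CPU readings in percent; None means the host was powered off."""
    alerts = []
    on_now = [v for v in today if v is not None]
    on_base = [v for v in baseline if v is not None]
    # Indicator 1: the processor is permanently at full load (loud fan, slow programmes)
    if len(on_now) >= window and all(v >= high for v in on_now[-window:]):
        alerts.append("sustained full load")
    # Indicator 2: behaviour change - average load jumped well above the usual level
    if on_now and on_base and mean(on_now) - mean(on_base) >= jump:
        alerts.append("sudden rise in utilisation")
    # Indicator 3: a machine that used to be switched off overnight now runs around the clock
    if None not in today and None in baseline:
        alerts.append("running around the clock")
    return alerts

def analyse_fleet(today_by_host, baseline_by_host):
    """Map each host to its indicators; hosts with no findings are omitted."""
    report = {}
    for host, today in today_by_host.items():
        found = analyse_host(today, baseline_by_host[host])
        if found:
            report[host] = found
    return report

# Constructed sample telemetry: two workstations and one server, 24 hourly readings each.
OFF = None
BASELINE = {
    "ws-01": [OFF] * 8 + [20, 35, 40, 30, 25, 45, 38, 22, 15] + [OFF] * 7,
    "ws-02": [OFF] * 8 + [15, 30, 35, 28, 20, 40, 33, 18, 12] + [OFF] * 7,
    "srv-01": [10, 8, 9, 12, 11, 10, 15, 25, 40, 45, 50, 48, 44, 46, 50, 42, 38, 30, 22, 18, 14, 12, 10, 9],
}
TODAY = {
    "ws-01": [OFF] * 8 + [22, 30, 42, 28, 26, 40, 35, 20, 14] + [OFF] * 7,  # normal working day
    "ws-02": [88, 91, 93, 90, 95, 92, 94, 96, 92, 95, 97, 94, 96, 98, 95, 97, 96, 93, 91, 94, 92, 95, 93, 90],
    "srv-01": [96, 97, 95, 98, 96, 97, 95, 96, 98, 97, 96, 95, 97, 98, 96, 95, 97, 96, 98, 95, 97, 96, 95, 98],
}

if __name__ == "__main__":
    for host, alerts in analyse_fleet(TODAY, BASELINE).items():
        print(host, "->", ", ".join(alerts))
```

In a real deployment the readings would come from the monitoring agent's CPU and uptime metrics rather than from inline constants.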
Further tasks for IT security are already known from the prevention of other cyber threats. Among other things, IT security must raise awareness among the company's employees. Visiting unknown websites and opening email attachments poses a high IT and information security risk in the corporate sector. Employees must be trained to inform IT security of any conspicuous behaviour on their own workstations, in particular slow working speed and hanging programmes.
It is also the responsibility of IT security to ensure that browsers are secure. Here, pop-up protection and blocking interactive Java content are important to prevent drive-by cryptojacking. Another IT security task is to provide special protection for accounts with extended rights. Administrator rights should be used as sparingly as possible. The same applies to the authorisations of employees in the network. User accounts may only have the absolutely necessary rights.
Cryptojacking is another cyber threat in the long list of threats that modern IT security has to deal with. The approaches show that hackers have very different goals and motives for attacks. This asymmetrical situation poses challenges for IT security and requires the use of specific technology to ward off all these cyber threats. Thus, the scope of IT security is constantly growing, which does not make securing networks any easier. However, as in many other areas, prevention and the use of the right IT security tools ensure a high level of security.
Expert tip: With a system for early detection of successful attacks or compromises, there is continuous monitoring of processes and workloads on the systems within the organisation. Our Active Cyber Defense Service identifies compromised systems by recognising conspicuous communication behaviour. This enables them to be isolated in a targeted manner and cleaned up quickly. If, for example, an active cryptomining attack is identified by the service, we will immediately assist you with IR experts if required.