Cryptojacking: How to Stop Coin Miners From Hitting Your Network

It wasn’t the Christmas gift Jonny Platt was expecting.

Back in December, the founder of SEO Scout, a U.K. site analytics software firm, says he was “horrified” to see $45,000 in charges show up on his Amazon Web Services (AWS) cloud-computing statement, which typically ran about $300 a month. A “scammer” apparently broke into his company’s cloud-hosting account using an unsophisticated hack to steal server-processing power for the sole purpose of generating cryptocurrency, through what is known as “coin mining.”

The hacker’s haul? An estimated six Monero, an amount of cryptocurrency worth a lowly $1,100 at the time.

Identify and contain adversaries before they can spread across your network.

“What a waste,” wrote Platt in a Twitter post. “The majority of [small- and medium-size businesses] that take the bait would be destroyed by a sudden $45,000 bill. I can tell you, it is fricking scary.”

Platt, who eventually convinced AWS to write off the charge, is among a skyrocketing number of business owners whose systems have been hijacked for coin mining. Indeed, Malwarebytes reports
a 300% increase in cryptomining malware in 2021. SonicWall saw
51 million attacks during the first half of the year. And Google says
86% of 50 Google Cloud compromises were used for coin mining.

Also known as “cryptojacking,” coin-mining hacks frequently fly under the radar of most IT security departments. That’s partly because they aren’t as potentially catastrophic as better-known threats, such as ransomware or distributed denial-of-service (DDoS) attacks. But it’s also because these hackers try to get into networks and stay there as long and silently as possible.

Like thieves who figure out ways to divert fractions of pennies that banks forget about—stealing millions of dollars in the process—cryptojackers succeed by directing tens of thousands of servers to do their illicit handiwork.

How coin miners make money from cryptojacking

Hacking at scale is the only way criminals can make real money from coin mining.

For legitimate entrepreneurs, coin mining is a painstaking process that uses powerful computers to verify or solve extremely complex mathematical problems, the results of which are recorded and tracked on digital ledgers, or blockchains. Each time a miner solves
a problem, they are rewarded with digital coins. Entrepreneurs
with the right equipment and patience can make a modest living
doing this.

[Most] who take the bait would be destroyed by a sudden $45,000 bill.
I can tell you, it is fricking scary.

But cybercriminals generally prefer bigger, multimillion-dollar paydays. For them, the path to success lies in amassing tons of processing power and solving an enormous number of problems—quickly and regularly.

“If you have to pay the power bill for coin mining yourself, you’re not going to make a whole lot of money doing it,” says Duncan Miller, director of endpoint security for the cybersecurity and systems management company Tanium. “But if you can get someone else to foot the bill for you, then it becomes a whole lot more attractive.”

Cryptojackers achieve this feat using the same exploits involved with more prevalent forms of malware. Phishing attacks, for example, trick users into clicking on links that place crypto-mining scripts onto corporate networks. Another approach is to install scripts on websites or digital ads. The script executes without installing anything on a person’s computer. Computer servers become part of the crypto-mining collective, running algorithms in the background. Most users are none the wiser.

Cryptojackers target powerful graphics cards

Some cryptocriminals also target graphic cards, commonly used by gamers and also most laptop users, thereby gaining processing power for coin mining. But they do that in ways an IT department might not expect from their now remote and occasionally gaming employees.

Nvidia’s GPUs (graphic processing units), for example, became a popular platform for coin miners looking to maximize energy generation. But because this wasn’t an intended use, the vendor installed software known as a Lite Hash Rate (LHR) to deter such activity. That triggered a war, of sorts, with a prolific hacking gang called Lapsus$. In February, the South American group reportedly stole about 1 terabyte of data from Nvidia and threatened to leak it if Nvidia didn’t eliminate its LHR.

The average organization is unlikely to suffer directly from such activities, but those that are affected typically face many potential problems. They might run into network performance issues, for example. Or system overheating, which then requires more cooling. Their energy bills might spike as a result. IT support time and costs could also rise, increasing pressure on already understaffed, overworked IT departments. And, of course, they could start seeing highly inflated cloud-service bills, as was the case with SEO Scout.

[Read also: The growing need to unify IT and security]

While the impact of cryptojacking on individual networks isn’t always high, if someone is able to get malware on a network to mine cryptocurrency, that means a company is vulnerable to other forms of malware, according to cybersecurity expert Travis Taylor, who co-hosts the podcast What the Hack with Adam Levin.

“They could decide to graduate, at some point, to launching more threatening types of malware,” Taylor told Endpoint. “Or they
could sell their access to others on the dark web. Either way,
you’re vulnerable.”

Combating cryptojacking with cyber hygiene practices

John Pescatore, director of emerging security trends with the SANS Institute, says that because coin-mining hacks are largely using “standard attack techniques with different payloads, different goals,” organizations should apply basic cyber hygiene controls to minimize risk and reduce damage.

You must constantly adapt to keep hackers at bay.

To get started, Roland Diaz, director of technical account management at Tanium, recommends applying an asset management tool to capture a complete and up-to-date view of an enterprise’s inventory. The idea is to know not only which computers, servers, or virtual machines (VMs) are accessing the network, but also which applications and processes are running on them. Just as an average computer user might view their system performance to learn
what’s slowing down a PC, it’s important for IT organizations to monitor, identify, and address unusual activity across the enterprise, Diaz says.

“With asset management, I can go in, look at the library of things I own, and say, ‘OK, I’m going to target these eight applications because I know there’s something malicious in them.’”

Miller of Tanium says IT security teams should also use endpoint detection and response (EDR) tools to discover known activities. Organizations want to be looking for IDs such as BTC and XMR, which relate to Bitcoin and Monero, respectively, including file
names and command lines, he says. While EDR is not a cure-all for every threat that hits a network, in a situation like this it can be put
to good use.

[Read also: Endpoint detection and response 101—what EDR is and where it falls short]

IT security should also monitor for machines that seem to be using above-average CPU or memory processing power, he says. Just as DEA agents might watch for unusual energy use in homes to find illegal drug labs, IT teams can scrutinize computer performance issues to spot cryptojacking activity.

Miller says organizations can also use EDRs to hunt for known “bad hashes” that are associated with cryptojacking. These include:

• c717c47941c150f867ce6a62ed0d2d35
• 0c0195c48b6b8582fa6f6373032118da
• 1f776e609dcf28e1170a3167c30b0c6b

“It is possible to look for these known bad hashes to identify unauthorized activity in your environment,” he says. “Once you’ve done that,” he says, “it’s pretty easy in most cases to remove the
coin miners.”

Using threat hunting to identify cryptojacking

Miller warns that once a potential coin-mining threat has been neutralized, it is important to conduct a forensic investigation to see how hackers compromised the system. Even though the immediate problem has been addressed, the vulnerability still exists.

In some cases, he notes, an attack might not have come from the outside. It could have been an insider “borrowing” corporate resources to make a little money on the side. Experts like Taylor recommend educating employees about the risks and threats to their jobs if they were to allow company IT resources to be used in a detrimental way.

[Read also: Why workers violate cybersecurity policies]

Miller advises forensic investigators to operate like threat hunters, considering a wide range of contributory factors, such as:

• IDs. Did a hack result from compromised credentials?
• Strategy. Did hackers access credentials through phishing, social engineering, or employee negligence or hostility?
• Timing. When did the event begin?
• Frequency. Was it a lone occurrence or did repeated hacks happen?
• Future risk. Did the event open a door to other threats that may be more financially and operationally harmful?

According to experts, cryptojacking is not going away anytime soon. In fact, they expect to see an increase in frequency and severity.

“No matter what defenses you put up to thwart attacks, cryptojackers seem to find a way around them eventually,” says Taylor. “There will always be some new, creative way to avoid security protocols. You must constantly adapt to keep hackers at bay.”