How to Stop Cryptomining and Cryptojacking Attacks

Cryptomining and cryptojacking attacks are on the rise

In the last six months, we’ve seen an escalation in malicious cryptomining and cryptojacking activities. Tesla AWS S3 was hacked to run cryptomining malware. The U.S. Courts official website, UK’s National Health Service (NHS) and Information Commissioner’s Office, and the Australian state governments for Victoria and Queensland were also unwittingly drawn into a cryptomining scheme.

Even the popular Google Chrome Extension was caught quietly cryptojacking on more than 100,000 users’ computers. The Oracle WebLogic vulnerability was primed to pump cryptocurrency. Then the Jenkins RCE flaw (CVE-2017-1000353) was exploited by hackers who made nearly $4 million in cryptocurrency by mining.

It’s the large potential payoff that squarely positions cryptomining and cryptojacking as the cybersecurity industry’s latest and greatest challenge.

Cryptomining and Cryptojacking: A Primer

In brief, cryptomining is a process that miners use to solve complex mathematical problems. Whoever solves the problem first gets the reward. To claim the cryptocurrency prize, a miner must be the first to arrive at the correct criteria when using the associated cryptographic hash calculation. This, in turn, allows them to validate a transaction and add it to the underlying network. This process is also called proof-of-work.

Proof-of-work was devised to deter denial of service attacks and other abuses, such as network spam, by requiring some work from the requester. As a result, proof-of-work requires a large amount of computing speed and power, which leads to high CPU and GPU usage and system overheating. And this is where a majority of the problem lies.

While cryptocurrency mining itself can be legitimate, the resource requirements of cryptocurrency mining have led to the use of mining pools, which group individual computing power to accelerate the proof-of-work process. Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. For this purpose, the public cloud has become an easy target.

To expand their cryptomining capabilities, and thereby increase their chance of profits, hackers are hijacking the computing power of public clouds. This can damage the integrity of the public cloud and cause a drastic slowdown of services for legitimate users. In a slightly different format, hackers are also adding very small pieces of code on popular websites or into browser extensions to use the computers of website visitors to mine cryptocurrency.

Why Cryptomining and Cryptojacking Attacks are Difficult to Detect

In the Tesla case, hackers were able to infiltrate Tesla’s Kubernetes admin console through an unprotected AWS S3 bucket’s credential. Within one Kubernetes pod, not only were they able to find Tesla telemetry, mapping and vehicle servicing data, but they also were able to run scripts using a lesser-known mining software later identified as Stratum. To avoid being detected as an anomaly, the hackers intentionally throttled the CPU usage. They also masked their internet addresses and mining pool servers behind services offered by CloudFlare, a popular CDN, and by using a non-standard port.

In the case involving a number of government websites in the United States, UK and Australia—including the U.S. Courts—it was revealed that the hackers deployed an altered version of the popular plugin Browsealoud. This particular version of Browsealoud infected the websites with a very small piece of Coinhive code, which is used to generate units of cryptocurrency called Monero. The Google Chrome Extension case falls into the same malware category. As a result of this attack, every end user that browsed the website or used the extension became cryptomining victims. This type of malware is often called fileless cryptomining malware because the victims don’t see a file download, which is the typical telltale sign of a malware attack.

The known CVE-2017-1000353 vulnerability exists because there is no validation of the serialized object, which means that any serialized object will be accepted. To exploit this vulnerability in the Jenkins case, the cryptomining operator simply had to send two subsequent requests to the Jenkins CLI interface. The last request contained two main objects: (1) the Capability object that informs the server of the client capabilities, and (2) the Command object, which contains the Monero miner payload. Once the injection makes its way onto Jenkins server, the minerxmr.exe (miner file) is downloaded from the drop-zone server, and finally the start command is sent to begin generating cryptocurrency for the attacker at the victim’s cost.

Similarly, Oracle Weblogic’s CVE-2017-10271 vulnerability was also exploited to plant a hybridization of Remote Access Trojan (RAT) and XMRig. This group of hackers were mining AEON. Interestingly, even though they were achieving a similar hash rate as in the Jenkin’s case, they earned much less and so would have most likely switched to Monero.

Detecting and Preventing Cryptomining and Cryptojacking

To excel at cryptomining and cryptojacking, malware authors are becoming increasingly innovative. This makes it more and more difficult to detect and prevent cryptomining and cryptojacking attacks when using conventional security tools.

As we can tell from the cases above, the execution of cryptomining and cryptojacking attacks can be really stealthy. The attacks progress quietly through the stages—from compromising the admin console, exploiting the vulnerabilities, delivering mining software to the first compromised system, spreading the mining software laterally within the cloud, and the final mining.

But all mining software, whether file-based or fileless, must connect to either the cryptocurrency network or a mining pool to exchange data and fulfill the blockchain’s proof-of-work duty. This creates a proof-of-footprint, which can be used to accurately identify and prevent cryptomining and cryptojacking activities.

Cryptomining and Cryptojacking Security Solution Requirements

To detect cryptomining and cryptojacking vulnerability exploits in cloud environments, a security solution must be able to detect mining applications, catch the mining software (malware) as it moves towards the service applications/functions and as it moves laterally between the applications/functions. It must also manage across the multi-cloud to cover the breadth of popular cloud services enterprises are using—including VMware, OpenStack, AWS and Azure.

The innovation of hackers can only be combated by security innovations. Following the Serverless Security Philosophy enables the speed and modern capabilities necessary to provide rapid and automated provisioning and enforce a combination of dynamic and static rules that are needed to identify and stop an attack in progress within cloud environments.

Manuel Nedbal

Avatar photo

Manuel Nedbal

Manuel serves as the engineering and architectural lead for the development of the ShieldX platform, and as its overall technical visionary. In his spare time, he leads the engineering organization, trailblazing inventive new approaches to its structure and processes.

manuel-nedbal has 2 posts and counting.See all posts by manuel-nedbal