Avatar

Although the cryptocurrency market may have lost ~70% of market cap from a high of $835B, it hasn’t stopped malicious actors, ravenous for the next bull run, from mining cryptocurrency. The birth of cryptocurrency has altered the threat landscape making it easier for malicious actors to get paid and remain anonymous. The days of cryptocurrency being used as a ransomware payment vector are not over. Cryptojacking is on the rise and arguably more profitable than ever, especially if undetected in your environment.

Cryptocurrency mining is simply the process of generating new units of the cryptocurrency. In the case of say Bitcoin, a miner uses their computing power to verify P2P Bitcoin transactions and is rewarded with new Bitcoins proportional to the amount of computing power they donated to the Bitcoin network. Cryptojacking is the secret use of your business’ computing power to mine cryptocurrencies through individual machines in browser JavaScript exploits, cloud AWS instances, etc.

The cryptocurrency market is volatile, where daily 30% swings are not uncommon. This is a double-edged sword for malicious actors. Payouts could drastically increase or decrease in value over the course of months, weeks, or even days. This can enable malicious actors to purchase extra hosting infrastructure, buy additional malware programs on the dark web, buy a Lamborghini Sesto Elemento, or even walk away penniless if the market doesn’t move in their favor. The potential for 2x, 5x, or even 100x returns on the cryptocurrency obtained from exploiting your environment is entirely within possibility.

We’ve all seen the news lately – countless sites getting penetrated via numerous vulnerabilities to mine cryptocurrencies. The Tesla hack where an unprotected AWS server was compromised, the malicious injection of Coinhive JavaScript appearing on some of Showtime Network’s websites, as well as ~4,000 other websites being compromised and running Coinhive miners.

When visitors consume content (e.g. reading, watching videos, browsing, etc.) on a site that received malicious injections of JavaScript, the visitors’ machines would mine cryptocurrencies like Monero while they stayed on the site. The JavaScript injections, if coded properly, have little noticeable effect on a victim’s systems.

One of the more nefarious cryptojacking exploits is the hijacking of AWS instances with weak or non-existent Kubernetes passwords which allow actors to easily penetrate instances and set up cryptomining software. The “WannaMine” malware utilizes a tool called Mimikatz that harvests credentials from a computer’s memory and quietly mines Monero in the background. EternalBlue exploits that have been patched do not affect the operation of the miner and allow it to evade detection.

As daunting as this sounds, there are good guys fighting as well. Cisco Umbrella highlighted in Mounting Mining Mayhem that categorized cryptomining sites are “potentially harmful.” With the mounting popularity of cryptomining as a vector for malicious and legitimate mining activity, we have created a new security category dedicated to cryptomining that aims to keep your corporate environment safe from unwanted mining activities.

Our new security category allows you to block malicious cryptomining sites and pools. You can block sites that are using JavaScript exploits to mine cryptocurrencies while users are visiting. You can block legitimate mining pools from potentially being leveraged for nefarious purposes. You can defend against sites that drop malicious miner programs on users’ machines. For those of you that do not mine cryptocurrencies as part of your daily business activities, you should enable this new security category in your Cisco Umbrella policy settings to prevent unwanted cryptomining in your corporate environment. As we like to say, send cryptojacking packing!



Authors

Austin McBride

Threat Analytics Researcher

Cisco Umbrella