Cryptomining Malware on The Rise

How to Prevent the Risk of Crypto-Jacking

New cryptomining malware uses an NSA-exploit to spread to Windows machines while disabling security software and opening the door to future attacks on infected computers. Now is the time for enterprise IT to fortify their defences. Chris Olson, CEO at The Media Trust, provides background on cryptomining and discusses best practices to prevent related incidents.

Cryptomining is the new jackpot for cybercriminals. As cryptocurrencies have grown in popularity and value, cryptocurrency mining has turned into a lucrative business. Around the globe, thousands of websites operated by some of the world’s most recognized companies and government agencies have been compromised by malicious actors anxious to harvest web visitors’ CPU power for their mining operations.

However, when it comes to cryptomining, the industry’s focus is on the attacks and compromised devices rather than the root cause. These attacks are but a symptom of a deeper problem within the digital ecosystem. Most enterprises do not have full visibility into the third-party code rendering on their websites and mobile apps. These third parties make ideal targets for malicious actors, who are continuously probing for ways to make money and secure greater returns on their efforts.

From Money-Making Machine to a Weapon

Cryptomining is a profitable business, and security teams are now seeing a huge increase in “crypto-jacking” as the method of choice for cybercriminal revenue generation.

Recently, FortiGuard Labs discovered a new Python-based cryptocurrency mining malware, dubbed “PyRoMine,” which not only uses the machine for mining cryptocoins, but also leaves machines vulnerable to future attacks because it starts RDP services and disables security services. What makes this incident unique and alarming are the exploit’s ability to spread so fast around the world and disable a machine’s security features for future attacks. The malware authors’ ability to test a campaign before a multi-phased, full-scale launch is also disconcerting. Such a campaign will pave the way for harvesting CPU power and personal data from millions of Windows users.

The soaring number of cryptomining malware incidents like this one reflects the growing interest in cryptomining itself. As more people profit from the rising value of digital currencies, more tools and techniques are developed to mine them. The most widely used is the Coinhive JavaScript for mining Monero digital currency, originally developed for website owners to make more money. Immediately after Coinhive’s launch in late 2017, clones like Coinimp, deepMiner, Crypto-Loot and Minr appeared in rapid succession to grab their share of a fast-growing market. This market’s early adopters included crypto-jackers, those who hijack a device’s processing power for unauthorized mining.

Today, cryptomining represents a new frontier for hackers to launch their attacks. One common hijacking method involves embedding cryptomining code under ad campaigns that appear on a webpage or run on a browser. Another, more popular method is the unauthorized installation of cryptomining code on a website. But no matter how the tool is deployed, when victims browse the site or view the ad, the malicious code secretly harnesses the machine or device’s CPU power, so crypto-jackers can start mining for coins.

What’s more, malicious actors appear to be combining cryptomining JavaScript with a growing arsenal of digital tools to exercise greater control over the machines and devices they take over while spreading the malware.

Best Practices to Avoid Cryptomining

Websites depend on the support of third parties for various features, including analytics, content management systems and customer recognition platforms. Indeed, more than half of all code on a website lies outside a company’s direct control, and as a result, it has become an attractive target for cybercriminals.

As malicious actors have stepped up their game, so should enterprises in securing their digital ecosystem. Companies should have strong digital policies and enforce them. This goes beyond the basics: current AV versions, immediate patch installations, content and/or program download restrictions and website black lists. Cybercriminals infiltrate enterprise websites and mobile apps via unmonitored third-party code through online chat, social widgets, content management platforms, etc. Cryptomining incidents further emphasize the need to expand and adapt vendor risk management programs for today’s digital-first economy.

Third-party vendors are often targeted by malicious actors who want to break into a larger enterprise by attacking the supply chain and slipping in through a secure connection. So, not only do organizations need to secure their own systems, but they also have to ensure that their digital vendors’ security measures are also meeting the enterprise’s standard. Keeping track of third-party vendors and whatever code, they introduce — knowingly or not — to the ecosystem requires continuous real-time scanning of their digital assets. This will enable organizations to assess and document the risks from each of their vendors and help them share policies so they can work with their vendors on improving their security posture. Finally, a sharp eye on the supply chain will enable organizations to terminate vendors who continue to violate policy after they have been put on notice. This type of control will prevent a site from being used as a tool for a crypto-jacking.