Cryptojacking can cost your organization time and electricity – at best. Source: Shutterstock

Cryptojacking explained and solved

WHILE the current plummet in the value of most cryptocurrencies continues unabated, the threats posed to organizations by unofficial cryptomining remain.

Unwanted cryptomining, or cryptojacking, is the process by which users’ computers (or websites they visit) begin to mine cryptocurrencies using hidden code, for the benefit of third parties.

For the uninitiated, cryptocurrency mining is the process by which new digital currency is created. Mining uses a computer’s processing power to solve increasingly difficult cryptographic puzzles online. The more puzzles a computer can solve, the greater the rewards.

The activity of mining does not compromise an organization’s security per se, but the presence of unauthorized cryptocurrency mining does obviously indicate a failing in cybersecurity. Today it could be relatively harmless mining for persons unknown, tomorrow, by the same means of ingress, the problem could be one of keystroke capture or more problematic system breaches.

The effects of cryptojacks on a business are measured in power and time. Firstly, the affected computer spends a significant amount of its resources solving the mining puzzles. This slows down the machine – although, a good cryptojacker will ensure that the code is not too overt in its utilization of the system – and therefore its operator.

Secondly, the electricity used to power mining activities does not come for free. While running a few computers might be thought of as cheap, it is worth bearing in mind that the majority of cost born by commercial mining operations is the power used to run the mining computers. (There are websites which will allow you to calculate the cost of power consumed against rewards of mining, to see if your setup would be economical!)

Cryptojacked computers run native or JavaScript-based mining software. The latter is to be found on either infected websites or on sites which users are drawn to – historically, media streaming or games-hosting sites have been used in this way. When sites are visited, hidden code begins to use the browsing computer’s power.

Native mining software is distributed and installed much in the same way as malware or viruses. Once in place, the payload begins using the host computer’s processor cycles.

In either case, the mining software connects to mining pool sites, which aggregate miners’ activities to create virtual super-computers, which can mine more effectively the more machines which contribute.

Both methods of infection, native apps or JavaScript, communicate using the Stratum protocol as computational tasks are distributed among the computers in a mining pool. The Stratum protocol involves data being sent and received over TCP or HTTPS (technically, WebSockets over HTTP/S).

Organizations wishing to mitigate against cryptojacking have two options, both of which require firewall configuration at a LAN’s gateway.

Deep packet inspection ensures that Stratum protocol traffic over TCP can be detected and blocked. Stratum’s publish/subscribe architecture involves the passing of data packets between servers (mining pool) and subscribed client (affected machine), using JSON-RPC messages. Requests to join mining pools are fairly easily detected, so affected machines on an organization’s LAN can be identified.


A partial list of crypto-mining pools. Source: Cato Research Labs

A broader-brush approach to solving the issue can be simply to block mining sites at the firewall level. Blacklisting public mining pool addresses obviates the problem caused by some pools running the Stratum protocol over HTTPS, which makes detection of suspect traffic far more difficult.

Mining sites’ IP addresses and names are publically available, as pools wish to attract miners. Therefore using lists to wholesale block IP addresses is an effective mitigation, albeit one that requires the compilation of a list of mining pools, plus occasional updates to firewall blacklists as new sites appear.

Cryptojacking may not be as black and white an issue as more malicious hacks, but there is no such thing as a victimless crime. The costs of lost processor cycles and lost manpower hours mount up, and the enterprise would do well to guard against this type of activity: its presence on a network should at least serve as a ringing alarm bell that cybersecurity breaches may be possible.