Cryptojacking explained and solved
While the current plummet in the value of most cryptocurrencies continues unabated, the threats posed to organizations by unofficial cryptomining remain.
Unwanted cryptomining, or cryptojacking, is the process by which users’ computers (or websites they visit) begin to mine cryptocurrencies using hidden code, for the benefit of third parties.
For the uninitiated, cryptocurrency mining is the process by which new digital currency is created. Mining uses a computer’s processing power to solve increasingly difficult cryptographic puzzles online. The more puzzles a computer can solve, the greater the rewards.
The activity of mining does not compromise an organization’s security per se, but the presence of unauthorized cryptocurrency mining obviously indicates a failing in cybersecurity. Today it may be relatively harmless mining on behalf of persons unknown; tomorrow, by the same means of ingress, the problem could be keystroke capture or a more serious system breach.
The effects of cryptojacking on a business are measured in power and time. Firstly, the affected computer spends a significant share of its resources solving the mining puzzles. This slows down the machine (although a good cryptojacker will ensure that the code is not too overt in its use of the system) and therefore its operator.
Secondly, the electricity used to power mining activities does not come for free. While running a few computers might be thought of as cheap, it is worth bearing in mind that the majority of the cost borne by commercial mining operations is the power used to run the mining computers. (There are websites which will allow you to calculate the cost of power consumed against the rewards of mining, to see if your setup would be economical!)
Native mining software is distributed and installed much in the same way as malware or viruses. Once in place, the payload begins using the host computer’s processor cycles.
Minesweeper – a Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 3200 malicious cryptocurrency mining domains (cryptojacking) https://t.co/xykT3N8LBm via @EdOverflow pic.twitter.com/mfGcnrnYH6
— Catalin Cimpanu (@campuscodi) February 4, 2018
In either case, the mining software connects to mining pool sites, which aggregate miners’ activities into virtual super-computers that mine more effectively the more machines contribute.
Organizations wishing to mitigate against cryptojacking have two options, both of which require firewall configuration at a LAN’s gateway.
Deep packet inspection allows Stratum protocol traffic over TCP to be detected and blocked. Stratum’s publish/subscribe architecture passes data packets between the server (mining pool) and the subscribed client (affected machine) as JSON-RPC messages. Requests to join mining pools are fairly easily detected, so affected machines on an organization’s LAN can be identified.
A broader-brush approach to solving the issue can be simply to block mining sites at the firewall level. Blacklisting public mining pool addresses obviates the problem caused by some pools running the Stratum protocol over HTTPS, which makes detection of suspect traffic far more difficult.
Mining sites’ IP addresses and names are publicly available, as pools wish to attract miners. Therefore using such lists to block IP addresses wholesale is an effective mitigation, albeit one that requires compiling a list of mining pools, plus occasional updates to firewall blacklists as new sites appear.
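The two mitigations just described (inspecting TCP payloads for Stratum JSON-RPC messages, and matching destinations against a list of known pool hosts and addresses) can be combined in one detector. The following is an added example written for this article, not code from any firewall product; the pool hostnames, the IP ranges (drawn from the RFC 5737 documentation ranges) and the captured flows are all constructed for illustration, and a real deployment would feed it from packet captures or flow logs and a maintained blocklist.

```python
import json
import ipaddress
from dataclasses import dataclass

# Stratum V1 JSON-RPC method names exchanged between a miner and a pool.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}

# Constructed blocklist entries; a real list is compiled from public pool
# directories and refreshed as new pools appear.
POOL_BLOCKLIST_HOSTS = {"pool.example", "mine.example"}
POOL_BLOCKLIST_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def stratum_methods_in_payload(payload: bytes) -> list:
    """Return Stratum method names found in a cleartext TCP payload.

    Stratum messages are newline-delimited JSON-RPC objects, so each line is
    parsed on its own; binary lines (for example TLS records) are skipped,
    which is exactly why Stratum over HTTPS defeats this check.
    """
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if method in STRATUM_METHODS:
            found.append(method)
    return found


def host_on_blocklist(host: str) -> bool:
    """Match a hostname (from DNS or TLS SNI) or any of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in POOL_BLOCKLIST_HOSTS)


def ip_on_blocklist(ip: str) -> bool:
    """Match a destination address against the blocklisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in POOL_BLOCKLIST_NETS)


@dataclass
class Flow:
    src: str        # internal machine
    dst_ip: str
    dst_port: int
    dst_host: str   # hostname seen in DNS/SNI, "" if unknown
    payload: bytes  # first bytes of the client->server stream


def classify_flow(flow: Flow) -> list:
    """Return the reasons a flow looks like pool traffic (empty if none)."""
    reasons = []
    methods = stratum_methods_in_payload(flow.payload)
    if methods:
        reasons.append("stratum:" + ",".join(sorted(set(methods))))
    if host_on_blocklist(flow.dst_host):
        reasons.append("blocklisted-host:" + flow.dst_host)
    if ip_on_blocklist(flow.dst_ip):
        reasons.append("blocklisted-ip:" + flow.dst_ip)
    return reasons


# Constructed sample flows: cleartext Stratum, Stratum over HTTPS to a
# blocklisted pool, and ordinary HTTPS to an unrelated site.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 3333, "",
         b'{"id":1,"method":"mining.subscribe","params":[]}\n'
         b'{"id":2,"method":"mining.authorize","params":["worker","x"]}\n'),
    Flow("10.0.0.6", "198.51.100.20", 443, "eu.pool.example", TLS_CLIENT_HELLO),
    Flow("10.0.0.7", "203.0.113.50", 443, "www.example.com", TLS_CLIENT_HELLO),
]


def scan(flows=SAMPLE_FLOWS) -> dict:
    """Map each suspicious source machine to the reasons it was flagged."""
    report = {}
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            report[flow.src] = reasons
    return report


if __name__ == "__main__":
    for src, reasons in scan().items():
        print(src, "->", "; ".join(reasons))
```

The second sample flow is the case the article warns about: the payload is a TLS handshake, so payload inspection sees nothing, and only the hostname and address blocklist catches it. Matching on the hostname suffix is what lets one entry cover a pool's regional subdomains.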
Cryptojacking may not be as black and white an issue as more malicious hacks, but there is no such thing as a victimless crime. The costs of lost processor cycles and lost manpower hours mount up, and the enterprise would do well to guard against this type of activity: its presence on a network should at least serve as a ringing alarm bell that cybersecurity breaches may be possible.