Fotolia
Cryptojacking: How to navigate the bitcoin mining threat
Due to the rising value of bitcoin and other cryptocurrency, hackers have started to use cryptojacking to mine bitcoin. Learn what this means for end users with expert Nick Lewis.
Distributed computing on end-user devices has been around since SETI@home came out in the 1990s to advance scientific computing.
Some modern attacks have used a similar concept to mine cryptocurrency. This has given rise to a new threat known as cryptojacking.
Cryptojacking
A recent blog post by Webroot Inc. discussed how cryptojacking builds on top of several different concepts. For example, cryptojacking uses JavaScript in a web browser for crypto mining -- potentially without the end user knowing. Essentially, an attacker steals CPU time and increasingly more power consumption from end users, and the computing power expands as more systems run the JavaScript.
Using JavaScript as an attack tool is an extension of the Low Orbit Ion Cannon used by Anonymous and other attacks.
Crypto mining -- or mining -- is when an endpoint runs an algorithm to compute new hashes for cryptocurrency -- new hashes are needed for cryptocurrencies to expand. While bitcoin is the most common cryptocurrency, and miners use hashes to get it, the jacking part of cryptojacking refers to clickjacking and drive by downloads where a web browser gets infected or takes a specific action when visiting a website.
In the cryptojacking attack Webroot described, the Monero cryptocurrency is mined by an endpoint after visiting a website hosting JavaScript designed specifically to mine Monero. Some end users might intentionally mine cryptocurrency on enterprise endpoints, but it appears that most users were not aware of the malicious JavaScript running on their systems.
It appears that some compromised websites even enlist unknowing site users to mine for the attacker.
The original JavaScript code was released by Coinhive, but it is not as concerned about how its software is used because it can be difficult for the company to differentiate legitimate mining from malicious mining. While it stopped short of calling Coinhive malicious, last fall, Malwarebytes began blocking connections to the domain. Since the attack uses JavaScript, it is relatively easy to copy from one website to another and to make simple customizations.
How to protect endpoints from cryptojacking
Cryptojacking works on any endpoint that allows unrestricted JavaScript to run -- even the most secure endpoints can be affected. Furthermore, running a browser in a sandbox wouldn't help in this case, as cryptojacking only works if unrestricted JavaScript can run.
The most obvious step to block cryptojacking is to disable JavaScript, but that could have undesirable side effects.
Webroot mentioned a few options for blocking cryptojacking, such as using an endpoint security tool that blocks malicious files or JavaScript, along with using web browser extensions, like Adblock Plus. There are also other options, including only allowing trusted websites to run JavaScript or using NoScript, which lets you control what JavaScript is run in your browser.
Enterprises may want to investigate if their endpoint management tool can manage the configuration settings of one of these tools when investigating potential options to block cryptojacking. Enterprises that monitor endpoint CPU usage may also want to investigate when a system runs a CPU at 100% for an extended period.
Likewise, include in your security awareness program that end users should contact your help desk if their system abruptly slows and stays slow for an extended period. Enterprises with network security tools that inspect unencrypted web traffic can also block malicious JavaScript files from the network.
Conclusion
As endpoints get more secure, attackers are targeting humans and abusing legitimate functionality on systems for their own gain. There will always be browser exploits that run malicious code on the endpoint, and being prepared for more serious attacks is necessary in order to protect your enterprise.
Since many of the protections have not changed for several years, they should be frequently reevaluated and incorporated into your enterprise security program.