In response, cryptojackers have upped their game by perpetrating more sophisticated malware-style attacks in recent months. In June 2018, an attack was discovered codenamed “Operation Prowli,” which relied on a variety of exploits. One was Secure Shell (SSH) brute forcing to initiate cryptocurrency mining. Another was redirecting web traffic for the purpose of monetization fraud. The relentlessness of cryptojackers is reflected in recent figures.
Smart cryptojackers are deploying lightweight mining algorithms that utilize enough resources to mine cryptocurrency, but not so much as to attract the notice of the victim by overheating a PC or slowing performance.
In May 2018, Monero-mining malware called WinstarNssmMiner infected half a million computers in three days. The malware was particularly nasty because it crashed users’ systems if the presence of certain antivirus software was detected.
In June 2018, Japanese authorities announced the arrests of 16 persons suspected of mining cryptocurrency without users’ permission. All but one had installed Coinhive software on the unsuspecting users’ systems. The remaining suspect installed a homegrown miner similar to Coinhive. Although the most that any of the suspects gained was small (120,000 yen, or $1,100), the fact that the suspects had not asked for permission prompted the authorities to act.
In February, employees at a nuclear weapons technology research center in Sarov, Russian Federation, were arrested for surreptitiously using the center’s computers to mine cryptocurrency.
Because they might earn only a small amount of cryptocurrency from each compromised system, skilled perpetrators must devise methods to access a large number of machines, so that their efforts yield them a profit.
As attacks become more sophisticated, the preventive measures you take should escalate as well. Experts advise administrators to monitor website activity and use a web application firewall, anti-bot software and other security tools such as next-gen firewalls and intrusion prevention systems.
Also, administrators should monitor servers and endpoint devices for unusual activity – including whether they are running hotter than they should. Any cryptomining software that’s found should be a warning flag for additional malicious activity. Rather than just removing the malicious code, organizations should conduct root-cause analysis to identify how the software was installed and take steps to prevent repeat attacks.
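The monitoring advice above is aimed at exactly the “lightweight” miners described earlier: CPU use high enough to earn, low enough to stay under a conventional high-CPU alert. As an added illustration (not code from the article or any vendor it cites), the script below scans constructed host telemetry and flags machines whose load sits in a moderate band for a long unbroken run while their temperature keeps climbing; thresholds and field names are assumptions to tune for your own fleet.

```python
from collections import defaultdict

# Constructed telemetry (not from the article): host,timestamp,cpu_pct,temp_c,
# one sample every 10 minutes. ws-01 is bursty, ws-02 is steadily warm.
TELEMETRY = """\
ws-01,2018-06-01T09:00,8,40
ws-01,2018-06-01T09:10,95,48
ws-01,2018-06-01T09:20,6,41
ws-01,2018-06-01T09:30,92,49
ws-01,2018-06-01T09:40,5,40
ws-01,2018-06-01T09:50,90,47
ws-02,2018-06-01T09:00,9,41
ws-02,2018-06-01T09:10,52,44
ws-02,2018-06-01T09:20,49,47
ws-02,2018-06-01T09:30,55,50
ws-02,2018-06-01T09:40,51,52
ws-02,2018-06-01T09:50,48,54
ws-02,2018-06-01T10:00,53,55
ws-02,2018-06-01T10:10,50,56
"""

def parse(text):
    """Group CSV samples by host, keeping (timestamp, cpu, temp) tuples."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        host, ts, cpu, temp = line.split(",")
        by_host[host].append((ts, int(cpu), int(temp)))
    return by_host

def find_low_and_slow(by_host, lo=30, hi=75, min_run=6, temp_rise=8):
    """Return {host: (run_length, temp_rise_seen)} for hosts whose CPU sits in
    the [lo, hi) band for at least min_run consecutive samples while the
    temperature climbs by temp_rise degrees or more across that run.
    Samples at or above hi are left to the ordinary high-CPU alert."""
    hits = {}
    for host, rows in by_host.items():
        run = []  # temperatures seen during the current in-band run
        for _ts, cpu, temp in rows + [(None, 0, 0)]:  # sentinel closes last run
            if lo <= cpu < hi:
                run.append(temp)
                continue
            rise = run[-1] - run[0] if run else 0
            if len(run) >= min_run and rise >= temp_rise:
                if host not in hits or len(run) > hits[host][0]:
                    hits[host] = (len(run), rise)
            run = []
    return hits
```

A hit is a prompt for the root-cause work the article recommends, not proof of mining on its own; a long build or batch job produces the same shape, so the host’s process list and outbound connections are the next thing to check.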
“I expect this to continue to be an annoyance,” Westervelt predicted but cautioned against making the cure worse than the disease, since ad blocking and anti-crypto-mining browser extensions might themselves degrade end-user performance. “Enterprise IT teams should test them thoroughly and consider any disruption that they might cause to end users when browsing or accessing custom applications,” he said.