Cryptojacking is the hot new way for criminals to make money, with a recent McAfee study highlighting a 600% increase in the frequency of such cyberattacks during the first quarter of 2018 – a sure sign that cybercriminals are increasingly exploiting the digital currency technology. Barry Shteiman, VP Research and Innovation at Exabeam, shares his views on the topic.
What is cryptojacking?
Cryptocurrencies, like Bitcoin and Monero, are created by using computing energy to solve complex math problems. When a problem is solved, a new piece of currency is made. This is called mining.
While cryptocurrencies are being traded around the world, what we don’t see are the hundreds of thousands of crypto-specialised computers and servers that are ‘mining’ such currencies to release new cryptocurrency into circulation. We’re actually at the point now where Bitcoin mining centres have become the majority of the network. These are places around the world where mining takes place on a large-scale, usually where energy is either inexpensive or free.
Bitmain, a Chinese manufacturer of Bitcoin mining hardware, runs its own mining operation. Last year it pulled in between US$3 and US$4 billion in profits. There is a profit motive in cryptomining, even with a small-scale operation. Large scale cryptomining requires specialised machines that have high processing demands. Examples include ASIC miner machines with their substantial electricity appetite. But with the right software, anyone can operate at a smaller, less profitable implementation using a single laptop.
One of the significant challenges related to cryptomining is the huge amount of energy that it consumes.
Alex de Vries, a Bitcoin specialist at PwC, estimates that the current global power consumption for the servers that run Bitcoin’s software is a minimum of 2.55 gigawatts (GW), which amounts to energy consumption of 22 terawatt-hours (TWh) per year – almost the same as Ireland. Or, put another way, cryptocurrency uses as much CO2 per year as one million transatlantic flights. As a result of the massive energy consumption of mining machines, malicious actors look for ways to mine cryptocurrency without having to absorb the costs. And when cryptomining is done illegally, without authorisation, it turns into the aptly-named crime of cryptojacking. And cryptojacking has become a serious global problem.
Why does cryptocurrency consume so much energy?
Mining cryptocurrency can be CPU or GPU intensive and, therefore, power intensive. To understand how mining functions, let’s look at how the Bitcoin currency works.
Satoshi Nakamoto, the pseudonym for the anonymous Bitcoin creator(s), developed a way to exchange tokens having value online – without using a centralised system such as a bank. Instead, all transaction record keeping occurs in a decentralised Blockchain database residing on thousands of distributed machines. These comprise the Bitcoin network.
Mining computers collect pending Bitcoin transactions, known as a ‘block’, which are turned into a mathematical puzzle. Solving these mathematical puzzles is what consumes compute power. In uncovering the solution, a miner then announces it to the network. Other miners check if the sender of funds has the right to spend the money and whether the puzzle solution is correct. If enough approve, that block is cryptographically added to the ledger Blockchain and the miners move onto the next set of transactions.
The miner who originally found the solution receives 25 Bitcoins as a reward, but only after another 99 blocks have been added to the ledger – hence, the incentive for miners to participate and validate transactions.
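The 'mathematical puzzle' described above is a proof-of-work search: the miner repeatedly hashes the block header with a different nonce until the hash falls below a difficulty target, and there is no shortcut other than trying nonces. The following Python is an added example written for this article, not code from Bitcoin or from Exabeam; it uses Bitcoin's double-SHA-256 but a constructed header prefix and a toy difficulty expressed as leading zero bits. It shows why mining burns compute while checking a solution is one cheap hash, which is the asymmetry that lets other miners validate a block almost for free.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(leading_zero_bits: int) -> int:
    """Toy difficulty: a valid hash, read as a 256-bit integer, must be below this target."""
    return 1 << (256 - leading_zero_bits)


def expected_hashes(leading_zero_bits: int) -> int:
    """Each hash is an independent trial with success probability 2**-bits,
    so on average 2**bits hashes are needed; doubling the bits doubles the work."""
    return 1 << leading_zero_bits


def mine(header_prefix: bytes, leading_zero_bits: int, max_nonce: int = 1 << 32):
    """Search nonces until sha256d(prefix || nonce) is below the target.
    Returns (nonce, digest, attempts), or None if the nonce space is exhausted."""
    target = target_for(leading_zero_bits)
    for nonce in range(max_nonce):
        digest = sha256d(header_prefix + struct.pack("<I", nonce))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest, nonce + 1
    return None


def verify(header_prefix: bytes, nonce: int, leading_zero_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash, whatever the difficulty."""
    digest = sha256d(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for(leading_zero_bits)


# Constructed stand-in for a block header (version, previous block hash, merkle
# root, time ...); a real header is 80 bytes with the nonce as its last 4 bytes.
HEADER_PREFIX = b"constructed-header:prev=0000abcd;merkle=1234ffff;time=1520000000"


if __name__ == "__main__":
    bits = 16  # ~65,536 hashes on average; real Bitcoin difficulty is astronomically higher
    nonce, digest, attempts = mine(HEADER_PREFIX, bits)
    print(f"nonce={nonce} attempts={attempts} expected~{expected_hashes(bits)}")
    print("hash:", digest.hex())
    print("verified with one hash:", verify(HEADER_PREFIX, nonce, bits))
```

Raising `bits` by one doubles the expected number of hashes, which is the whole reason mining scales with electricity rather than cleverness; the network adjusts the real target so that blocks keep arriving at roughly the same rate no matter how much hardware joins.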
Who could be mining cryptocurrency inside your organisation?
Within an organisation, we categorise the potential threats in four buckets:
- The malicious insider – This may be someone who has access to high-performance computing systems and logs on during the evening to engage in cryptomining. The scenario might even involve this person receiving kickbacks to participate.
- The compromised insider – This can occur when someone unwittingly succumbs to a phishing scam, clickbait or a drive-by (where software is downloaded for surreptitious cryptomining). Or where an employee inadvertently downloads free software that might not disclose that it performs cryptomining on the back-end. There are video streaming sites and file sharing networks that have allegedly been cryptojacking users’ computers (as has a free Wi-Fi provider in an Argentinian Starbucks).
- The rationalising insider – Here an individual downloads small-scale cryptomining or cryptojacking software they intend to run when their machine is idle. This miner rationalises that it’s OK to use their machine to generate money when it’s not in use.
- The malicious outsider – Similar to a DDoS attack, which uses a server or service vulnerability, a hacker can hijack an entire connected infrastructure to develop a distributed cryptomining operation. Since not a lot of traffic is generated, and servers in data centres are expected to have a fairly high load, these hijacks may go unnoticed for a long period of time.
Can you share some examples of cryptojacking in action?
After its utility bill skyrocketed over 40%, a Florida Department of Citrus (FDC) employee was arrested in March for allegedly using its computers to mine cryptocurrencies. The employee also allegedly used department funds to purchase 24 graphics processing units (GPUs) totalling nearly US$22,000. GPUs are often used for cryptomining because they can crunch numbers faster than systems using conventional CPU chips. It happened recently to Tesla too, after a Kubernetes console was left unprotected. The risk here is not of data theft but of IT downtime, hardware burn-out, productivity losses and rising energy bills.
We know that cryptomining can use a tremendous amount of energy. But how much of your organisation’s power could cryptominers potentially be using and how much would it cost?
The answer is difficult because it depends on many variables. Determining how many machines are being utilised is a start. However, not all machines consume the same amount of power, which depends on the type and number of CPUs and whether they are using GPUs. It also depends on how often and intensively they are being used. Add in the cooling costs and it’s a complicated equation.
The best thing organisations can do is look for anomalies in their bills and, if seen, start looking for suspicious activity.
What should you look for?
Cryptomining creates a significant deviation in pattern and velocity. Look for a sudden change in capacity or use, as well as for an abnormal executable. For example, consider the sudden night time appearance of an odd executable in an environment that usually only runs EXCHANGE.EXE or NTDS.EXE. This should be flagged as abnormal. Or, consider a machine, ordinarily only operating during daytime hours, that is suddenly running 24×7.
A few straightforward ways to detect such irregular behaviours are to learn what sort of processes and connections servers create with outbound access (to connect to mining pools etc.) and to model the normal behaviours.
The same goes for server capacity and utilisation. In a production environment, there are certain benchmarks that IT performs to ensure proper service is maintained – deviation from these benchmarks may be an indicator of capacity abuse. An emerging technology called entity analytics can automate detection by baselining normal machine behaviour and highlighting the anomalies.
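The three signals above (an unfamiliar executable, activity at hours a machine is normally quiet, and outbound connections a server never used to make) all reduce to the same shape: learn a per-host baseline from a quiet period, then flag events that fall outside it. The Python below is an added example written for this article, not Exabeam's product or any code from the interview; the hostnames, process names other than the two mentioned above, timestamps and the 198.51.100.0/24 destination are constructed sample telemetry. It learns a baseline from one week of events and then scores a later batch, returning every reason an event deviates.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry as (timestamp, host, kind, value).
# kind "proc" = a process start with its image name; kind "conn" = an outbound
# connection to "ip:port". Hostnames and addresses are made up for this example.
BASELINE_LOG = [
    ("2018-03-05T09:02:11", "srv-mail01", "proc", "EXCHANGE.EXE"),
    ("2018-03-05T23:10:00", "srv-mail01", "proc", "EXCHANGE.EXE"),
    ("2018-03-05T09:03:40", "srv-dc01", "proc", "NTDS.EXE"),
    ("2018-03-06T09:05:00", "ws-finance07", "proc", "OUTLOOK.EXE"),
    ("2018-03-06T10:15:02", "ws-finance07", "proc", "EXCEL.EXE"),
    ("2018-03-06T10:15:30", "ws-finance07", "conn", "10.0.0.5:445"),
    ("2018-03-06T17:20:00", "ws-finance07", "proc", "EXCEL.EXE"),
]

NEW_LOG = [
    ("2018-03-12T02:14:05", "srv-mail01", "proc", "miner-sample.exe"),    # never-seen binary, at night
    ("2018-03-12T02:14:08", "srv-mail01", "conn", "198.51.100.23:9999"),  # never-seen outbound destination
    ("2018-03-12T03:30:00", "ws-finance07", "proc", "EXCEL.EXE"),         # known binary, unusual hour
    ("2018-03-12T09:05:00", "ws-finance07", "proc", "OUTLOOK.EXE"),       # matches baseline, no alert
]


class Baseline:
    """Per-host model of what 'normal' looked like during the learning window."""

    def __init__(self):
        self.procs = defaultdict(set)   # host -> executables seen
        self.dests = defaultdict(set)   # host -> outbound destinations seen
        self.hours = defaultdict(set)   # host -> hours of the day with any activity

    def learn(self, events):
        for ts, host, kind, value in events:
            self.hours[host].add(datetime.fromisoformat(ts).hour)
            if kind == "proc":
                self.procs[host].add(value.lower())
            elif kind == "conn":
                self.dests[host].add(value)
        return self


def detect(baseline, events):
    """Return (timestamp, host, kind, value, reasons) for every event that deviates
    from its host's baseline. A host with no baseline at all has every event flagged,
    which is the right default for a machine that appeared from nowhere."""
    alerts = []
    for ts, host, kind, value in events:
        reasons = []
        if kind == "proc" and value.lower() not in baseline.procs[host]:
            reasons.append("executable not in baseline")
        if kind == "conn" and value not in baseline.dests[host]:
            reasons.append("outbound destination not in baseline")
        if datetime.fromisoformat(ts).hour not in baseline.hours[host]:
            reasons.append("activity outside baseline hours")
        if reasons:
            alerts.append((ts, host, kind, value, reasons))
    return alerts


def run_demo():
    """Learn from the quiet week, then score the later batch."""
    baseline = Baseline().learn(BASELINE_LOG)
    return detect(baseline, NEW_LOG)


if __name__ == "__main__":
    for ts, host, kind, value, reasons in run_demo():
        print(f"{ts} {host} {kind}={value}: {', '.join(reasons)}")
```

The learning window here is deliberately tiny so the output is easy to follow; in practice the baseline should span several weeks so that a legitimate but infrequent job (month-end batch processing, a patch window) is already part of 'normal' rather than a false alert, and the hour check is better expressed as a tolerance around observed activity than as an exact set. The event that carries two or three reasons at once is the one worth looking at first, which is exactly the 'sudden night-time appearance of an odd executable' case described above.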
With the value of cryptocurrency increasing, and the less power intensive currencies still nascent, malicious actors appropriating machines for profit will most likely be around for a while.