Cryptojacking, or malicious cryptomining, is a new type of threat that can be described as the unsolicited use of a user’s computing device to mine cryptocurrency. There are two types of cryptojacking attacks: general-purpose and targeted.
In a general-purpose attack, a cryptominer is installed on the infected device, typically as a result of a mass spam campaign that leverages social engineering techniques to establish a foothold on a victim’s machine. Alternatively, such attacks may end up in ransomware delivery. Typically, Trojan-Downloaders, once executed on a user’s machine, check the number of CPUs/GPUs and, if there are two or more of them, the malware favors the installation of cryptomining software.
For example:
- Jan 2018 - a malicious Monero cryptominer called Smominru (a.k.a. Ismo) spread using the EternalBlue exploit (CVE-2017-0144) and managed to earn 8,900 Monero, which was equivalent to approximately $3M.
- Jan 2018 - Monero and Electroneum miners were distributed using RIG EK via the installation of SmokeLoader malware.
- Feb 2018 - Trickbot, delivered through a mass spam campaign, added a Monero cryptomining module.
Examples of targeted cryptojacking attacks:
- Oct 2017 - A security flaw in Oracle’s WebLogic Server (CVE-2017-10271) allowed attackers to install miners at universities and research institutions.
- Feb 2018 - Tesla's Amazon Web Services (AWS) account was exposed, and hackers deployed cryptocurrency mining software called Stratum to mine cryptocurrency using the cloud's computing power.
- Feb 2018 - CheckPoint said that attackers made more than $3 million by mining Monero on Jenkins, exploiting CVE-2017-1000353.
- Sep-Oct 2018 - A misconfiguration in the Docker API led to the deployment of the Monero cryptominer in targets’ environments in China, the United States, France, Germany, and the United Kingdom.
Therefore, we, as well as many other security vendors, consider cryptominers to be Potentially Unwanted Software (PUS) and decided to test enterprise anti-malware solutions against them.
Read the full report at the link.