Crypto-jacking attacks have been making waves in recent months. Unlike most malware, whose objective is typically to steal information, demand a ransom or simply cause damage, crypto-jacking malware aims to stay undetected for as long as possible while stealthily stealing CPU cycles from infected computers, including mobile devices.

The reason is simple: mining crypto-currencies has become a lucrative business. Mining can be performed legitimately, but it requires hardware (specifically CPUs and GPUs) and electricity, and bad actors have realised that covertly infecting other people's machines lets them use someone else's without the owner knowing. Even a small slice of CPU power taken from each of many infected machines adds up to far more mining capacity than an attacker could afford by going it alone.

End-users are typically infected via phishing, malvertising, third-party software bundled with covert mining software, and drive-by downloads. Web servers are typically compromised through SQL injection, remote command execution, cross-site scripting and other common web application vectors; the attacker then either runs a miner on the server itself or injects a mining script into its pages so that every visitor's browser mines on the attacker's behalf.

Common targets are high-traffic sites, which present the opportunity to reach a greater number of visitors. High-powered machines with high-end GPUs also make an attractive target, specifically gaming PCs and anything used for 3D rendering such as animation, virtual reality and high-end graphics. Computers with a lot of CPU power are likely targets too: industries that rely on high-end processors for advanced mathematical calculations, statistical modelling and research, such as education, science and finance, are just some examples.

Common practices such as keeping operating system and browser software current, using an anti-virus product with up-to-date signatures, and using script-blockers that specifically detect crypto-mining scripts are a starting point for reducing the likelihood of falling victim to crypto-jacking. Any organisation should be looking at adding crypto-jacking defences to its existing security capabilities.

Any public-facing web server should be closely monitored and regular hardening checks should be carried out. Network monitoring plays an important role in catching the low-hanging fruit: a miner has to talk to a mining pool, so look for outbound connections and DNS requests to suspicious domains, connections on uncommon ports, and encrypted sessions to hosts the server has no business contacting. Deep packet inspection can help too, because pool traffic uses the Stratum protocol (line-delimited JSON-RPC over TCP, sometimes wrapped in TLS), whose request method names are recognisable when the session is in the clear. Performance monitoring of key servers is also important, but it needs a baseline: a crypto-jacker deliberately steals only a modest share of CPU in order to remain undetected, so the signal is a sustained rise above the host's normal load rather than a machine pegged at 100%.

Physical security should also be reviewed. Access to a communications room or data centre where web servers are situated is another possible infection vector.
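As an added example (not code from the original article), the following Python script applies the network-level and host-level checks described above to a handful of constructed log records and CPU readings. The JSON-lines record format, the list of pool ports, the hostname keywords and the z-score threshold are illustrative assumptions rather than vetted threat intelligence; the Stratum method names are the real JSON-RPC method names that miners send to pools.

```python
"""Added example, not from the original article: triage of outbound-connection
records and host CPU readings for crypto-jacking indicators.

Assumptions (illustrative, not vetted threat intelligence): the JSON-lines
record format, the SUSPECT_PORTS and SUSPECT_DOMAIN_TOKENS lists, and the
z-score threshold in cpu_anomaly().  STRATUM_METHODS are real request method
names from the Stratum mining protocol (JSON-RPC over TCP).
"""
import json
import statistics
from dataclasses import dataclass
from typing import List, Optional

# Assumed: TCP ports frequently used as defaults by public mining pools.
SUSPECT_PORTS = {3333, 4444, 5555, 7777, 14444}
# Assumed: substrings that often appear in mining-pool hostnames.
SUSPECT_DOMAIN_TOKENS = ("pool", "xmr", "monero", "stratum", "nicehash")
# Stratum v1 (Bitcoin-style) and Cryptonote-style (Monero) request methods;
# a miner sends one of these as its first message to the pool.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "getjob", "submit", "keepalived"}


@dataclass
class Finding:
    line_no: int   # 1-based line in the log
    rule: str      # which check fired
    detail: str    # what it matched


def check_connection(rec: dict) -> List[str]:
    """Network-level checks on one outbound connection record."""
    hits = []
    if rec.get("dst_port") in SUSPECT_PORTS:
        hits.append("suspect_port")
    host = (rec.get("dst_host") or "").lower()
    if any(tok in host for tok in SUSPECT_DOMAIN_TOKENS):
        hits.append("suspect_domain")
    return hits


def check_payload(payload: str) -> Optional[str]:
    """Deep-packet-inspection style check: return the Stratum method name if
    the payload is a Stratum JSON-RPC request, otherwise None."""
    try:
        msg = json.loads(payload)
    except ValueError:           # not JSON at all (HTTP, TLS, binary ...)
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    return method if method in STRATUM_METHODS else None


def cpu_anomaly(baseline: List[float], current: float, z: float = 3.0) -> bool:
    """Host-level check: is `current` CPU utilisation (%) at least `z`
    standard deviations above this host's own historical baseline?

    A throttled miner may add only 20-30% load, so a fixed "above 90%" alarm
    misses it; comparing against the host's own history does not."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # constant history: avoid /0
    return (current - mean) / sd >= z


def triage(jsonl: str) -> List[Finding]:
    """Run every check over a JSON-lines log of outbound connections."""
    findings = []
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        rec = json.loads(line)
        where = f"{rec.get('dst_host')}:{rec.get('dst_port')}"
        for rule in check_connection(rec):
            findings.append(Finding(n, rule, where))
        method = check_payload(rec.get("payload", ""))
        if method:
            findings.append(Finding(n, "stratum_method", method))
    return findings


# Constructed sample log: a benign HTTPS hit, a Monero-style pool login, a
# Stratum v1 subscribe to a bare IP, and a plain HTTP download.
SAMPLE_RECORDS = [
    {"src": "10.0.0.12", "dst_host": "www.example.org", "dst_port": 443,
     "payload": ""},
    {"src": "10.0.0.12", "dst_host": "xmr-eu.pool.invalid", "dst_port": 4444,
     "payload": json.dumps({"id": 1, "method": "login",
                            "params": {"login": "WALLET", "pass": "x"}})},
    {"src": "10.0.0.12", "dst_host": "203.0.113.7", "dst_port": 3333,
     "payload": json.dumps({"id": 1, "method": "mining.subscribe",
                            "params": ["example-miner/1.0"]})},
    {"src": "10.0.0.30", "dst_host": "updates.example.com", "dst_port": 80,
     "payload": "GET /patch.bin HTTP/1.1"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

# Constructed CPU history (%) for one host with a normally light load.
CPU_BASELINE = [12.0, 15.0, 11.0, 14.0, 13.0, 12.0, 16.0, 13.0]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
    print("cpu anomaly at 38%:", cpu_anomaly(CPU_BASELINE, 38.0))
```

In real use the connection records would come from a firewall, proxy or NetFlow export and the payload from a packet capture or IDS; the port and keyword lists are deliberately simple and should be replaced with the organisation's own intelligence. The CPU check is the part most often overlooked: because the miner throttles itself, the baseline must be per-host and the alert should fire on a sustained deviation, not a single spike.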