The short, precise answer to ‘what is cryptojacking?’, is that it’s how criminals can make big bucks from your company network. Leaving a trail of dead batteries and burnt-out hardware, here’s the profile of a crypto parasite.
Legitimate Cryptomining
Cryptocurrency is ‘created’ through a process called mining. This is where complex math problems are split down into bite-sized chunks, and distributed across millions of devices. Computer processors then flex their power, allocating a small amount of the user’s CPU to solve these equations.
However, a currency that can be continuously created and duplicated at will is no basis for a system of value. Whereas traditional currency uses banks - an institution that regulates its flow, and ultimately its value, mining is inherently a decentralized system. No single authority model could work. This restricted cryptocurrency’s takeoff for years, as there was no guarantee of verification.
Finally, Satoshi Nakamoto invented the blockchain. This defines cryptocurrency architecture and - put simply - verifies that each completed mathematical problem is linked to the last.
Picture it as setting the currency out in one long, connected line of blocks. Each block is worth 6.25 Bitcoin, for example. To unlock a new block your computer needs to solve a complex equation: this validates the block, and adds it to the chain.
These blocks are set one after another; you can’t just pick one at random.
Just as a bank either increases or decreases the amount of cash printed to maintain its value, PoW guarantees the sustained value of a cryptocurrency by making sure excessive mining does not take place. It does this by scaling the difficulty of each subsequent block.
This process is termed Proof of Work. In a sense, each miner is verifying their own purchase through the successful computation of each complex formula. Once this is achieved, it is added to the link, and the next block is released.
How Monero Hides It
Even though Bitcoin is decentralized, it is not private. Transactions and purchases are all kept publicly available, and every wallet has a unique identifying code. Monero, however, is a cryptocurrency that is both decentralized and private. Mined in much the same way as Bitcoin, Monero transactions remain 100% private and untraceable.
Bitcoin is non-fungible. As every single transaction has a corresponding code, everyone can verify which transactions have taken place on the Bitcoin network. This means that one bitcoin cannot be replaced by any other. Since previous transactions of a Monero coin are entirely hidden, however, Monero is fungible. Much like IRL cash, each coin is considered equal and interchangeable with another.
Heavy Duty CPUs
At the current complexity level of Bitcoin’s blockchain, full-time legitimate crypto miners are using pieces of kit far more powerful than the average PC.
Bitcoin is primarily mined by special dedicated machines called ASICs; these work on specific mathematical formulas called the SHA-256 algorithm. Apart from these, there are hundreds of algorithms which can be mathematically solved with CPUs and GPUs.
Computational power is measured in hashrate per second when mining cryptocurrencies. This is the speed of cyber mining. Mining machines with higher hash rates are fast and can process large quantities of data in a single second.
Power Devourers
This higher computational power comes at a cost: it requires incredible amounts of electricity. All of that power laps up electrical supply, and one study found that it takes an average of 143,000 kWh of energy to produce one bitcoin. That’s the daily electrical usage of almost 5,000 US households.
The electrical consumption of the entire network is even more jaw-dropping: Bitcoin’s network uses an average of 128 GWh of electricity per day.
Cryptojacking
Instead of relying on individual powerhouses, it’s possible to cash in on the lucrative Monero market via quantity over quality. This makes cloud environments - ubiquitous across businesses nowadays - the perfect target. Now, you get to shoulder the monstrous electricity bill!
Unsecure routers paved the way for the first major cryptojacking wave in 2018.
Here, Mikrotik routers were shipped across the globe with zero-day vulnerabilities that went unpatched for months. The attackers - having accessed the admin password from a published proof-of-concept - simply replace a file called error.html. This was originally transmitted by Mikrotik’s web proxy whenever a HTTP error occurred. Instead of the error page, however, the router would now load a web page that downloaded the CoinHive crypto mining software.
Fortunately, this was a relatively painless exploit. The worst users could expect were their laptop fans kicking it up a notch whenever the router loaded a blocked or inaccessible web page.
However, it marked the start of an era.
The following cryptojacking giant was PowerGhost. This was a fileless attack that - having gained access to a company’s infrastructure - would gain login information through the data extraction tool Mimikatz. It would then gain access to user accounts via the remote admin tool Windows Management Instrumentation, and start utilizing their computing power.
Tesla’s Amazon Web Service Cloud became inundated with cryptojackers in 2018, as did Aviva and Gemalto.
Attackers have since become sneakier, concealing their activities from conventional firewall and intruder detection systems by throttling their mining software - this ensures that it doesn’t trigger automatic high-usage-detection systems.
Protecting from Parasites
Thankfully - despite their best efforts - cryptojackers can be fairly self-evident.
If you suddenly experience snail-speed system performance - or devices that run slowly, and crash often - then it could be worth giving your system a quick deworming.
Cryptojacking scripts are overwhelmingly deployed in web browsers. Browser extensions such as No Coin, minerBlock, and Anti Minder are simple but effective in keeping these at bay.
A decent Web Application Firewall - which should be in the cybersecurity arsenal of any company - would stop a cryptojacker in their tracks. A WAF works by monitoring an app’s perimeter, and only allowing whitelisted or non-blacklisted HTTP requests to be fulfilled. The difference between the two approaches are vital to staying safe, especially on an internal-facing application.
Whereas blacklisting offers basic protection from known threats, whitelisting allows only HTTP requests that you know are safe. This could mean the difference between smooth-running systems and extortionate electrical bills.
