Happy anniversary, Coinhive! One year ago, in March 2018, you were named the #1 threat. Coinhive, a legal cryptomining service that allowed a Monero cryptocurrency miner to be installed in computer browsers, was named by multiple cybersecurity firms as the number one malicious threat to internet users. Coinhive achieved the top spot because its code was so often used for cryptojacking: covertly installed on hacked websites to pilfer the processing power of those websites’ visitors’ devices. A year later, thanks to cryptocurrency Monero’s plunge in value, Google’s ban on cryptomining browser extensions in Chrome, and Apple banning cryptomining apps from the app store, cryptomining service Coinhive is calling it quits.
We at ISA say good riddance, one less hackable headache for this cybersecurity solutions firm. Coinhive’s departure from the world of cryptomining and cryptocurrency is indicative of other cybersecurity trends noted by Symantec Corporation and ISA partner McAfee in recent cybersecurity reports.
Cryptomining, cryptojacking and cryptocurrency are all on the decline
As 2019 marches towards Spring, both the snow and cryptomining appear to be declining. The drop in the value of cryptocurrency is most likely a primary reason for cryptomining’s decline. In March 2018, the cryptocurrency Monero was trading at $342 (USD) per coin. Now, Monero is worth less than $50 (USD). That’s a significant depreciation of cryptocurrency in just one year.
Cryptocurrency Bitcoin, Ripple’s XRP and Ethereum are all facing similarly sharp devaluation. Cryptomining’s decline may be because the devaluation of cryptocurrency means cryptomining is no longer profitable enough.
Malicious cryptomining and cryptojacking
Cryptomining done illegally or maliciously is known as cryptojacking.
To seriously venture into cryptomining for cryptocurrency, someone is looking at setting up hundreds, or potentially thousands, of high-powered computer servers. That would typically mean renting space in a data centre where electricity is inexpensive, and cooling is simple.
Alternatively, you can cheat. Cryptojacking is cheating.
A hacker locates a vulnerable website and hides malicious cryptojacking code in it. A corporate user visits the site, not knowing it is corrupted. That unsuspecting user’s machine now supplies the processing power for the cybercriminal to mine cryptocurrency – as long as that user’s web browser is open, the criminal benefits. The only sign the user might notice is slightly slower performance or lags in task execution. Harnessing the power of the user’s machine, the cybercriminal performs the computation required to update the blockchain and release new cryptocurrency. The mined cryptocurrency is deposited into the virtual wallet of the cybercriminal, while the cost of cryptomining, electricity, and the computer hardware’s wear become your organization’s problem.
If cryptomining is on a downswing, then so is cryptojacking. Down, but as Symantec and McAfee both point out, not out. Once a go-to money-maker for cybercriminals, malicious cryptomining and cryptojacking have declined as cryptocurrency gives diminishing returns. “With a 90 percent plunge in the value of cryptocurrencies, cryptojacking fell 52 percent in 2018.” However, cryptojacking remains popular due to minimal overhead and a low barrier of entry.
It’s not just laptops and supercomputers that are at risk for malicious cryptomining. Hackers are using malicious code to make your portable devices, smartphones and tablets, add blockchain entries to cryptocurrencies. There are malicious cryptomining apps that can damage your smartphone. Some of these apps consume vast amounts of processing capacity and cause phone batteries to swell (sometimes so much that it breaks the phone’s back cover) or cause the processor to overheat to the point of implosion.
Android-based devices are a leading target. Infecting your entire environment is the latest cryptojacking technique, meaning an infection can start on your phone but then jump to your tablet and smart TV. McAfee reported that some malicious apps, like “ADB Miner, are spreading through a publicly accessible port via the Android Debug Bridge (ADB).”
In 2018, the number of cryptomining mobile apps grew substantially. Cybersecurity researchers found more than 600 malicious cryptocurrency apps in twenty different app stores. In June of 2018, Apple changed its developer guidelines banning cryptomining apps completely on its devices, including apps that overtax the device. Google followed suit shortly after enacting a similar ban for Google Play apps.
Raj Samani, McAfee Fellow, Chief Scientist said that “Recently we have seen the see-saw between ransomware vs cryptomining tip the balance toward extortion. However, rather than focus on the ups and downs of cryptomining which will likely show fluctuations in line with the price of various currencies, we need to acknowledge that cryptomining is very much an active threat vector on the mobile platform.” As a result of the decline in cryptomining and cryptojacking, cybercriminals may resort to various forms of mobile ransomware as a more reliable revenue source, so be aware that mobile ransomware may be on the upswing and prepare your cybersecurity defences accordingly.
Protecting yourself from cybercriminals with sound cybersecurity
Cybersecurity threats are volatile, as cybercriminals follow the money. If there is a sudden rise in cryptocurrency value, then a resurgence of cryptomining, and therefore cryptojacking, will follow in short order.
Cybersecurity 101: Protecting against cryptojacking:
Cryptojacking needs to be part of a staff cybersecurity education program, with particular focus on phishing-type attempts in which the cryptojacking scripts load directly onto the user’s computer from a bad link. Marc Laliberte, a threat analyst at WatchGuard Technologies, believes that phishing remains the primary method to deliver malware. Laliberte says cybersecurity “training will help protect you when technical solutions might fail.” However, employee cybersecurity education does little to protect against cryptojacking scripts that execute automatically when a user visits a legitimate website.
Ensure your company has an ad-blocking or anti-cryptomining extension installed on all browsers as part of a layered cybersecurity solution.
Use endpoint cybersecurity antivirus software that has crypto miner detection.
Keep all web-filter tools current. If an employee accesses a website that is delivering cryptojacking scripts, ensure users are blocked from that site in the future.
Use a mobile device management solution to better control personal device usage as part of a robust cybersecurity approach.
Of course, none of these protective cybersecurity measures are foolproof. Cryptojackers are continually changing their attacks to bypass endpoint security. The saving grace with cryptojacking is that the hackers don’t want your company’s data. Cybersecurity solutions provider, ISA, can help ensure your organization puts up its best cybersecurity defence against malicious cryptomining.
Cybersecurity 101.1: How do you know if cryptojacking has taken root?
Cryptojacking can affect your organization and detecting cryptojacking can be difficult, especially if only a few systems in an extensive network are compromised. Do not depend on your existing endpoint cybersecurity tools to stop cryptojacking. “Crypto mining code can hide from signature-based detection tools,” says Laliberte. “Desktop antivirus tools won’t see them.”
Here are some ways to detect cryptojacking:
Watch for influxes in help desk complaints about slow computational performance and overheating systems.
Employ network monitoring tools as part of cybersecurity hygiene. Laliberte says, “Network perimeter monitoring that reviews all web traffic has a better chance of detecting cryptominers.”
Monitor your website for any cryptomining code to ensure you’re not a carrier.
Stay current with malicious cryptomining and cryptojacking threat trends. Travis Farral, director of security strategy at Anomali, says “A savvy organization is going to stay abreast of what’s happening. If you understand the delivery mechanisms for these types of things, you know this particular exploit kit is delivering crypto stuff. Protections against the exploit kit will be protections against being infected by the cryptomining malware.” Having strong cybersecurity means continuously evolving.
Cybersecurity 101.2: Respond to a cryptojacking attack
You’ve been hit with a cryptojacking attack. Here’s what you do:
For in-browser JavaScript attacks, it’s an easy fix. Kill the browser tab. Block the website. Deploy anti-cryptomining cybersecurity tools to avoid future attacks.
Learn from the experience and adapt your cybersecurity practice. As with a cybersecurity incident response plan, once an attacker has compromised your system, learn about your network vulnerabilities and then better fortify your system.
Talk to a cybersecurity solutions provider about ensuring you have adequate cybersecurity practices in place and about developing a cybersecurity incident response plan.