What is cryptojacking? How to detect, fix and prevent it.
What is cryptojacking?
You know carjacking? The unfortunate situation where someone steals your car while you are waiting for a traffic light to turn green, and then uses it to rob a convenience store? Cryptojacking is the digital version of it — it’s when a hacker steals your computer’s resources and uses them to mine cryptocurrency.
Cryptocurrencies such as Bitcoin or Monero are obtained through mining, a CPU-intensive operation that consists of repeatedly hashing (a cryptographic primitive). Mining is only a viable business if the cost of the computing power and electricity required to run and cool your systems is significantly lower than the monetary gain you get from mining. So, if you mine on someone else’s computers, you bear none of the costs and keep all the profit.
Injecting mining code into a website is not the only way hackers deliver cryptojacking attacks. The second method is convincing the victim to install malicious code on their own computer, using what looks like a legitimate email or pop-up that calls for some action. However, it is harder to achieve scale this way, since a large number of computers would have to be infected one by one.
One attack, multiple victims
There are two types of victims when a site is abused for cryptojacking: the person viewing the modified site and the site owner.
The biggest victim, however, is the website owner: the hacker was only able to place the malicious code because he or she found and exploited a vulnerability in the website. In other words, the website has been hacked.
Having a mining script there is the least of your problems: what if the same vulnerability was also exploited to steal customer data? With new regulations such as GDPR, companies are under a lot of pressure to protect their customers’ data, and the consequences of failing to do so could be fatal for your business.
How to detect cryptojacking code on your site?
Cryptocurrency mining requires periodically contacting a server, both to get new hashes and to send the calculated hashes to a wallet. Looking for evidence of those communications is therefore an excellent way to detect malicious code hosted on your server. This technique has the advantage of being agnostic to what the malicious code looks like; however, it requires knowing in advance which servers the mining code is known to contact.
Most of these domains belong to widely known services, such as Coinhive. Coinhive provides an easy way for anyone to deploy Monero mining code with a hassle-free setup. Monero has the advantage of giving the attacker stronger privacy guarantees than Bitcoin. Coinhive advertises itself as a service that can provide income to a site owner, for instance by replacing ads.
You should have your site continuously monitored for evidence of malicious code. Probely can help you here by scanning your application and looking for that evidence. It can detect the presence of more than 12,000 domains used by this code, and the list is growing steadily. You can sign up for a free trial and start monitoring your website.
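The detection approach described above, as an added example that is not Probely’s code: it pulls every external script source and every URL opened by inline scripts out of a page, then flags those whose host matches a denylist of known mining domains (matching subdomains as well). The denylist, the sample page and every domain in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative denylist (constructed placeholders, not real indicators); a real
# scanner loads thousands of known mining domains from threat intelligence.
KNOWN_MINING_DOMAINS = {"miner.example", "pool.example"}
# Endpoints an inline script may open to fetch work and submit computed hashes.
URL_RE = re.compile(r"""(?:wss?|https?)://[^\s'"<>]+""")

class ScriptRefCollector(HTMLParser):
    """Collects external script URLs and URLs embedded in inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self._buf, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as CDATA, possibly in chunks
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.urls.extend(URL_RE.findall("".join(self._buf)))
            self._buf, self._in_script = [], False

def host_of(url):
    # Protocol-relative "//host/path" has no scheme; add one so urlparse sees the host.
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

def is_known_miner(host, denylist=KNOWN_MINING_DOMAINS):
    # Match the listed domain and any subdomain (cdn.miner.example -> miner.example).
    return any(host == d or host.endswith("." + d) for d in denylist)

def find_mining_references(html, denylist=KNOWN_MINING_DOMAINS):
    """Return the URLs in a page that point at known mining infrastructure."""
    collector = ScriptRefCollector()
    collector.feed(html)
    return sorted({u for u in collector.urls if is_known_miner(host_of(u), denylist)})

# Constructed page: one legitimate script, one injected loader and its pool connection.
SAMPLE_HTML = """<html><head><script src="https://cdn.legit.example/jquery.min.js"></script>
<script src="//cdn.miner.example/lib/miner.min.js"></script>
<script>var ws = new WebSocket('wss://pool.example:8443/proxy');</script></head><body>Hi</body></html>"""
```

Run `find_mining_references(SAMPLE_HTML)` against the constructed page and it reports the injected loader and the pool socket while ignoring the legitimate CDN script.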
How to stop a cryptojacking attack?
As long as your site hosts the malicious code, anyone visiting it will have their computer abused to mine cryptocurrency. Your first step should be to locate the malicious code and remove it, preferably by restoring the code from a clean backup or doing a fresh deployment. This is preferable to just deleting the malicious code, since it puts a fresh copy of the source code on the web server and removes any traces of the attack that you might otherwise have missed.
Removing the bad code is just the first step. You also need to find out how it got there. You should look at the web server’s log files and try to find evidence of what happened. Most importantly, you should scan your website for vulnerabilities and fix the one that caused the problem.
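A check for the recovery step above, added here and not part of the original post: it hashes every file in a clean deploy and in the live web root and reports what was modified, added or removed, which surfaces dropped files that deleting only the script you noticed would miss. Both directory trees are constructed in a temporary directory; the injected paths and domain are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path (relative to root, POSIX form) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(clean_root, live_root):
    """Return the files that differ between a clean deploy and the live web root."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(set(live) - set(clean)),    # dropped files, e.g. a miner loader
        "missing": sorted(set(clean) - set(live)),  # deleted or renamed by the attacker
    }

def demo():
    """Constructed trees: a clean deploy and a live copy with a tampered page and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "index.html").write_text("<html><body>Shop</body></html>")
            (root / "js" / "app.js").write_text("console.log('app');")
        # Live site: the page gained a script tag and a new file appeared next to app.js.
        (live / "index.html").write_text(
            '<html><body>Shop<script src="//miner.example/m.js"></script></body></html>')
        (live / "js" / "loader.js").write_text("/* injected */")
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(demo())
```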
How to prevent the attack?
This is where you should invest your time and money: minimizing the chances of being attacked successfully. It would be wishful thinking to call this a recipe for completely preventing the attack; as with everything in security, the game is to raise the bar to a point where attacking you becomes too expensive for the attacker.
In the vast majority of cases, the malicious code is embedded in the site through a vulnerability such as SQL injection or stored cross-site scripting. You should find and fix those vulnerabilities before the attacker does.
Tools like Probely can be used by your developers to test the application before it is deployed, thus reducing your exposure. Finding vulnerabilities earlier in the development lifecycle reduces the total cost of ownership of the application, especially if the tests are tightly integrated into the developers’ processes.
To complement vulnerability scanning, you should have a more thorough check-up, such as a penetration test, at least once a year, in which a team of trained security professionals searches for more complex vulnerabilities.
Will cryptojacking fade away?
Cryptojacking will most likely not slow down in the near future. These attacks give the malicious actor an immediate financial gain, and that is a powerful driver for any attacker. So it is important that you consider this type of attack and monitor your website periodically.