Security Trends/Attacks
Arctic Wolf Networks

The Rising Risks of Cryptocurrency-Mining Malware

Do you own any Bitcoin (BTC)? The world’s most famous cryptocurrency had a banner year in 2017, with prices surging to all-time highs (above $19,700 per BTC) in late December. While it was designed as an alternative currency, BTC has become more akin to gold – i.e., a store of value, although with a more volatile price.

Cryptocurrency Mining and Malware: An Inevitable Pairing

The rising value of BTC and other cryptocurrencies has been a bonanza not only for early adopters, but also for cybercriminals seeking to exploit the uniquely structured networks underpinning these new commodities. The incentives are obvious: In the short term and perhaps longer, illicitly obtained digital currencies can be sold for considerable sums, while the vast computing power pooled for mining them potentially fuels the creation of a powerful botnet.

Cryptocurrency-specific malware, which has recently become more prominent, typically targets the so-called “mining” process necessary to obtain BTC and its many imitators. Mining makes a unit of currency available, but only after key requirements are met:

  • Nodes in the network must solve increasingly complex cryptographic problems to extract new units.
  • These solutions are documented in proofs-of-work that are community approved and then added in blocks to a public digital chain (the “blockchain”)

Solving and submitting these proofs requires enormous amounts of computing power and electricity. To that end, the latest malware seeks to enlist unwitting device or platform owners into supplying their collective CPU/GPU processing cycles for mining.

Coinhive and Other Cryptocurrency-Specific Threats

The java-based program Coinhive is a good indicator of the current threat landscape. It resembles similar programs, such as BitcoinPlus, that were developed years ago when cryptocurrencies were in their earliest stage and less valuable; however, it has superior reach and a better delivery mechanism.

Bitcoin and other cryptocurrencies greatly increased in value in 2017.Bitcoin and other cryptocurrencies greatly increased in value in 2017.

Already blacklisted by several anti-malware solutions, Coinhive hides itself on websites and–using unwitting visitors’ processing power–furtively mines in the background for Monero currency, which has far less technically demanding requirements than BTC. Users of services from The Pirate Bay to Showtime Anytime have had their CPUs harnessed for Monero mining without their knowledge or consent, underscoring Coinhive’s scale and stealthiness.

Coinhive, and similar scripts like Crypto-Loot and JSECoin, emerged as cryptocurrencies became more popular. Security vendors and makers of ad-blocking software have responded accordingly, while warning of a digital arms race in cryptocurrency-focused programs.

It’s debatable whether Coinhive fits the usually understood definition of malware, since many sites simply use it as an alternative to advertising and don’t extract any data or direct payment from end users. Yet, such programs represent an ever-present danger in their potential to commandeer computing power and hijack the numerous devices producing it.

What’s Ahead for Secretive Cryptocurrency Mining

So far, the actual harm inflicted by Coinhive et al. pales in comparison to exploits such as ransomware with strong encryption. That could change, for three primary reasons:

  • There is evidence, according to Vice, that a new version of Mirai, the Internet of Things botnet with thousands of infected machines, is being used for mining; another botnet was discovered in May 2017 exploiting the same EternalBlue flaw critical to the WannaCry ransomware
  • Between the rise of many new cryptocurrencies–such as Monero–with lower barriers to entry than BTC and the emergence of the Internet of Things, there will likely be greater demand for digital currency, along with more computing power to meet it
  • Financial institutions and markets have increasing ties to cryptocurrencies; BTC futures recently became tradeable on the Chicago Mercantile Exchange, sparking anxieties about exposure that could be influenced by hacks and malware infections

Imagine having your corporate network taken up by a crypto-miner program consuming the bulk of all available computing power. You would lose access to networked resources and experience sluggish performance, and your systems would possibly contribute to a speculative bubble in the cryptocurrency in question. Participation in distributed denial-of-service (aka DDoS) attacks and automatic subscription to unwanted paid services are additional possibilities.

Defending against cryptocurrency malware is really about protecting your network from unwanted intrusions of all kinds. Given the rapid evolution of today’s threats, a simple security information and event management (SIEM) platform is not enough for scalable, comprehensive and cost-effective defense.

What is ultimately needed is a security operations center (SOC) staffed by security experts who can monitor all IT infrastructure 24/7 and triage alerts. A cloud-based SOC-as-a-service offering makes such protection a reality for small-to-midsize enterprises as it deploys quickly and easily, and is affordable with predictable, subscription-based fees. Learn more by reading this white paper.