What is cryptojacking? How to detect, fix and prevent it.
What is cryptojacking?
You know carjacking? The unfortunate situation when someone steals your car while you are waiting for a traffic light to turn green, and then uses it to rob a convenience store? Cryptojacking is the digital version of it — it’s when a hacker steals your computer’s resources and uses them to mine cryptocurrency.
Cryptocurrencies such as Bitcoin or Monero are obtained through mining, a CPU-intensive operation that consists of repeatedly computing cryptographic hashes. Mining is only a viable business if the cost of the computing power and electricity required to operate and cool down your systems is significantly lower than the monetary gain you get from mining. So, if you’re mining through someone else’s computers, you won’t have any costs and you’ll get all the profit.
To get the free ride, hackers modify websites and online ads to include JavaScript code that runs in the browser of anyone who views the website or the ad. That JavaScript mines cryptocurrency while the unsuspecting victim continues browsing the web. Now the hacker is using the computing power of every visitor to your website, dutifully mining cryptocurrency for him/her. For free.
There is a second method that hackers use to deliver cryptojacking attacks: convincing the victim to install malicious code on their computer, using what looks like a legitimate email or popup that calls for some action. However, it is harder to achieve a scale effect this way since you would need to infect a large number of computers.
One attack, multiple victims
There are two types of victims when a site is abused for cryptojacking: the person viewing the modified site and the site owner.
Victims who browse a website that includes JavaScript mining code will only notice a decrease in the performance of their computer. Most victims will just think they hit another “website that makes my computer slow”. If the victim is browsing on a mobile phone, the increased CPU usage comes with the extra cost of draining the battery faster.
But the biggest victim of cryptojacking is the website owner: the hacker was only able to place the malicious code because he/she found and exploited a vulnerability on the website. This means that the website has been hacked.
Having a mining script there is the least of your problems: what if that vulnerability was also exploited to get customer data? With new regulations like GDPR, there is a lot of pressure on companies to protect their customer data, and the consequences of not doing so could be fatal for your business.
How to detect cryptojacking code on your site?
Cryptocurrency mining requires periodically contacting a server to both get new hashes and send calculated hashes to a wallet. Therefore, looking for evidence of those communications is an excellent way to detect malicious code hosted on your server. This technique has the advantage of being agnostic to what the malicious code looks like; however, it requires a prior identification of the servers known to be used by the mining code.
Most of these domains are widely known; Coinhive, for instance, provides an easy way for anyone to deploy Monero mining code with a hassle-free setup. Monero has the advantage of giving the attacker stronger privacy guarantees than Bitcoin. Coinhive advertises itself as a service that can provide income to a site owner, for instance by replacing ads.
You should have your site continuously monitored for evidence of malicious code. Probely can help you here by scanning your application and looking for that evidence. It can detect the presence of more than 12 000 domains used by this code, and the list is growing steadily. You can sign up for a free trial here and start monitoring your website.
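The detection approach described above, as an added example that is not part of the original article or of Probely's scanner: a small Python check that parses a page's HTML and flags any script source or inline script body that references a host on a blocklist of known mining domains. The blocklist and the sample page are constructed for the example (coinhive.com appears only because the article names Coinhive; the ".example" hosts are made up).

```python
import re
from html.parser import HTMLParser

# Constructed placeholder blocklist: replace with a maintained list of domains
# known to serve miner scripts or receive mining traffic. coinhive.com is here
# only because the article names Coinhive; the ".example" hosts are made up.
KNOWN_MINER_DOMAINS = {"coinhive.com", "miner-pool.example", "hash-cdn.example"}
HOST_RE = re.compile(r"(?:https?:|wss?:)?//([a-z0-9.-]+)", re.I)  # URL host part

def matches_blocklist(host):
    # True if host is a listed domain or any subdomain of one.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_MINER_DOMAINS)

class MinerReferenceScanner(HTMLParser):
    # Flags <script src> targets and inline script bodies that point at a listed
    # domain: the "evidence of communications" the article suggests looking for.
    def __init__(self):
        super().__init__()
        self.findings = []   # (location, host) pairs
        self._buf = None     # body of the <script> currently being read
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
            self._check(dict(attrs).get("src") or "", "script src")
    def handle_data(self, data):
        if self._buf is not None:   # inside <script>...</script>
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self._check("".join(self._buf), "inline script")
            self._buf = None
    def _check(self, text, where):
        for host in HOST_RE.findall(text):
            if matches_blocklist(host):
                self.findings.append((where, host))

def scan_html(html):
    # Return every blocklisted host referenced from the page's scripts.
    scanner = MinerReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a clean script, an injected miner loader, and an inline
# script that opens a WebSocket to a mining proxy.
SAMPLE_PAGE = """<html><body><h1>Shop</h1>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/miner.min.js"></script>
<script>var ws = new WebSocket("wss://miner-pool.example/proxy");</script></body></html>"""
```

Running `scan_html(SAMPLE_PAGE)` reports the Coinhive loader and the WebSocket proxy host while ignoring the site's own script; in practice you would fetch each page of your site on a schedule and alert on any non-empty result.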
How to stop a cryptojacking attack?
As long as your site hosts malicious code, anyone visiting it will have their computer abused to mine cryptocurrency. Your first step should be to locate the malicious code and delete it, preferably by recovering the code from a clean backup or doing a new deploy. This is preferable to just deleting the malicious code, since it puts a fresh version of the source code on the web server, cleaning any traces of the attack that you might otherwise have missed.
Removing the bad code is just the first step. You also need to find out how it got there. You should look at the web server’s log files and try to find evidence of what happened. And most importantly, you should scan your website to look for vulnerabilities and fix the one that caused the problem.
How to prevent the attack?
This is where you should invest your time and money, minimizing the chances of being attacked successfully. It would be wishful thinking to call this a recipe for completely preventing the attack: as with everything in security, the game is to raise the bar to a point where attacking you is too expensive for an attacker.
In the vast majority of cases, the malicious code is embedded in the site through a vulnerability, such as SQL injection or Stored Cross-Site Scripting. You should find and fix those vulnerabilities before the attacker does.
Tools like Probely can be used by your developers to test the application before it gets deployed, thus reducing your exposure. Finding the vulnerabilities sooner in the development lifecycle will reduce the total cost of ownership of the application, especially if the tests are tightly integrated into the developer’s processes.
To complement vulnerability scanning, you should do a more thorough check-up such as a penetration test at least once a year, where a team of trained security professionals searches for more complex vulnerabilities.
Malicious insider
Saying that the root cause of the problem is a vulnerability on your site is the most likely hypothesis. But you should also consider that a trusted employee modified the website to include the malicious script for their own benefit, and I have witnessed that at least a couple of times. It is very tempting to make a quick change in one of the thousands of lines of code to add a piece of JavaScript that will bring in some extra income, especially if the site has thousands of visits daily. Having a vulnerability scanner that reports the presence of cryptojacking code, running periodically, will blow the whistle on the code’s presence.
Will cryptojacking fade away?
Cryptojacking will most likely not slow down in the near future. These attacks give the malicious actor an immediate financial gain, and that is a powerful driver for any attacker. So it is important that you consider this type of attack and monitor your website periodically.