Blog

Bitcoin may be down, but it’s far from out – and the charts of many of the over 1,000 cryptocurrencies listed at Bitinfocharts show wild jumps in value. Bitcoin, by far the most popular cryptocurrency, has fluctuated hundreds of percent since the beginning of 2017. Currently valued at over $6,000 apiece, Bitcoin is still plenty profitable for those who bought in early.

It’s also profitable for hackers, who have jumped on the bandwagon – and are creating their own Bitcoins and cryptocurrencies, using the techniques required to mine new coins: the solving of complicated mathematical equations, which require deploying large numbers of computers. The more computing power, the more coins that can be produced.

To access that computing power, hackers harness the power of dozens, hundreds, or even thousands of computers, taking over their processors during idle times. Using malware to install remote command and control software on systems, hackers are able to take over entire networks, stealing computing power – and the electricity needed to run the computers – to mine coins. It’s called cryptojacking, and victims may not even realize what’s going on – until they get their power bill.

It’s nothing more than outright theft. By hijacking victims’ computers and processors, the hackers can sit back and reap the proceeds of the work done by the computing power they are stealing. This activity increases victims’ electricity expenses, may affect user experience as computer performance is negatively impacted, and could cause down time of hijacked servers.

How do hackers compromise the computers of their victims? The easiest way for them to achieve this is from websites, via users’ browsers. These websites contain javascript code, which browsers execute as soon as the site is visited. As long as the site is open in the browser, the code can continue mining currency. Some sites do this intentionally; in fact, a company called Coinhive offers this as a service to websites. Officially, sites are supposed to require user approval – for example, as an alternative to advertisements – and some do. As could be expected, many more sites take advantage of users without their knowledge. In other cases, websites are infected without their owners’ knowledge.

This method of cryptomining delivery is a relatively minor worry, since it’s not persistent. If your browser is consuming high CPU because you visited a site running Coinhive or other mining code, all you need to do is leave the site or close your browser. You can also proactively prevent the mining, by simply installing a coin mining blocker extension in your browser. A much more significant danger is posed when Cryptomining code is actually installed on your system.

Cybercriminals are using advanced methods to insert persistent currency mining code into victims’ systems, including organizational servers and networks. Some of the sophisticated attack vectors formerly used to deliver ransomware, such as EternalBlue and other exploit kits, are now being used to deliver cryptojacking malware. Sometimes it’s by attaching malware to email messages, and using advanced phishing and other social engineering tactics to persuade victims to open attachments in email messages that contain that malware.

If organizations haven’t been able to prevent these attacks, it’s not for lack of trying. Companies have tried threatening, cajoling, begging, and educating employees in attempts to discourage them from being taken in by phishing scams. To no avail; there are more malware attacks than ever. Short of shutting down email, is there anything organizations can do to prevent employees from becoming victims – and becoming unwilling recruits in a hacker-sponsored coin mining operation?

One proven solution involves setting up an endpoint containment system that isolates externally-sourced content – including any malware that could be downloaded or attached to email messages from outside the organization. The container keeps risky items away from users’ native endpoints and, by extension, from the internal network, while allowing the flow of work to proceed.

How does this work? Attachments and downloads are kept in a virtual container – a secure environment where content from any potentially risky source, including internet browsers, removable media and external email messages, is accessed. The data itself is visible, but any malicious code it may contain is barred from the system. For cases where users do need to move the data onto the native endpoint or organizational systems – a Content Disarm and Reconstruction (CDR) system is deployed, so users can opt to bridge the content from the container. Periodically, the container is wiped clean. With a system like this, organizations can ensure that crypto-hackers are kept out of their systems and networks.