According to an alarming new report from Guardicore Labs, as many as 50,000 servers worldwide have been infected with the Nansh0u cryptomining malware. The attack targeted Internet-exposed Windows MS-SQL and phpMyAdmin servers, primarily in the healthcare, IT, media and telecom industries. These industries were likely targeted because they tend to run more powerful servers, which are worth more to a miner.
As the use of cryptocurrency has increased, cryptomining has grown up alongside it. Miners compete to find a block of pending transactions whose cryptographic hash (for SHA-256-based coins such as Bitcoin, a 64-digit hexadecimal number) falls below a target set by the network, which takes an enormous number of guesses. The first miner to succeed gets to add that block to the blockchain and is paid a block reward in that cryptocurrency.
Two things make legitimate cryptomining unattractive. First, generating hashes fast enough to compete requires fairly sophisticated hardware: a graphics processing unit (GPU) or a purpose-built chip. That kind of machine draws a lot of electricity and generates a lot of heat, so you need some form of cooling. You also need cryptomining software, a wallet, membership in an online mining pool and a good Internet connection.
Second, after all of that outlay, an individual miner typically makes a couple of bucks a day.
Smart (if unscrupulous) cryptominers have figured out that the economics improve dramatically if you take advantage of (steal) someone else’s computing resources without their knowledge or consent. This has given rise to a threat known as “cryptojacking,” in which attackers gain unauthorized access to a user’s device or an organization’s servers in order to mine cryptocurrency.
Malware is used to force devices into cryptomining service. Some attackers use phishing emails to trick users into clicking malicious links or opening files that load cryptomining code onto the device. Another method is to inject a script into a website or an ad so that it runs in the browser of anyone who visits that website or sees that ad. The Nansh0u attackers took a third route: they scanned the Internet for exposed MS-SQL and phpMyAdmin servers and brute-forced their way in by trying common passwords against administrative accounts (this is sometimes loosely called “credential stuffing,” although that term properly refers to replaying username/password pairs leaked from other breaches).
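Because the Nansh0u intrusion began with password guessing against MS-SQL, the most direct detection is to watch the server’s own login audit. The following is an added example, not code from Guardicore’s report or from this article: it parses the “Login failed for user” and “Login succeeded for user” lines that SQL Server writes to its ERRORLOG (failed-login auditing is on by default; logging successful logins has to be enabled separately), counts failures per client IP inside a sliding window, and flags a later successful login from a flagged IP as a probable compromise. The log excerpt, the IP addresses and the threshold values are constructed for the example.

```python
"""Detect password brute-forcing against MS-SQL from the server's ERRORLOG.

Added example (not from the Guardicore report or the article). It scans the
logon audit lines SQL Server writes to ERRORLOG, counts failures per source
IP inside a sliding time window, and flags a subsequent successful login
from a flagged IP as a probable compromise. All sample data is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt. Line layout follows SQL Server's audit lines;
# 203.0.113.5 hammers 'sa' and then gets in, 198.51.100.7 is a normal user
# who mistyped a password once. The spid line shows a non-logon entry.
SAMPLE_LOG = """\
2019-05-20 10:00:00.00 spid12s     SQL Server is now ready for client connections.
2019-05-20 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:00:01.50 Logon       Login failed for user 'dbadmin'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-05-20 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:00:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:00:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:00:03.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-05-20 10:00:09.00 Logon       Login succeeded for user 'dbadmin'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

# Matches only the Logon audit lines; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"(?P<msg>Login (?:failed|succeeded) for user '(?P<user>[^']*)'.*?)"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (brute_force, compromised).

    brute_force maps a client IP to the largest number of failed logins it
    produced inside one window once it reached the threshold. compromised
    lists (ip, user, timestamp) for successful logins from such an IP.
    Thresholds are assumptions for the example; tune them to your baseline.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    brute_force = {}
    compromised = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        ip, user = m["ip"], m["user"]
        if m["msg"].startswith("Login failed"):
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                brute_force[ip] = max(brute_force.get(ip, 0), len(q))
        elif ip in brute_force:
            # A success after a burst of failures is the signal that matters.
            compromised.append((ip, user, m["ts"]))
    return brute_force, compromised


if __name__ == "__main__":
    bf, comp = analyze(SAMPLE_LOG)
    for ip, n in bf.items():
        print(f"brute force: {ip} ({n} failures in window)")
    for ip, user, ts in comp:
        print(f"PROBABLE COMPROMISE: {ip} logged in as {user} at {ts}")
```

Run against a real ERRORLOG the same parser applies unchanged; the two things worth alerting on are the burst itself (block the IP) and the success that follows it (treat the host as compromised and look for the dropped miner).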
Cryptojacking attacks are exploding as attackers find them more lucrative and less risky than ransomware. According to the 2019 IBM X-Force Threat Intelligence Index, the number of cryptojacking attacks more than quadrupled in 2018, outpacing ransomware attacks two to one.
Cryptojacking doesn’t require much in the way of technical skill, and at scale it is very profitable. Unlike ransomware, which relies on victims choosing to pay the ransom in order to monetize the attack, cryptojacking generates money continuously from every infected device for as long as it goes unnoticed. The mining code just sits there in the background, quietly doing its work. It’s difficult to detect and even harder to trace to its origin, since the only link back to the attacker is the wallet or pool account receiving the proceeds.
The only warning sign of cryptojacking for the average user is system performance degradation, which points to the larger problem for businesses. Cryptojacking drains system resources and can stress CPUs and GPUs, which can cause devices to fail prematurely. Smaller devices may overheat. Cryptojacking also increases energy consumption and consumes network bandwidth.
To avoid cryptojacking, the first step is to let people know it exists. It needs to be part of security training, so that users are aware of the symptoms. For in-browser mining, organizations should install anti-cryptomining extensions on their browsers or even ad blockers to prevent exposure to infected ads.
Browser controls do nothing for the server-side attack described above, however. The controls that would have stopped Nansh0u are basic: do not expose MS-SQL or phpMyAdmin administrative interfaces directly to the Internet, use strong, unique passwords for accounts such as sa, lock out or rate-limit repeated failed logins, and alert on a burst of failed logins followed by a success. Look for endpoint protection and antivirus software that can detect cryptomining scripts and miner binaries. Maintain your browser extensions and update your web filtering tools regularly to account for new threats. And make sure your IT team and help desk staff stay abreast of cryptojacking trends so they can better identify and respond to attacks.