When reporters asked the infamous bank robber Willie Sutton why he robbed banks he allegedly replied, “because that’s where the money is”. It was only a matter of time that cybercriminals, specifically, ransomware extortioners, started to target their currency of choice, Bitcoin, as a means of gaining wealth. If Willie Sutton was living today, he would probably be a cryptojacker in cyberspace, launching cryptojacking attacks and cryptomining assaults on cryptocurrency firms.
By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group
What is it?
Simply put, cryptojackers attack enterprise technological systems with the goal of leveraging their computer resources to launch cryptomining assaults on cryptocurrency firms. Graboid, PowerGhost, Badshell, MinerGate, and Prometei are all well know cryptojacking variants that intruders use to capitalize on the resources of the enterprise and personal systems with the intent of conducting cryptomining of popular cryptocurrencies.
How does it work?
Cybercriminals surreptitiously gain access into enterprise or personal computer systems and inject malicious computer code onto them. No systems are safe from cryptojacking. Cloud-based, file-based, and browser-based systems have all been known to have been affected by cryptojackers. The method of choice used by the intruder to introduce the code onto a system is by way of phishing attacks in various forms. Once the code’s payload is applied to the system it behaves similarly to a technological parasite, much like a tick on a dog or a leach on a host. The injected code works in the system background undetected. The preferred code used by the intruder is usually a polymorphic, zero-day, advanced persistent malware deployed as a rootkit.
The intent of the code is not to harm the host, rather hijack its CPU resources in order to launch attacks on other computer systems particularly cryptocurrency targets. Cryptojackers view crypto mining of cryptocurrency as less risky than ransomware in that cryptocurrency firms do not have the same emotional public and law enforcement support as does traditional brick and mortar enterprises that directly affect their everyday lives as was the case with the ransomware attack on the colonial pipeline causing a major consumer panic.
How do I know If my system is affected?
The degraded performance of your system could be an indication that its resources are being used to conduct unwitting cybercriminal activities. Traditional methods used to detect common vulnerabilities such as antivirus protection and popular vulnerability scans are ineffective when it comes to detecting Cryptojacking malware. Network monitoring tools are more effective in detecting Cryptojacking activities in that they reveal increased and unexplainable CPU usage that could possibly cause endpoint failure due to overheating as a result of the increase in usage. Utilizing various network monitoring tools such as Simple Network Management Protocol tools in tandem with Security Information and Event Management tools configured to detect changes within an enterprise technological network, servers and endpoints will be beneficial in the quest for discovering Cryptojacking within your organization.
How can I protect my system against cryptojackers?
- Both non-governmental organizations (NGOs) and government organizations (GOs) can avoid becoming unwitting accessories to cybercrime by implementing the NIST 800-207 Zero Trust framework throughout their enterprise. The Zero trust framework focuses on three primary areas of enterprise computing operations: the user, the device, and the application. Computer systems at their inception were designed to be collaborative in nature and therefore did not focus much on security. In 1988 that paradigm shifted with the introduction of the Morris Worm. Zero Trust now becomes the default, with the idea that the device, the user, and the application cannot be trusted, even when they have been vetted and confirmed as being a legitimate component of the enterprise’s network. The user’s identity and authentication coupled with the authentication of the device and application access controls are the foundation of this model. Zero trust forces administrators to approach every component of their network as possibly being compromised and therefore require stringent policies and configurations that must be met in order to allow them to operate within its schema. Network segmentation and sensitive data compartmentalization, irrespective of where the system computing occurs or resides, whether it be in the cloud, or on-premise, are treated in the same manner. When all of these conditions are met then, and only then will the device, user, or application be allowed to operate freely within the network given audit trails and constant monitoring.
- Information security awareness education and training are of paramount importance in combatting Cryptojacking. The enterprise must create a culture of security that is ubiquitous throughout the organization. Everyone in the enterprise has a role to play in protecting the organization’s technological assets from the Board of Trustees, Senior Management to the frontline operational staff. Again, this culture must be pervasive throughout the organization.
- Newer endpoint protection products are now capable of detecting and isolating some of the most popular Cryptojacking variants. The enterprise must invest in outfitting its computer systems with robust endpoint protection.
The long and short of it is that cybercriminals do not have to comply with any rules, regulatory compliance mandates, or standards. Their tactics to disrupt, destroy and manipulate organizations technological system operations are ever-evolving. Therefore, the enterprise must be ever vigilant in the safeguard of their technological resources.
Stay alert! Stay Alive!
About the Author
Zachery S. Mitcham, MSA, CCISO, CSIH is the VP and Chief Information Security Officer at SURGE Professional Services-Group. He is a 20-year veteran of the United States Army where he retired as a Major. He earned his BBA in Business Administration from Mercer University Eugene W. Stetson School of Business and Economics. He also earned an MSA in Administration from Central Michigan University. Zachery graduated from the United States Army School of Information Technology where he earned a diploma with a concentration in systems automation. He completed a graduate studies professional development program earning a Strategic Management Graduate Certificate at Harvard University extension school. Mr. Mitcham holds several computer security certificates from various institutions of higher education to include Stanford, Villanova, Carnegie-Mellon Universities, and the University of Central Florida. He is certified as a Chief Information Security Officer by the EC-Council and a Certified Computer Security Incident Handler from the Software Engineering Institute at Carnegie Mellon University. Zachery received his Information Systems Security Management credentials as an Information Systems Security Officer from the Department of Defense Intelligence Information Systems Accreditations Course in Kaiserslautern, Germany.
CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.