What is cryptojacking?
Cryptojacking is when an attacker hijacks your processing power to mine cryptocurrency for their own benefit. This can occur either on a computer you own and control on-premises or on virtual machines in the cloud.
Cryptojacking uses malicious code embedded in websites or malware installed on your device to exploit your resources without your knowledge. This slows down devices, blocks legitimate users from accessing your resources, and could also leave you with sky-high cloud costs. There are many other potential negative repercussions for businesses and individuals, from loss of data privacy to the inability to keep using affected systems.
To understand what cryptojacking is and how to prevent it, let’s take a look at a few basic facts about cryptocurrency.
The Cloud Threat Landscape
A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques
Explore
Cryptocurrency and crypto mining
Cryptocurrency is a type of digital money; it gets its name from the fact that it is encrypted for security. The main characteristic distinguishing cryptocurrencies from standard, or fiat, currency is decentralization. This means cryptocurrencies are not controlled by a single central entity (like a bank or a government). Instead, a secure public record called the blockchain verifies and tracks all transactions to ensure transparency and trust.
To securely create new coins, most cryptocurrencies must be mined, meaning a user solves a very complex encryption puzzle. The miner is rewarded for this work with very small payments made using the cryptocurrency being mined.
Since the rewards for crypto mining are very small, users must mine a lot of cryptocurrency in order to generate reasonable profits. This does not provide a good model for legitimate mainstream businesses wishing to profit from crypto mining. Law-abiding organizations are limited by the number of CPUs they have available. They must either purchase physical infrastructure or pay for cloud resources, costs that they might not recoup from crypto mining’s small proceeds.
Malicious actors have found a better way to profit: illegally hijacking victims’ devices to mine cryptocurrency—hence the term cryptojacking—while they sit back and reap the rewards.
Python-based fileless malware targets cloud workloads to deliver cryptominer
PyLoose is a newly discovered Python-based fileless malware targeting cloud workloads. Get a breakdown of how the attack unfolds and the steps to mitigate it.
Read more
Cryptojacking malware
Unlike other types of malware, cryptojacking malware won’t necessarily shut down your computer or destroy your data. Threat actors deploying cryptojacking malware generally want everything functioning in tip-top shape.
That said, standard cryptojacking malware will almost certainly compromise your device’s performance. Mining crypto ties up the CPU so that it’s too busy to handle legitimate requests. In the cloud, this could also lead to the creation of additional instances to handle what is perceived as extra load, potentially driving cloud costs into the stratosphere.
Advanced cryptojacking techniques, such as proof-of-storage cryptojacking malware, won’t have the physical side effects and impact on computing power but could seriously drive up cloud bills, scaling up storage to major proportions without your knowledge or consent.
As with many other types of malware, the most common vector for cryptojackers is social engineering—tricking a user into clicking a link that will, in turn, download and install the malicious cryptojacking application.
The dangers of proof-of-storage cryptojacking
We explore “proof-of-storage" cryptocurrencies like Chia, the potential for proof-of-storage cryptojacking attacks, and steps defenders can take to detect them.
Read more
Why is cryptojacking a major cloud cybersecurity threat?
At first glance, cryptojacking may seem like a less serious threat than much of what’s out there today. Yet the repercussions for the organization can be serious:
Spiraling costs: Hidden mining increases resource costs and your overall cloud services spend.
Performance problems: Stolen processing power slows devices, harming individual and organizational productivity. Cryptojacking decreases the efficiency and speed of genuine computing workloads, affecting legitimate users like employees, customers, and end users.
Privacy and security risks: Since cryptojacking malware has already gained access to your environment, it can simplify lateral movement to help attackers achieve other goals, like stealing sensitive data.
Other attacks: Attackers may take advantage of the access they have already gained to your environment to introduce other types of malware, causing additional harm, such as exfiltration of confidential end-user or employee data.
Plus, cryptojacking profits are often funneled back into other cybercrime activities, broadening the scale of the harm malicious actors are able to achieve.
Three types of cryptojacking
These are the most common ways attackers can steal your resources to make money through cryptojacking:
| Method of Attack | How it works | How its different | Impact |
|---|---|---|---|
| 1. Browser-based cryptojacking | Runs directly in the browser, no software install required | Malicious code loads right in the browser on a website, using your browser’s resources to solve complex math problems for cryptocurrency mining | - Undetectable by users - Slower browsing - Higher CPU usage - Unreliable performance |
| 2. Host-based cryptojacking | Malware infects the device, using your processing power (CPU/GPU) to mine cryptocurrency | Persistent files left on system may make detection easier | - Overall slowdown - Laggy, unreliable performance - Extreme heat and power use (for on-premises devices only) |
| 3. Memory-based cryptojacking | Uses complex techniques like code injection and memory manipulation to access and manipulate RAM (memory) | Operates in real time almost entirely within RAM, leaving no trace | - Greater resource consumption, as with the other two types |
Some cryptojacking malware may also use a hybrid approach that takes advantage of browser and host.
Anatomy of a cryptojacking attack
Most cryptojacking attacks follow a fairly standard methodology:
An attacker creates crypto-mining software and hides it in a website, within application code, or behind an innocuous-seeming link.
A victim connects, unknowingly downloading the software.
The software silently uses the victim's CPU or other resources to mine cryptocurrency by solving cryptographic “puzzles” and reaping rewards in cryptocurrency. Rewards accumulate in the attacker’s crypto wallet, and the cryptojacking persists until it’s detected—which could be a very long time.
Advanced cryptojacking malware may also use “worm” abilities to spread laterally throughout the environment, infecting connected resources. This maximizes gains for the attacker while multiplying the potential damage within your organization.
Your 5 best defenses against cryptojacking
1.Deploy modern cybersecurity protection
Today’s protection must include endpoint detection and response (EDR) for all physical devices, along with cloud detection and response (CDR), which monitors, detects, and provides response capabilities for all cloud-based resources. As part of your overall approach to security, EDR should restrict unauthorized scripts, using ad blockers if possible, and block access to sites based on reputation.
In addition, CDR streamlines security in cloud environments, giving you deep visibility across VMs, containers, serverless functions, and your entire infrastructure. That means you can pinpoint threats quickly and set up automated responses that save work for your team, like quarantining workloads or network isolation, ensuring nothing falls through the cracks.
2. Keep software and systems regularly updated
Patching should be the cornerstone of your organization’s proactive defense against cryptojacking, ideally incorporating automation to cut the IT team’s workload. Patch management identifies and installs software updates to fix vulnerabilities and bugs, along with other improvements such as performance enhancements and new features. Cryptojacking often takes advantage of software vulnerabilities, including long-standing vulnerabilities, so choose a modern patching solution that helps you prioritize so your most sensitive assets are patched first.
3. Keep an eye on cloud costs
Regularly monitor your cloud spend to avoid unpleasant surprises caused by cryptojacking. In one case, Microsoft analysis identified $300,000 in excess compute fees. Unexpected surges in compute or storage fees can indicate unauthorized resource utilization. Cloud cost management tools and spending alerts can help you flag anomalies early on, ensuring that you can take corrective action and avoid potential losses.
4. Train employees on phishing and avoiding suspicious links/attachments
Educating employees on social engineering tactics like phishing can significantly reduce the risk of cryptojacking infection. However, it’s important not to rely solely on this line of defense given the increasing sophistication of malware attacks. Beyond ensuring that employees are equipped to identify suspicious communications and sites, be sure to minimize attack surfaces. The principle of least privilege (PoLP) grants only essential permissions to users, software, and devices, reducing the potential impact of breaches. And remember to regularly remove unused accounts to further tighten security.
5. Implement real-time monitoring and threat detection
One of the hallmarks of cryptojacking malware is that it can remain hidden for long periods of time, staying under the radar of many threat detection systems while it continues generating profits for attackers. That’s why real-time threat detection is crucial. An effective CDR solution will incorporate behavioral analytics, identifying anomalies in your organization’s patterns of cloud server use—for example, in system logs, network traffic, and commands—with the goal of stopping crypto mining before it impacts your business.
Defending against cryptojacking with CNAPP
Wiz is a cloud security platform that proactively identifies and remediates vulnerabilities and misconfigurations that cryptojacking malware could exploit to gain a foothold. On top of this the CDR capabilities can identify and remediate even the most advanced malware.
As a cloud native application protection platform (CNAPP), Wiz empowers your organization to stay ahead of attackers and secure your cloud environments in several ways:
Unmasking hidden cloud risks based on your critical and most exposed assets
Prioritizing real threats, not CVEs, using Wiz’s “toxic combinations” score that’s based on real impact to your business
Putting an end to alert fatigue with clear, with high efficacy detections and remediation guidance
Wiz gives you centralized control for all security, and it’s scalable and agentless—meaning there’s never anything to install. Plus, you’ll get seamless integrations and AI insights. See for yourself. Get a demo and experience the simplicity and security Wiz brings to your entire cloud environment.
