Cryptomining, a process at the core of many blockchain-based systems and applications, can require huge amounts of computing power – so much, in fact, that attackers sometimes seek to offload the costs of cryptomining to unsuspecting organizations by performing mining operations on their infrastructure without permission.
When this happens, a cryptojacking attack occurs. Cryptojacking can deprive organizations of the computing resources they need to conduct legitimate operations. It can also leave them with huge and unexpected bills, especially if they use cloud-based infrastructure that is priced on a pay-as-you-go model.
That’s why methods for identifying and preventing cryptojacking should be a part of modern cybersecurity strategies. This article explains how cryptojacking works, how it relates to cryptomining, and which steps organizations can take to protect themselves against cryptojacking attacks.
What Is Cryptomining?
To understand cryptojacking, you must first understand cryptomining. Cryptomining is the process used to create new digital coins within a cryptocurrency system like Bitcoin.
How Cryptomining Works
The exact cryptomining process varies from one cryptocurrency system to another, but in most cases, cryptomining involves performing complex mathematical operations to solve a cryptographic puzzle. Devices crunch numbers until they solve the puzzle using a brute-force approach.
For some cryptocurrencies, the cryptomining process is competitive, meaning that multiple computers or other devices compete to solve a puzzle first. The winner is rewarded with cryptocurrency.
Types of Cryptomining
Cryptomining can be broken into categories depending on how the mining takes place:
- CPU mining: CPU mining is the most basic form of cryptomining. It involves performing mining operations locally on a device with a conventional CPU – such as your PC or laptop.
- GPU mining: In GPU mining, mining operations are accelerated using graphical processing units.
- ASIC mining: ASIC mining uses specialized hardware designed to optimize mining operations.
- Cloud mining: Cloud mining allows cryptomining operations to be outsourced to cloud infrastructure.
Resource Requirements for Cryptomining
For most mainstream cryptocurrencies, solving the cryptographic puzzles at the heart of cryptomining requires substantial computing resources. In fact, for cryptocurrencies like Bitcoin, cryptomining operations have become so intense that cryptomining on conventional computers is no longer feasible. Instead, most Bitcoin mining today takes place on specialized “mining rigs” that use GPU or ASIC acceleration to speed mining operations.
Cryptomining and Energy Consumption
High consumption of compute resources for cryptomining leads to high energy consumption rates, too. Bitcoin mining, for example, currently consumes about 0.55 percent of the world’s entire electrical energy output, which is about the same as the consumption of a small country like Sweden.
What Is Cryptojacking?
As long as you perform cryptomining on computing infrastructure that you have permission to use, you are not doing anything wrong. However, when cryptomining takes place without the permission of the infrastructure’s owners, it becomes cryptojacking.
Cryptojacking is the hijacking of someone else’s compute infrastructure to mine cryptocurrency. In other words, if you start mining digital coins on someone else’s computer, server, or cloud, you’re cryptojacking.
How Cryptojacking Works
To perform cryptojacking, attackers must first find a way to install and run cryptomining software on a target’s infrastructure. They could do this by exploiting software vulnerabilities that give them unauthorized access to a device’s host operating system, for instance, or by hiding cryptomining code inside other, legitimate applications that users install.
From there, the cryptojacking software runs in the background, often with the help of techniques designed to mask its presence. The attackers who planted the software configure it so that the coins it mines are placed into their digital wallets.
Types of Cryptojacking
Cryptojacking can be categorized based on the way cryptojacking attacks happen:
- Host-based cryptojacking: Attackers who compromise a host system to install cryptojacking software perform host-based cryptojacking.
- Browser-based cryptojacking: If cryptojacking originates using a browser vulnerability or runs as a subprocess of a compromised Web browser, it’s browser-based cryptojacking.
- Cloud cryptojacking: When cryptojacking takes place on cloud infrastructure, such as VM instances running in a public cloud, it’s a cloud cryptojacking attack.
Cost of Cryptojacking
Cryptojacking costs organizations money in three main ways:
- Infrastructure costs: In a highly scalable infrastructure, such as a public cloud IaaS environment, compute resources may automatically scale up in order to accommodate cryptojacking activities. They do this because they are configured to scale up when their load increases, and autoscaling policies have no way of knowing whether the cause of the load increase is legitimate or not. Because cloud customers typically pay for compute resources based on how many they consume, a scaling up of resources leads to higher bills.
- Energy costs: In an on-premises environment, businesses have to pay for the energy required to power and cool their servers. Cryptojacking leads to a spike in energy consumption due to increased CPU utilization, which translates to higher energy bills for the company.
- Loss of revenue: By depriving legitimate workloads of the resources they need to run efficiently, cryptojacking can lead to revenue loss. For example, if cryptojacking software runs on a server that hosts an eCommerce website, the website may become less responsive to customer requests because the server resources it needs to run well are being directed toward cryptojacking. As a result, the business that owns the site loses revenue.
What’s the Difference Between Cryptomining and Cryptojacking?
The difference between cryptomining and cryptojacking is simple: cryptomining is a legitimate activity, and cryptojacking is not.
To put this another way, cryptomining is an activity undertaken by an individual or organization that voluntarily chooses to use computing infrastructure to mine cryptocurrency. There’s nothing legally or ethically wrong with doing this.
In contrast, cryptojacking is the unauthorized use of infrastructure to mine cryptocurrency. Doing so is wrong from an ethical standpoint. It’s also a form of fraud that can be criminally prosecuted in most jurisdictions.
Best Practices for Preventing Cryptojacking
The best way to protect your organization from cryptojacking is to ensure that cryptojackers can’t invade your infrastructure in the first place. Best practices for hardening servers, computers, and other devices against cryptojacking attacks include:
- Enforce least privilege: A policy of least privilege minimizes the access rights that different users inside your organization have to IT resources. In turn, it reduces the risk that a compromised account can be used to launch a cryptojacking attack.
- Use zero trust: Zero trust, a security strategy that involves isolating devices on a network until they are explicitly validated to be trustworthy, helps prevent vulnerable devices from introducing cryptojacking software to your IT environment.
- Scan software: Software scanning surfaces vulnerabilities that attackers might exploit to install cryptojacking software.
- Know your software supply chain: To ensure that the upstream software components (such as open source libraries) that you depend on do not contain cryptojacking code, it’s important to maintain visibility into your software supply chain.
How to Detect Cryptojacking
If you’re worried that cryptojackers are already active inside your IT estate, there are several effective means for detecting cryptojacking activity.
Since cryptojacking triggers an increase in CPU utilization, performance monitoring can surface cryptojacking attacks. If you notice a sudden spike in CPU usage that can’t be explained by changes to a legitimate workload, cryptojacking could be the cause.
Scanning devices for suspicious software can reveal cryptojacking operations. Although many cryptojacking programs are designed to evade easy detection (by, for example, operating using process names that emulate those of legitimate applications), advanced scanning tools are effective at uncovering cryptojacking software.
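The two signals described above, combined in one triage check, as an added example that is not part of the original article or any vendor's tooling: a CPU rise that stays above a learned baseline, and a busy process whose name matches a known application but whose executable path does not. The allowlist, thresholds, and all sample data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Assumed allowlist for this example: expected executable path per process name.
EXPECTED_PATHS = {"nginx": "/usr/sbin/nginx", "sshd": "/usr/sbin/sshd"}

def sustained_spike(cpu, baseline_n=10, window=5, k=3.0, floor=5.0):
    """Return the index where CPU first stays above baseline for `window` samples, else None."""
    base = cpu[:baseline_n]
    # Threshold = baseline mean + k standard deviations; the floor keeps a very
    # quiet baseline from producing a band so narrow that noise triggers it.
    threshold = mean(base) + k * max(pstdev(base), floor)
    run = 0
    for i in range(baseline_n, len(cpu)):
        run = run + 1 if cpu[i] > threshold else 0  # a single dip resets the run
        if run == window:
            return i - window + 1
    return None

def masquerading(processes):
    """Return processes whose name is on the allowlist but whose path is not the expected one."""
    return [p for p in processes
            if p["name"] in EXPECTED_PATHS and p["exe"] != EXPECTED_PATHS[p["name"]]]

def triage(cpu, processes, busy=50.0):
    """Combine both signals: a sustained spike plus busy processes with a mismatched path."""
    suspects = [p for p in masquerading(processes) if p["cpu"] >= busy]
    return {"spike_start": sustained_spike(cpu), "suspects": [p["pid"] for p in suspects]}

# Constructed sample data: per-minute host CPU percent and one process snapshot.
# The one-minute burst at index 11 is a transient that must not raise an alert.
CPU = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 14, 70, 13, 96, 97, 98, 97, 99, 98]
PROCS = [
    {"pid": 812, "name": "nginx", "exe": "/usr/sbin/nginx", "cpu": 3.1},
    {"pid": 4471, "name": "nginx", "exe": "/tmp/.cache/nginx", "cpu": 94.0},
    {"pid": 990, "name": "sshd", "exe": "/usr/sbin/sshd", "cpu": 0.2},
]

if __name__ == "__main__":
    print(triage(CPU, PROCS))
```

Requiring the rise to persist for several samples filters out short legitimate bursts, while the path check catches a process that only borrows a trusted name.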
Honeypot environments, meaning IT resources that are designed to look like real production environments but which actually exist for the purpose of luring in attackers, can help you identify the patterns and techniques that cryptojackers are using to infiltrate your network. If you detect cryptojacking software within a honeypot environment, you can look for similar activities on your production resources to catch cryptojacking there.
On its own, cryptomining is a perfectly legitimate activity. But when cryptomining turns into cryptojacking, businesses can suffer significant harm. To manage this risk, IT security strategies should harden environments against cryptojacking attacks while also monitoring for cryptojacking to detect attacks that slip past defenses.