Data from the “IBM X-Force Threat Intelligence Index” for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream.
There are two types of cryptomining attacks that have been making the rounds since 2018:
- Malicious mining via compromised websites, also known as cryptojacking. This activity takes place in-browser.
- Malware-based cryptomining attacks on a user’s device. This activity relies on the device’s central processing unit (CPU) power.
In 2018, X-Force saw a majority of browser-based mining versus the malware-based variety. In fact, our data shows a nearly 2-1 ratio, respectively. This attack tactic is becoming a rising issue; cryptojacking presents a unique challenge for organizations to detect and mitigate because malicious scripts are almost always hosted outside the organization’s zone of control.
Cryptojacking definitely trended in 2018, but are tides about to turn? X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.
Cryptomining Malware: A Primer
The value and popularity of cryptocurrency have been growing across the globe, and criminals are always looking for ways to generate passive income. One of the ways they tie the two together is by using coin-mining malware. Research from X-Force has addressed cryptocurrency miners before. To review, cryptominers are placed on an infected machine or device and use its native processing power to mine for cryptocurrency.
Historically, threat actors have targeted individual user boxes to drop cryptocurrency miners on, but recent research from X-Force Incident Response and Intelligence Services (IRIS) suggested that since at least 2017, threat actors have also tried to infect targeted internet of things (IoT) devices despite their low processing power.
What Could Be Driving a Shift to Cryptojacking?
Why would threat actors use malicious cryptomining instead of focusing on other attacks such as ransomware, for example? Threat actors can see some success in getting their malware on user devices, but for those motivated by monetary gain, converting that access into spendable currency has always been a challenge.
Over time, cybercriminals have tried different methods, such as selling stolen data, locking a device and demanding ransom payment from its owner, and selling a remote shell to the compromised device to other threat actors who can then deploy their own attack tactics on that device.
All of these tactics primarily require other people to become involved in their success — an option most criminals prefer to forego if only to avoid sharing the spoils. But they can’t sell access or data without a buyer, nor can they profit from ransomware without someone on the other end willing to pay. To minimize interaction with other parties, including victims who may or may not pay, many criminals evidently prefer cryptojacking. These attacks are suited for cybercriminals at any skill level, do not require much in terms of interaction with third parties and can be monetized relatively easily when compared with malware operations such as ransomware and banking Trojans.
To get into user devices, threat actors often deploy cryptomining malware via command injection attacks against enterprise-level assets, such as vulnerable applications in content management systems (CMSs). In instances observed by X-Force IRIS, attackers have attempted to plant malicious images on victims’ machines using wget and curl shell commands when victims simply visit a malicious page via a link in an email or through a compromised site.
2018: The Rise of Cryptomining in the Browser
Browser-based cryptojacking involves a threat actor infecting a web server or website and then injecting a cryptomining script into an otherwise legitimate website. Alternatively, the script can be inserted into an online advertisement, whether malicious or wholly illegitimate, and used with a legitimate ad service so that the script runs every time the browser is open.
X-Force research saw an explosion of cryptojacking activity in 2018, with cryptojacking attacks far exceeding all other forms of coin theft attacks.
Some of this rise in browser-based cryptojacking comes from unintended sources, such as vendors who sell cryptojacking scripts as an alternative to running advertisements on websites. The initial purpose is legitimate, but they can also be used by attackers who run them on compromised websites. One of the largest providers of mining scripts of that type was Coinhive, an organization that pioneered the sale of these scripts. As a result of frequent use of Coinhive scripts in cryptojacking attacks, users and security professionals would often see the name “Coinhive” or “Coinhive.Miner” appear as a malicious issue. In March 2019, Coinhive voluntarily ceased operations.
Figure 1: Cryptojacking attacks exceeded malware cryptomining attacks by a nearly 2-1 ratio in 2018 (source: IBM X-Force)
Cryptojacking Was Big in 2018, So Why Shift to Cryptomining Malware in 2019?
As our data shows, browser-based cryptojacking was big in 2018. But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift.
One possibility is that the recent drop in cryptocurrency prices has made mining in the browser less profitable. Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device. As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up.
Additionally, sharply reduced cryptocurrency value could encourage actors to move to an entirely different revenue stream, causing cryptomining malware to have a higher proportion of activity even though nominal levels may have dropped.
Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks.
Don’t rejoice just yet — browser-based cryptojacking may see a resurgence in the near future due to the recent and sharp drop in the Monero hash rate. A reduced hash rate makes mining each coin less computationally intensive, making cryptojacking a more profitable option despite its lower harvesting power.
Which Should I Worry About More: Browser-Based Cryptojacking or Cryptomining Malware?
The short answer is both. X-Force data indicates that while browser-based cryptojacking was increasingly popular through most of 2018, cryptomining malware made a resurgence at the end of 2018 and into the first quarter of 2019.
Figure 2: IBM X-Force data showing the rise and fall of cryptojacking popularity (source: IBM X-Force)
Browser-based cryptojacking was very popular with threat actors earlier in 2018, likely due to the following factors:
- Without having to use malware and maintain a botnet, browser-based attacks can be easier for cybercriminals to set up compared to other forms of cryptomining attacks.
- Threat actors needed only to infect a single web server to deploy a cryptojacking script to all visitors of that site and any other sites hosted thereon.
- Cryptojacking is tougher for organizations to mitigate than cryptomining malware, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue.
- With browser-based cryptojacking, a threat actor can forego wide-cast infection campaigns and the need to infect myriad devices. Instead, they aim to compromise a few web servers and expect to reach untold numbers of site visitors.
Figure 3: Browser-based cryptojacking resides outside an organization’s zone of control (source: IBM X-Force)
Some Tips for Defenders
Malicious cryptomining and browser-based cryptojacking attacks are plentiful, but they are not impossible to defend against. Here are some tips for defenders from our X-Force IRIS threat intelligence specialists:
- Engage in a thorough risk assessment to determine the acceptable risk appetite for malicious cryptomining activity for the organization.
- Restrict outbound calls to cryptomining pools to help detect and prevent cryptomining within the organization’s environments.
- Where feasible, disable JavaScript in browsers to directly prevent cryptojacking scripts from executing.
- Update host-based detection signatures to include the latest cryptomining malware and, if possible, alert on significantly anomalous processor activity that may be indicative of ongoing cryptomining malware infections.
- Continue updating intrusion detection and prevention system (IDS/IPS) signatures to help block the latest cryptojacking scripts.
- Work closely with network security operations to block traffic to and from known cryptojacking addresses that can be obtained from a threat intelligence provider or maintained internally.
- Educate stakeholders on the difference between browser- and device-based cryptojacking to facilitate better informed conversations on the organization’s cybersecurity posture.
Join X-Force Exchange to stay up to date on cryptojacking campaigns
Senior Cyber Threat Intelligence Analyst - IBM