Authored by Tirath Ramdas (tirath@marklar.co), Principle Consultant at Marklar Marklar Consulting

Cryptojacking is a portmanteau of cryptocurrency and hijacking. When the exchange price of Bitcoin spiked in mid-2017 (lifting up the exchange price of many other cryptocurrencies such as Monero along with it), mining of cryptocurrencies like Bitcoin became correspondingly more attractive. This discussion will be limited in scope to “proof-of-work” based cryptocurrencies, whereby a cryptocurrency may be “found” by computing a hash algorithm. “Proof-of-stake” based systems are generally not targeted by cryptojacking.

The computation required to mine Bitcoin requires a substantial amount of energy, and by design the amount of work required will increase over time. To be profitable, Bitcoin mining generally requires the use of special-purpose hardware located in jurisdictions with low energy costs. This is less true today than it was several years ago when the price of Bitcoin was much lower, but even so, most people generally don’t have access to vast computing resources. The barrier-to-entry to mine Bitcoin on a large scale is actually quite high, which is why the Bitcoin mining industry has consolidated around dedicated mining companies, often operating in jurisdictions like China, where inexpensive energy is available. Suffice to say, for most people, mining Bitcoin is hard.

Alternatively, you can steal them. But if outright stealing Bitcoin offends one’s sense of morality, another approach is to steal the mining power of other people’s computers.

Cryptojacking is the act of mining cryptocurrency on someone’s computer without their explicit permission. If an employee uses company computers to mine cryptocurrency (such as the recent case of an Australian Beaureau of Meteorology employee who used the BOM’s supercomputer facilities to mine Bitcoin - http://www.abc.net.au/news/2018-03-08/bureau-of-meteorology-staff-implicated-in-cryptocurrency-ring/9524208), that is technically an act of crypto-jacking. But more sophisticated (and less risky) approaches are also available.

In January 2018, researchers at Trend Micro discovered a campaign to leverage Google’s DoubleClick ad network to deploy the Coinhive mining script (which mines the Monero cryptocurrency) to end-user browsers via advertising on high-traffic websites (https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-abuses-googles-doubleclick-to-deliver-cryptocurrency-miners/). This clever form of malvertising was not subtle because by it’s very nature, it’s not possible to hide the existence of mining - in order to “discover” a bitcoin a miner must communicate with the Bitcoin network - however, given the scale of DoubleClick many computers were affected. Unlike ransomware, crypto-jacking through malvertising is generally non-destructive to a user’s computer. This audacious attempt was swiftly shut down.

Between the high-focus approach of a rogue employee misusing company assets and the high-visibility scatter-gun approach of malvertising, there exists a middle ground where specific networks may be targeted, such as Russia’s Transneft oil company (https://www.reuters.com/article/us-russia-transneft-cryptocurrency/transneft-says-its-computers-were-used-for-mining-cryptocurrency-idUSKBN1E90X2). It is not clear how the CoinHive payload was delivered into the network in this instance. Phishing emails and drive-by-downloads are viable delivery mechanisms for cryptojacking.

There are several factors that, when combined, make the case that cryptojacking will be around for a long time:

1. The price of cryptocurrencies remains resilient, providing significant motivation.
2. Shadow IT, IoT, BYOD, and other megatrends that make it harder and harder for IT to maintain visibility over their increasingly sprawling network of compute resources provide more and more ground for crypto-jacking to take hold. Even containerisation has been shown to only make the problem worse as it was recently discovered that Docker Hub has been hosting images compromised with crypto-jacking frameworks (https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers).
3. Law enforcement is preoccupied with higher priority cybersecurity issues. Afterall, unlike ransomware, crypto-jacking is non-destructive to data. If poorly executed, cryptojacking may have an impact on system availability, but...
4. … the availability of off-the-shelf quality malware such as CoinHive means that crypto-jacking payloads will become increasingly stealthy and non-destructive to host system availability. A parasite never wants to kill its host.