What Is Cryptomining Attack and How to Prevent Such Attack
The price of Bitcoin, the recognized leader among thousands of cryptocurrencies, has skyrocketed from $100 in 2013 to nearly $60,000 in March 2021.
The dizzying rise, not just of Bitcoin but of other cryptocurrencies as well, has fueled the cyberattack known as a “cryptomining attack.”
What Is Cryptomining Attack?
In a cryptomining attack, also known as cryptojacking, an attacker uses other people’s computing power to mine cryptocurrency, without the knowledge or permission of the owners of that computing power.
Bitcoin and other cryptocurrencies are virtual currencies. They only exist online and they’ve no physical notes or coins.
If done with the knowledge and permission of the computing power owner, cryptomining is legal. It’s important to note, however, that some countries ban cryptomining and cryptocurrency in general.
Many cryptocurrencies rely on cryptomining: using the processing power of computers to solve computationally expensive puzzles (proof of work) that verify cryptocurrency transactions. Miners, in turn, are rewarded with a certain amount of cryptocurrency for the computing power they contribute.
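To make the “computationally expensive puzzle” concrete, here is a toy proof-of-work miner added for this article (it is not code from the article or from any cryptocurrency project). It uses Bitcoin-style double SHA-256 over a header and a nonce; Monero’s RandomX hash is different, but the search loop, and the reason it burns CPU, are the same. The header bytes are a constructed placeholder.

```python
import hashlib
import struct


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style hashcash: double SHA-256 over header || little-endian 32-bit nonce."""
    return hashlib.sha256(hashlib.sha256(header + struct.pack("<I", nonce)).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits; a valid hash needs at least `difficulty_bits` of them."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs a single hash, however long the search took."""
    return leading_zero_bits(pow_hash(header, nonce)) >= difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 2**32):
    """Brute-force nonces until the hash meets the target.

    Returns (nonce, digest, attempts). Expected attempts are about 2**difficulty_bits,
    which is why mining is CPU-bound and why stolen CPU time converts into coins.
    """
    for nonce in range(max_nonce):
        digest = pow_hash(header, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    raise RuntimeError("nonce space exhausted; difficulty too high for a 32-bit nonce")


if __name__ == "__main__":
    # Constructed header: a previous-hash placeholder plus a fake transaction root.
    header = b"prev:" + b"\x00" * 32 + b"|txroot:demo"
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:<7d} attempts={attempts:<7d} hash={digest.hex()[:16]}...")
```

Each extra bit of difficulty doubles the expected work while verification stays constant, which is the asymmetry a cryptojacker exploits: the victim pays for the search, the attacker collects the reward.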
Cryptomining can run on physical computers or on cloud computing resources. On physical computers, a cryptomining attack is often detected through a noticeable slowdown in device performance, reduced productivity of the people using the device, and unexpected increases in electricity costs.
With cloud-based cryptomining attacks, threat actors can illicitly use cloud computing resources for a long time without detection. Typically, such attacks are only discovered when the victim receives an inflated cloud usage bill.
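Waiting for the monthly invoice is the slowest possible detector. The following example, added here and not part of the original article, shows the kind of daily billing check a practitioner would script against a cost export: it flags a region/service whose daily spend jumps well above its recent median, and any spend that appears in a region/service that was never used before (a common sign of stolen cloud credentials being used to launch instances). The daily cost rows are constructed sample data, not a real bill.

```python
from collections import defaultdict
from statistics import median

# Constructed daily cost export: (date, region, service, usd). Not real billing data.
DATES = [f"2021-03-0{d}" for d in range(1, 9)]
EC2_US_EAST_1 = [410.0, 398.0, 421.0, 405.0, 415.0, 402.0, 1150.0, 1190.0]  # jumps on 03-07
S3_US_EAST_1 = [12.0, 12.4, 12.1, 13.0, 12.6, 12.9, 13.3, 13.1]             # steady, small
EC2_AP_SOUTHEAST_1 = {"2021-03-07": 900.0, "2021-03-08": 940.0}             # region never used before

SAMPLE_ROWS = (
    [(d, "us-east-1", "AmazonEC2", c) for d, c in zip(DATES, EC2_US_EAST_1)]
    + [(d, "us-east-1", "AmazonS3", c) for d, c in zip(DATES, S3_US_EAST_1)]
    + [(d, "ap-southeast-1", "AmazonEC2", c) for d, c in EC2_AP_SOUTHEAST_1.items()]
)


def detect_cost_anomalies(rows, window=7, ratio=2.0, floor=50.0):
    """Return one finding per (date, region, service) whose spend looks suspicious.

    Two deliberately simple rules, cheap enough to run from a daily cron job:
      1. spend > ratio * median of the previous `window` days for that region/service
      2. first-ever spend in a region/service that did not exist on the first day of the export
    `floor` suppresses noise from services that cost a few dollars a day.
    """
    first_day = min(r[0] for r in rows)
    by_key = defaultdict(list)
    for date, region, service, usd in sorted(rows):
        by_key[(region, service)].append((date, usd))

    findings = []
    for (region, service), series in by_key.items():
        for i, (date, usd) in enumerate(series):
            if usd < floor:
                continue
            history = [u for _, u in series[max(0, i - window):i]]
            if not history:
                if date > first_day:  # ISO dates compare correctly as strings
                    findings.append({"date": date, "region": region, "service": service, "usd": usd,
                                     "reason": "first spend in a previously unused region/service"})
                continue
            baseline = median(history)
            if usd > ratio * baseline:
                findings.append({"date": date, "region": region, "service": service, "usd": usd,
                                 "reason": f"{usd / baseline:.1f}x the {len(history)}-day median of {baseline:.0f} USD"})
    return findings


if __name__ == "__main__":
    for f in detect_cost_anomalies(SAMPLE_ROWS):
        print(f"{f['date']} {f['region']:<15} {f['service']:<10} {f['usd']:>8.2f}  {f['reason']}")
```

On the sample data this reports the two inflated us-east-1 EC2 days and the first day of spend in ap-southeast-1. Note the caveat in rule 2: the second day in the new region is not flagged, because its only history is the first anomalous day, so a new region should stay on a watch list for at least a full window rather than being alerted once and forgotten.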
Prevalence of Cryptomining Attacks
Cryptomining attacks have been around for years. A noticeable uptick occurred in late 2017, when the Bitcoin price approached $20,000.
Internet-Exposed Kubernetes Console
In February 2018, researchers at RedLock reported that Tesla had fallen victim to a cryptomining attack. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock researchers said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
The cryptocurrency mined with Tesla’s computing resources was Monero. At the time of writing, the price of Monero is $261.57.
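Two of the conditions RedLock describes, cloud credentials sitting in a pod and a console reachable without a login, can be checked from a pod listing. The example below is added here and is not RedLock’s or Tesla’s code; it walks the JSON shape that `kubectl get pods -A -o json` produces and flags inline AWS credentials in container environment variables, plus Kubernetes Dashboard containers started with flags that weaken its login screen (`--enable-skip-login`, `--enable-insecure-login`). The pod list is a constructed stand-in, and the credential values are AWS’s documented example keys, not live ones.

```python
import re

AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SENSITIVE_ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Kubernetes Dashboard flags that let a visitor skip or weaken authentication.
DASHBOARD_WEAK_FLAGS = {"--enable-skip-login", "--enable-insecure-login"}

# Constructed stand-in for `kubectl get pods -A -o json`. Credentials are AWS's
# published example values, not real keys.
SAMPLE_PODS = {
    "items": [
        {"metadata": {"namespace": "telemetry", "name": "ingest-7f9c"},
         "spec": {"containers": [{
             "name": "ingest", "image": "example/ingest:1.0",
             "env": [{"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                     {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                     {"name": "AWS_REGION", "value": "us-west-2"}]}]}},
        {"metadata": {"namespace": "kube-system", "name": "kubernetes-dashboard-5b7"},
         "spec": {"containers": [{
             "name": "kubernetes-dashboard", "image": "kubernetesui/dashboard:v2.0.0",
             "args": ["--auto-generate-certificates", "--enable-skip-login"]}]}},
        {"metadata": {"namespace": "api", "name": "api-6d4"},
         "spec": {"containers": [{
             "name": "api", "image": "example/api:2.3",
             "env": [{"name": "AWS_ACCESS_KEY_ID",
                      "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "id"}}}]}]}},
    ]
}


def scan_pods(pod_list):
    """Return findings for inline cloud credentials and weakened dashboard auth."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        where = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                value = env.get("value")
                if value is None:
                    continue  # valueFrom (secretKeyRef etc.) is not an inline literal
                if env["name"] in SENSITIVE_ENV or AWS_KEY_ID.search(value):
                    findings.append({"pod": where, "container": c["name"],
                                     "kind": "inline-credential", "detail": env["name"]})
            for flag in c.get("args", []) + c.get("command", []):
                if flag.split("=")[0] in DASHBOARD_WEAK_FLAGS:
                    findings.append({"pod": where, "container": c["name"],
                                     "kind": "dashboard-auth-weakened", "detail": flag})
    return findings


if __name__ == "__main__":
    for f in scan_pods(SAMPLE_PODS):
        print(f"{f['kind']:<24} {f['pod']} ({f['container']}): {f['detail']}")
```

The `secretKeyRef` case is deliberately not flagged, but that is only a partial improvement: a long-lived access key is still readable by anyone who can read the pod, which is exactly how the pod in the Tesla case became a path into AWS. The durable fix is to give pods short-lived credentials via the cloud provider’s workload identity mechanism instead of static keys, and to never expose the Kubernetes console without authentication in front of it.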
QNAP NAS Vulnerabilities
Researchers at 360 Netlab reported that on March 2, 2021, they detected attacks targeting QNAP NAS devices through two unauthorized remote command execution vulnerabilities, CVE-2020-2506 and CVE-2020-2507.
CVE-2020-2506 is a vulnerability in QNAP NAS devices that allows attackers to compromise the security of the device’s software, gaining elevated privileges or reading sensitive information. CVE-2020-2507 is a command injection vulnerability in QNAP NAS devices that allows remote attackers to run arbitrary commands.
Successful exploitation of CVE-2020-2506 and CVE-2020-2507, the 360 Netlab researchers said, gave the attacker root privileges on the devices, which were then used for cryptomining. The researchers named the malicious software (malware) that exploits these two vulnerabilities and mines cryptocurrency on the devices “UnityMiner.”
UnityMiner, the researchers said, hides the illicit mining process and the real CPU and memory usage, so QNAP users who check system usage through the web management interface cannot see the abnormal behavior.
In January 2021, Imperva researchers reported a botnet whose primary activities included cryptomining attacks.
A botnet, also known as a zombie army, is a group of hijacked internet-connected computers, each infected with malware and remotely controlled by an attacker to perform malicious activities such as cryptomining. According to the Imperva researchers, the malware they discovered exploited the vulnerability designated CVE-2021-3007.
There are two conflicting claims about CVE-2021-3007: one is that it is a Zend Framework vulnerability that can lead to remote code execution; the other is that it is a “vulnerability in the PHP language itself.”
According to the Imperva researchers, successful exploitation of CVE-2021-3007 lets the attackers run XMRig, a legitimate open-source program that uses system CPUs to mine the cryptocurrency Monero. Cybercriminals abuse XMRig to earn mining revenue by running it on victims’ computing resources.
Once a computer has been enslaved in a botnet, there is no limit to what the attacker can do with it. In addition to illicit cryptomining, your organization’s computers could be used for other malicious activities such as distributed denial-of-service (DDoS) attacks.
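Both the UnityMiner and the XMRig cases above come down to the same host-level question: is a process on this machine mining? The example below is added here and is not code from the article, 360 Netlab or Imperva. It runs the checks a responder would do by hand over raw `ps` and `ss` output: XMRig-style command-line options and `stratum+tcp://` pool URLs (strong signal), outbound connections to ports commonly used by mining pools, a process named like a kernel thread but backed by a file on disk, and sustained high CPU (weak signal, reported at low confidence so a video encoder does not become a false positive). The two sample outputs are constructed, with TEST-NET addresses; the port list and kernel-thread names are heuristics, not a complete list.

```python
import re

# Constructed sample output of `ps -eo pid,pcpu,comm,args`; not captured from a real host.
SAMPLE_PS = """\
  PID %CPU COMMAND         COMMAND
    1  0.0 systemd         /sbin/init
  812  1.2 postgres        postgres: checkpointer
 4112 97.5 kswapd0         /tmp/.x/kswapd0 -o stratum+tcp://pool.example.invalid:3333 -u 44AAAAexample --donate-level 1 --coin monero
 4200 85.0 ffmpeg          ffmpeg -i in.mp4 out.mkv
 5300  0.3 sshd            sshd: user@pts/0
"""

# Constructed sample output of `ss -tnp`, using documentation (TEST-NET) addresses.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:49812     203.0.113.10:3333 users:(("kswapd0",pid=4112,fd=7))
ESTAB 0      0      10.0.0.5:51020     198.51.100.9:5432 users:(("postgres",pid=812,fd=9))
ESTAB 0      0      10.0.0.5:51010     198.51.100.7:443  users:(("curl",pid=6001,fd=3))
"""

# Heuristics. XMRig-style options and pool URLs are strong signals; the port list and the
# CPU threshold are weak ones that exist to surface candidates for a human to look at.
MINER_CMDLINE = re.compile(
    r"stratum\+(tcp|ssl)://|--donate-level|--coin[ =]|\b(xmrig|minerd|cpuminer|xmr-stak)\b", re.I)
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 14433}
KERNEL_THREAD_NAMES = {"kswapd0", "kthreadd", "ksoftirqd", "kworker", "migration"}
CPU_THRESHOLD = 80.0

PS_LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(.*)$")
SS_LINE = re.compile(r'(\S+):(\d+)\s+users:\(\("[^"]+",pid=(\d+)')


def parse_ps(text):
    """Yield (pid, cpu, comm, args) per process line; the header does not match the regex."""
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            yield int(m.group(1)), float(m.group(2)), m.group(3), m.group(4)


def parse_ss(text):
    """Map pid -> list of (peer_ip, peer_port) for established TCP connections."""
    conns = {}
    for line in text.splitlines():
        m = SS_LINE.search(line)
        if m:
            conns.setdefault(int(m.group(3)), []).append((m.group(1), int(m.group(2))))
    return conns


def find_miners(ps_text, ss_text):
    conns = parse_ss(ss_text)
    findings = []
    for pid, cpu, comm, args in parse_ps(ps_text):
        reasons = []
        cmdline_hit = bool(MINER_CMDLINE.search(args))
        if cmdline_hit:
            reasons.append("miner-style command line")
        pool_hits = [f"{ip}:{port}" for ip, port in conns.get(pid, []) if port in POOL_PORTS]
        for peer in pool_hits:
            reasons.append(f"connection to {peer} (common stratum pool port)")
        # A genuine kernel thread is listed as "[kswapd0]" with no executable path.
        masquerade = comm in KERNEL_THREAD_NAMES and not args.startswith("[")
        if masquerade:
            reasons.append(f"named like kernel thread {comm} but backed by {args.split()[0]}")
        if cpu >= CPU_THRESHOLD:
            reasons.append(f"{cpu:.0f}% CPU")
        if not reasons:
            continue
        if cmdline_hit:
            confidence = "high"
        elif pool_hits or masquerade:
            confidence = "medium"
        else:
            confidence = "low"
        findings.append({"pid": pid, "comm": comm, "cpu": cpu,
                         "confidence": confidence, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_miners(SAMPLE_PS, SAMPLE_SS):
        print(f"[{f['confidence']}] pid={f['pid']} {f['comm']}: " + "; ".join(f["reasons"]))
```

Run the checks from a shell on the device, not from its web interface: the UnityMiner case above is a reminder that a management UI can be made to lie about CPU usage, whereas `ps` and `ss` read the kernel’s own view of processes and sockets. Even those can be hidden by a rootkit, so a disagreement between what the UI, the process list and the power draw or cloud bill say is itself a finding.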
Best Practices to Prevent Cryptomining Attacks
Here are some best practices to prevent threat actors from using your organization’s computing power for illicit cryptomining:
Steve E. Driz, I.S.P., ITCP