Downsides and Dangers of Cryptominers
While “cryptojacking”— whereby a website visitors’ CPU is “borrowed” to mine for cryptocurrency — has been grabbing headlines with its rapid growth, I’ve read a few blasé comments from a few IT pros that suggest the downsides and real security risks associated with cryptomining aren’t well understood.
Cryptomining Malware: Some cryptominers are malware that use system exploits to install themselves, communicating with Command & Control servers via a backdoor. Even code that is initially written for cryptomining could at some point be changed and used to push ransomware if the threat actor that planted the code suddenly decides he isn’t making enough money.
Server-jacking: Businesses are being targeted by criminal cryptomining organizations that seek more powerful resources for CPU power through servers and server farms. Hackers recently gained access to Amazon Web Services (AWS) accounts and hijacked servers for cryptomining (Amazon’s customers got stuck with higher bills for compute time). Reports also continue to surface of hackers gaining access to unprotected server systems in hospitals and other businesses.
PC Throttling: There has been a lot of talk around CPU activity and the effect cryptomining has on it. The truth is that cryptomining consumes significant processing power — a typical cryptomining script uses 60% to 70% of a CPU. If multiple tabs are open in the browser window, and all of them are engaged in mining activity, CPU activity will quickly hit the 100% mark, causing other system activities to fail and shut down.
Infra & Asset Costs: Energy demands for mining cryptocurrencies are skyrocketing. In fact, one recent study suggests the electricity used to mine for Bitcoin in 2017 exceeded the annual energy consumption of 159 countries. At a minimum, cryptomining activity will show up somewhere in electricity bills, and it could be a lot. It may not seem dire, but increased processor activity obviously also heats devices and will add to wear and tear with constant use. Perhaps in some near future we’ll read about some smart phone exploding due to excessive mining activity.
Supporting Criminals: A broader consideration is that Monero is both the most common cryptocurrency being mined via websites and is also used by a wide range of dark web criminals, including drug and human traffickers, primarily because it is untraceable. Imagine a scenario where one of your employees surfs to a legitimate website that has been hacked by a criminal drug gang for cryptomining purposes. There are few legitimate companies out there that would want their business or their employees financing criminal enterprises simply because they’re unknowingly allowing their laptops or servers to be used for cryptomining.
Mad for Power
To understand the phenomenon and why this new “business model” and the associated risks are here to stay, we should return to the point above that cryptocurrency mining is energy intensive. Part of what is driving cryptojacking is the need not only for computing power to solve the necessary algorithms, but also for associated quick, easy, and cheap power sources — which is what URL-based mining also delivers by distributing the task over thousands of user PCs, corporate servers, and even IoT devices — anything with a processor.
Cryptojacking and the Future
Given the rising values of cryptocurrencies and my comments above on the role of distributed computing power and energy in cryptomining, we should all have the expectation that cryptomining activity will only increase into the future. We’re just seeing the tip of the potential iceberg so far, with some incipient security challenges around growing obfuscation of cryptomining code, and of course ongoing evolution of cryptomining malware.
At the moment we’re noting three main website types engage in cryptomining — torrent, adult content, and video streaming sites (although there are a handful of other types of sites —legitimate and otherwise, that also have cryptomining script activity), and most of them are not among the largest sites globally. It remains to be seen whether more legitimate web operations will embrace the approach, but you can count on illegitimate and malicious use of cryptomining to grow robustly.
Sigurdur “Siggi” Stefnisson is vice president of threat detection at Cyren, an Internet Security as a Service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions.