Did you know that malicious hackers may be using your website to illegally mine digital currency, even though your company doesn't handle Bitcoin, Monero, Ethereum or any other cryptocurrency? Attackers recently planted cryptocurrency-mining malware in Tesla's AWS cloud environment after finding an exposed Kubernetes console.
Even the internal server used for developing prototypes and new products at SEWORKS was targeted. In our case (and since we are security experts), we noticed our server was running slowly. After thoroughly analyzing the server, we uncovered XMR (Monero) mining code and shut down the attack before any damage occurred.
Why are these attacks happening? The cryptocurrency market is red hot, with some forecasts that it could hit $1 trillion this year. Mining cryptocurrency, however, requires enormous computing power. Put simply, hackers find it cheaper to mine by infiltrating someone else's CPU or GPU capacity, on premises and in the cloud, than to pay for it themselves.
Remember, not only can a company's website be compromised, but the computers, phones and devices of its visitors are at risk as well. And because of the malicious behavior, businesses may find that Google Safe Browsing flags the compromised website and browsers block access to it, cutting off customers, prospects and partners, causing financial damage and shredding the company's reputation.
With every indication that the crypto-jacking trend will continue to escalate, here are some important issues companies and their IT departments should consider.
Which websites are in hackers’ crosshairs?
Typically, hackers look for anything that can add computing power to their mining. In Tesla's case, that meant another company's cloud compute. Another target is high-traffic websites, where the browsers of unsuspecting visitors are hijacked: a mining script injected into the page runs in every visitor's browser, so the attacker also harvests the computing power of visitors' computers, phones and tablets.
On mobile devices we have seen increasingly sophisticated techniques, including malicious botnets and trojanized or phishing apps. Although the user may see increased battery drain and a slightly less responsive device, they may not connect it to crypto-jacking.
Symptoms that a web or mobile app is being used for crypto-mining are rarely obvious. Crypto-jacking does not always take the form of malware; it can run as ordinary program code, for instance a mining script served alongside a legitimate page. Many zombie PCs (botnets) formerly used for DDoS attacks are now being put to crypto-mining. Attackers also often prefer servers, because there is no user sitting in front of them to notice the slowdown.
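A practical first check for a website owner is to look at what the site actually serves: if a miner has been injected, it shows up as an extra script tag or an inline script that a normal page would never carry. The scanner below is an added example written for this article, not SEWORKS code; it runs on two constructed pages (one clean, one with a Coinhive-style loader plus a generic WebAssembly miner), and the blocklist and indicator patterns are deliberately short illustrations of the idea rather than a production rule set.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages, not taken from any real site. The coinhive.com script URL and the
# CoinHive.Anonymous(...) call match the well-known (now defunct) Coinhive browser miner; the
# site key is a placeholder. The second inline script imitates a generic WebAssembly miner.
INJECTED_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
miner.start();
</script>
<script>
var threads = navigator.hardwareConcurrency;
var ws = new WebSocket('wss://cdn.example.org/proxy');  // relays to a stratum pool
WebAssembly.instantiate(wasmBytes).then(function () { for (var i = 0; i < threads; i++) new Worker('w.js'); });
</script>
</body></html>"""

CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>document.getElementById('cart').addEventListener('click', checkout);</script></body></html>"""

# Short illustrative blocklist; a real check would use a maintained list such as NoCoin's.
KNOWN_MINER_HOSTS = {"coinhive.com", "authedmine.com", "crypto-loot.com"}

# A direct call into a known miner library, and the generic building blocks of an in-browser
# miner: a WebAssembly hash loop, one Worker per core, and a WebSocket to a stratum proxy.
MINER_API_RE = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")
GENERIC_INDICATORS = {
    "WebAssembly": re.compile(r"\bWebAssembly\b"),
    "Worker": re.compile(r"\bnew\s+Worker\s*\("),
    "hardwareConcurrency": re.compile(r"\bhardwareConcurrency\b"),
    "WebSocket": re.compile(r"\bWebSocket\s*\("),
    "stratum/proxy": re.compile(r"stratum|/proxy\b", re.IGNORECASE),
}
GENERIC_THRESHOLD = 3  # indicators that must co-occur before an inline script is flagged


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _is_known_miner_host(host):
    return any(host == h or host.endswith("." + h) for h in KNOWN_MINER_HOSTS)


def scan_html(html):
    """Return a list of (location, reason) findings; an empty list means nothing suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        # Absolute and protocol-relative URLs carry a host; site-relative paths do not.
        host = (urlparse(src).hostname or "").lower()
        if host and _is_known_miner_host(host):
            findings.append(("external-script", f"{src}: known miner host {host}"))
    for idx, body in enumerate(parser.inline):
        if MINER_API_RE.search(body):
            findings.append((f"inline-script#{idx}", "direct miner API call (CoinHive.*)"))
            continue
        hits = [name for name, rx in GENERIC_INDICATORS.items() if rx.search(body)]
        if len(hits) >= GENERIC_THRESHOLD:
            findings.append((f"inline-script#{idx}", "generic miner indicators: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

Run it against the HTML your own server returns for a few top pages, and run it from outside the network as well: some injections only serve the miner to real visitors and hide it from requests that look like a crawler or an administrator.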
What are the signs?
The dilemma is that crypto-jacking may not raise warning flags. Since the attacker is consuming computing power, server overload is one possible indicator. Employees' computers may run slower, but if the miner is throttled so the machine is never fully pegged, nobody may notice.
A computer's fan may run constantly, or a browser may become sluggish while mining is happening; battery life may be shorter. As mentioned, these signals can be so subtle that they are easily overlooked.
To avoid detection, attackers may restrict mining to slow periods, such as after hours or weekends. A company can track how much computing power is being used and watch for spikes or steady, unexplained rises, but these metrics are not always collected, and when they are, a per-hour baseline is needed to tell an after-hours rise from ordinary daytime load.
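Here is what that per-hour baseline looks like in practice. This is an added example for this article, not SEWORKS tooling: it builds a robust (median and MAD) baseline for each hour of a weekday and each hour of a weekend day from the first week of hourly CPU samples, then flags runs of consecutive hours that sit well above their own hour's baseline. The sample data is constructed, with a miner that only runs between 22:00 and 06:00 from day 11 onward, exactly the after-hours pattern described above.

```python
from datetime import datetime, timedelta
from statistics import median


def synthetic_samples(days=14, incident_start_day=11):
    """Constructed hourly CPU utilization (%) for one server; not real telemetry.
    Normal pattern: busy 09:00-18:00 on weekdays, idle otherwise. From incident_start_day on,
    a miner adds 60 points of load between 22:00 and 06:00, when nobody is watching."""
    start = datetime(2018, 3, 5)  # a Monday
    samples = []
    for h in range(days * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() < 5 and 9 <= ts.hour < 18
        value = (55.0 if busy else 8.0) + (h * 7) % 5  # deterministic jitter, 0..4
        if h // 24 >= incident_start_day and (ts.hour >= 22 or ts.hour < 6):
            value += 60.0  # the cryptojacker's after-hours mining
        samples.append((ts, value))
    return samples


def hourly_baseline(samples, baseline_days=7):
    """Per (weekend?, hour-of-day) median and MAD over the first baseline_days of data."""
    cutoff = samples[0][0] + timedelta(days=baseline_days)
    buckets = {}
    for ts, value in samples:
        if ts < cutoff:
            buckets.setdefault((ts.weekday() >= 5, ts.hour), []).append(value)
    stats = {}
    for key, values in buckets.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        stats[key] = (med, mad)
    return stats, cutoff


def sustained_anomalies(samples, baseline_days=7, k=5.0, min_delta=10.0, min_run=3):
    """Return runs of at least min_run consecutive hours whose utilization exceeds the robust
    threshold for that hour: median + max(k * MAD, min_delta). Each run is a list of
    (timestamp, value, threshold). min_delta keeps a nearly constant hour from alerting on
    a few points of noise; min_run drops one-off spikes and keeps sustained load."""
    stats, cutoff = hourly_baseline(samples, baseline_days)
    runs, current = [], []
    for ts, value in samples:
        if ts < cutoff:
            continue  # baseline period is not scored
        med, mad = stats[(ts.weekday() >= 5, ts.hour)]
        threshold = med + max(k * mad, min_delta)
        if value > threshold:
            current.append((ts, value, threshold))
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


if __name__ == "__main__":
    for run in sustained_anomalies(synthetic_samples()):
        peak = max(v for _, v, _ in run)
        print(f"{run[0][0]} .. {run[-1][0]}: {len(run)}h sustained, peak {peak:.0f}%")
```

On the constructed data the three full after-hours blocks are reported and the ordinary business-day load never is, because each hour is compared with its own history rather than with a single server-wide threshold. Real telemetry needs a longer baseline than one week and should also be re-baselined after legitimate changes (a new deployment, a batch job), or the miner's load quietly becomes the new normal.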
Protecting your website from crypto-jacking
Although you may believe your network has sufficient security measures, your website can still be vulnerable to crypto-jacking. To determine whether your website is susceptible or actually under attack, endpoint security and network-traffic monitoring are useful tactics: a miner has to talk to a mining pool, and that traffic (the Stratum protocol, usually plain-text JSON-RPC on a handful of well-known ports unless the attacker wraps it in TLS) is visible from the network even when the host shows nothing.
However, a highly recommended approach is to conduct a simulated attack, a penetration test, to uncover vulnerabilities an attacker could exploit. Here are several penetration testing methodologies to consider:
- Manual pen testing. White hat security consultants test your website using the tools and techniques of a malicious hacker. This approach requires specific expertise and can be expensive in both time and resources. Consultants are often well-versed in web languages such as PHP, Python, Node.js, Ruby and others. They can also infer likely attacks from error messages and database queries, and identify developer mistakes caused by a lack of secure coding. A consultant may hold certifications such as CISSP, but experience is the critical factor. Manual reports typically take longer to compile. While consultants sometimes use automated tools as well, most of the testing is done by hand. Keep in mind that outside consultants will see the company's undisclosed data and may be given admin access, so scoping and confidentiality agreements matter.
- Automated pen testing. Automated testing plays an important role in the security professional's toolkit. Scanners such as Qualys, Veracode and Acunetix can quickly evaluate systems, networks and applications against a wide range of known weaknesses. Automation reduces human error, is cheaper and faster, and produces results and reports more quickly. However, the automated checks are limited to what the tool already knows, which may mean additional customization charges and, eventually, hiring security consultants anyway.
- Pen testing driven by artificial intelligence. Security trends and hacking techniques evolve rapidly, and automated attacks require defenders to take more advanced, proactive measures. AI-driven pen testing is not dependent on the skill set of an individual consultant. With each attempt, the models incorporate newly discovered vulnerabilities, continuously improving and expanding detection capability. In-depth security reports are typically available more quickly as well.
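To make the network-monitoring side concrete, here is a small classifier, added for this article and not part of SEWORKS' products, that runs over constructed flow records (think of a Zeek conn.log entry plus the first client payload). It recognises the Stratum handshake (the `login` method used by Monero miners such as XMRig, and `mining.subscribe` used by Bitcoin-style miners), the `stratum+tcp://` URL scheme, and, as weaker evidence, a long-lived connection to a port that mining pools commonly use. The IP addresses, wallet address and agent strings are placeholders.

```python
import json
import re

# Constructed flow records, not real captures. 10.0.1.0/24 is an imaginary dev network.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "203.0.113.10", "dport": 443, "duration_s": 12,
     "payload": "\x16\x03\x01\x02\x00\x01\x00\x01\xfc"},                      # ordinary TLS ClientHello
    {"src": "10.0.1.15", "dst": "10.0.2.4", "dport": 8080, "duration_s": 1,
     "payload": "GET /api/health HTTP/1.1\r\nHost: api.internal\r\n\r\n"},
    {"src": "10.0.1.22", "dst": "198.51.100.7", "dport": 5555, "duration_s": 7200,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"WALLET_ADDRESS_PLACEHOLDER","pass":"x","agent":"XMRig/2.6.3"}}\n'},
    {"src": "10.0.1.22", "dst": "198.51.100.9", "dport": 3333, "duration_s": 3600,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'},
    {"src": "10.0.1.30", "dst": "198.51.100.20", "dport": 14444, "duration_s": 86400,
     "payload": "\x16\x03\x01\x00\xc5\x01\x00\x00\xc1"},                      # stratum+ssl: TLS hides the JSON
    {"src": "10.0.1.30", "dst": "203.0.113.50", "dport": 3333, "duration_s": 2,
     "payload": '{"id":7,"jsonrpc":"2.0","method":"status","params":{}}\n'},  # same port, not Stratum
]

# First-message methods of the Monero (login/getjob/submit/keepalived) and Bitcoin-style
# (mining.*) Stratum dialects.
STRATUM_METHODS = {"login", "getjob", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}
MINER_AGENT_RE = re.compile(r"xmrig|xmr-stak|cpuminer|ccminer|cgminer|minerd", re.IGNORECASE)
# Ports pools commonly listen on; only a hint, since nothing stops a pool using 443.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 14433}
LONG_LIVED_S = 3600


def classify_flow(flow):
    """Return (confidence, reason); confidence is 'high', 'medium' or None."""
    payload = flow.get("payload", "")
    # 1. Stratum is newline-delimited JSON-RPC and the first client message names its method.
    first_line = payload.lstrip().split("\n", 1)[0]
    try:
        msg = json.loads(first_line)
    except ValueError:
        msg = None
    if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
        params = msg.get("params")
        agent = ""
        if isinstance(params, dict):                       # Monero dialect: params.agent
            agent = str(params.get("agent", ""))
        elif isinstance(params, list) and params and isinstance(params[0], str):
            agent = params[0]                              # Bitcoin dialect: params[0] is the agent
        reason = f"Stratum '{msg['method']}' to port {flow['dport']}"
        if MINER_AGENT_RE.search(agent):
            reason += f", miner agent '{agent}'"
        return "high", reason
    # 2. Some miners send their pool URL in the clear (for example in a proxy handshake).
    if "stratum+tcp://" in payload or "stratum+ssl://" in payload:
        return "high", "stratum:// URL in payload"
    # 3. Weak evidence: a long-lived connection to a typical pool port whose content is opaque.
    if flow["dport"] in COMMON_POOL_PORTS and flow.get("duration_s", 0) >= LONG_LIVED_S:
        return "medium", f"{flow['duration_s'] // 3600}h connection to common pool port {flow['dport']}"
    return None, ""


def scan_flows(flows):
    """Return (confidence, src, dst, dport, reason) for every flow that looks like mining."""
    hits = []
    for flow in flows:
        confidence, reason = classify_flow(flow)
        if confidence:
            hits.append((confidence, flow["src"], flow["dst"], flow["dport"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

The port-and-duration rule deliberately ranks lower than the protocol match: a short JSON-RPC call to port 3333 in the sample is left alone, while the day-long TLS session to port 14444 is only reported as medium confidence and should be confirmed against host-side evidence such as the CPU pattern of the source machine. When the attacker uses TLS to a pool on port 443, network data alone will not settle it, which is why endpoint monitoring is listed alongside it.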
It’s critical that your business deploys security protection. In our case, we were able to find the mining code and patch it, but it's alarming that it passed AWS security standards.
To guard against crypto-mining, enterprise security and IT teams must closely monitor endpoint and server activity. Regular pen testing, keeping system daemons and OS packages patched with every release, a patch-management process, and promptly applying vendor updates to cloud servers are all recommended. Remember, offensive security is the best defense against crypto-jacking!