sb-au logo
Story image

Cryptominers posing a new threat for enterprise IT infrastructures

04 May 2018

As well as viruses, trojans, worms and ransomware attacks, IT managers now have a new threat to worry about: cryptominers.

Following the massive spike in the price of Bitcoin in late 2017 and the associated flurry of public interest, attention has focused on the cryptomining used to create virtual currencies. Cryptomining is the process by which transactions are verified and added to a blockchain as well as the means through which new coins are created.

While many miners invest in powerful hardware designed for this task, others are taking a different strategy. Web-based methods allow website operators to use scripts to mine cryptocurrency within a browser, using the resources of a website visitor. In this way, it becomes possible to mine cryptocurrency without running a dedicated application on a computer owned or controlled by the miner.

The rise of the cryptominer

With interest in cryptocurrencies continuing to grow, there has been a noticeable increase in the volume of cryptomining transactions. During the past six months, Zscaler blocked more than 2.5 billion cryptomining attempts.

There are two key reasons for this dramatic rise. Firstly, following the Bitcoin price spike, legitimate sites are adopting cryptomining as an alternative source of revenue over traditional online advertising. These sites offer visitors a choice between seeing ads or being mined in order to view content.

Secondly, cybercriminals are also taking advantage of the trend by injecting JavaScript code into compromised legitimate sites to conduct cryptomining activities unbeknownst to site owners or visitors. In some cases, malicious advertisements are being leveraged for browser-based cryptomining activities. Finding a target

Traffic analysis shows that the category of domains used most for browser-based cryptomining activity include nudity and pornography websites followed by streaming media. The browsing time for users on video streaming sites tends to be higher than average, allowing miners to maximise their activity as visitors view movies or play games. Interestingly, websites of professional services and marketing organisations also ranked highly. This demonstrates the prevalence of mining activity within corporate networks.  

Enterprise IT infrastructures are being directly affected by the trend in a number of ways. The CPU cycles caused by unwanted and unidentified mining activity result in increased wear and tear on corporate hardware. It also hogs corporate network bandwidth and causes performance issues.

Top five

There are five primary cryptominer tools currently in use. They are:

  • CoinHive: This tool dominates the cryptominer market and represents the vast majority of cryptominers in the enterprise traffic scanned by Zscaler
  • Crypto-Loot: This web-based miner is gaining popularity among attackers and malicious website owners
  • JSE-Coin: This crypto-miner differs technically from other miners as involves the embedding of an external JavaScript file into a website
  • DeepMiner: This is a free, open-source JavaScript library for mining XMR (Monero) or ETN (Electroneum) cryptocurrency and the library can be embedded in a website
  • Minr: This tool currently has relatively low adoption rates compared with the others and requires a website developer to provide an API for access.

Future developments

Analysis of web traffic shows cryptomining is increasing exponentially in popularity. However the practice, whether undertaken with permission or not, raises many questions when it comes to ethics and compliance.

Organisations that unknowingly have cryptomining activities taking place on their networks may be at risk of compliance violations if it is discovered that there are unidentified activities taking place on company systems.

At the same time there are also ethical questions such as whether or not site owners who have granted permission for their site to be cryptomined are responsible for notifying and educating site visitors on how their systems will be affected by this activity. Regardless of the answer, both enterprises and consumers suffer the same effects of cryptomining, including added CPU cycles, increased power use, and hardware erosion.

There is also an increased risk of exposure to malware due to the use of JavaScript by many  cryptominer tools. Once injected into a site, JavaScript code can be easily manipulated by a cybercriminal for other uses, potentially exposing consumers and employees in enterprises to other harmful attacks.

To further complicate the situation, there is no clarity around regulation and disclosure requirements when it comes to cryptomining. While this will happen, it’s likely to take governments some time to come to terms with the trend and its implications.

While organisations need to be aware of the implications of cryptomining, individuals should also ensure they are prepared for any unwanted activity. It is important to constantly watch out for a sudden spike in memory use that causes the PC to become slow and only allow JavaScript to run when visiting trusted websites.

Cryptomining is going to continue to grow rapidly and so awareness and preparation is vital. Take the time to ensure your organisation is ready for this new threat.

Article by Zscaler vice president of Asia Pacific and Japan, Scott Robertson.

Story image
Investing in digital trust for the post-pandemic business landscape
Business leaders in 2021 need to make sustainable investments to give their organisations a much-needed resilience boost to tackle new disruptions, while still enabling growth.More
Story image
Countering the evolving threat of ransomware
Cyber-criminals will continue to change their methods to maximise the chance of success, writes Zscaler regional vice president and A/NZ country manager Steve Singer.More
Story image
Quantum extends Veeam partnership in a bid to protect against ransomware
“Quantum continues to expand its partnership with us and we are pleased to add ActiveScale object storage to a select group of S3 targets that can provide robust ransomware protection for our joint customers."More
Story image
Kaseya acquires RocketCyber to bring SOC solutions to more businesses
"With this acquisition, we've doubled down on our security investments to provide our customers with access to experts who can continuously monitoring their IT environments without the cost and complexity of disparate tools.”More
Story image
Cyber-risk to critical infrastructure reaches all-time high — report
New research from Nozomi Networks Labs found that attackers are doubling down on high-value targets and weaponising the software supply chain.More
Story image
CSO Group scores AU$16m deal with NSW Government
The deal focuses on the refresh and uplift of cybersecurity capabilities and technologies for the cloud, endpoint and email, leveraging the recently launched CSO Managed Security Service.More