The rise of digital currencies is driving a revolution in international commerce, financial inclusion and technology innovation. But, as with many new online platforms, there is also a darker flipside starting to emerge. Illegal crypto-currency mining known as crypto-jacking has been flagged by experts for years, but now malicious activity is really escalating and its impact on organisations could reach well beyond impaired server performance.
The bottom line is that firms that fail to patrol their networks and kick out crypto-mining malware could find themselves exposed to a great deal more risk than higher energy bills.
Down the digital mine
Crypto-currency investing is nothing short of a 21st century gold rush. Around the world, entrepreneurs, nation states and cybercrime gangs are looking to get rich quick by extracting more blockchain-based digital currencies like Bitcoin and Monero. The process of mining currency essentially involves large numbers of computers carrying out complex mathematical calculations (hashing algorithms) to confirm digital transactions, which are then recorded on the public blockchain-based ledger. The computers are rewarded in small amounts of crypto-currency for carrying out these computations. Therefore, the more hashing power you have, the more transactions you can confirm and the more digital currency you receive.
With the value of crypto-currencies soaring in recent months, it's not hard to see why cyber-criminals have jumped on the bandwagon. By hijacking PCs, servers, mobile devices, IoT endpoints and more — a process known as crypto-jacking — they can create botnets of crypto-currency miners, all without the knowledge of the users or IT administrators. In many ways it's the perfect crime: unlike ransomware it requires zero interaction with the victim, and if the malware is discovered, the hacker need only go out and infect a few more endpoints to maintain their botnet at the same level of performance.
Some researchers have spotted botnets comprised of millions of infected machines. If one assumes each generates around $0.25 per day, these networks of compromised computers could earn their herders over $100m annually. Using our insight into around 40% of global internet traffic, NTT Security has been following this trend closely. We recently collected 12,000 Monero mining malware samples dating back to March 2015, and discovered the vast majority (66%) were submitted from November and December 2017 — highlighting the uptick in recent activity.
Is my business at risk?
Although consumer devices and machines are certainly being targeted, this trend is particularly bad news for enterprises. One vendor estimated that related malware affected over two-fifths (42%) of global organizations in February 2018. Another claimed that crypto-jacking attacks on organisations had increased six-fold in 2017, with manufacturing (29%), financial services (29%) and arts & entertainment (21%) firms hit hardest.
Organizations are increasingly being targeted, as their servers can provide more compute power for digital mining malware, meaning fewer need to be compromised versus home PCs to generate the same ROI for the hackers. The drain on resources can result in higher electricity bills and poor performance — which could impact productivity and even lead in time to worn-out equipment. Perhaps more importantly, there could be a link to more damaging cyber-attacks on your systems. One security vendor claimed that it detected nearly 4,000 Bitcoin miners in the first half of 2017, 20% of which triggered web and network-based attacks including cross-site scripting, SQL injection, ransomware and brute-force password attacks.
Hitting back at the jackers
Our intelligence revealed that malicious email campaigns are the primary means to gain a foothold on targeted systems. But it is by no means the only way for attackers to hijack your resources. Like ransomware, there are multiple threat vectors that organisations need to guard against.
Legitimate coin-mining services like Coinhive have been abused and injected into mobile games and even websites. Because such software is not technically malware, it can sometimes be missed by traditional security filters. The threat has even been flagged by the National Cyber Security Centre in its latest report, which warns that it could dominate in 2018-19. One security researcher spotted Coinhive running on 4,000 websites, including those of the Information Commissioner's Office, United States Courts, the General Medical Council, the UK's Student Loans Company, NHS Inform and many others. The black hats did this in a classic supply chain attack in which an upstream assistive technology provider was first hacked.
Another potentially growing part of the attack surface lies with mobile endpoints like BYOD devices. One vendor claimed to have seen a 4,000% increase in Android crypto-miner detections from Q4 2017 to the first three months of this year. Poorly secured IoT devices also represent a large and lucrative source of computing power for digital cash-hungry criminals. Many are protected only by factory default passwords, and are left without firmware updates, leaving them hopelessly exposed.
So what can organisations do to mitigate the growing threat posed by crypto-jacking? As with most cybersecurity threats there is no silver bullet solution. The answer lies in combining tried-and-tested best practice techniques, layering up regular risk assessments and system updates with intrusion prevention and detection, app whitelisting and continuous network monitoring. It's crucially important to include any mobile devices and IoT endpoints in this: hackers will always look for the lowest-hanging fruit, so a security strategy that ignores the most vulnerable devices is doomed from day one.
Combine these tech-centric approaches with a renewed focus on people and process, including educating employees in how to spot phishing attacks, and IT administrators in how to spot the warning signs of crypto-jacked systems. Crypto-jacking is here to stay, as long as it remains financially lucrative for the hackers. In fact, we could even see attacks grow more advanced over time to incorporate multiple payloads including banking Trojans and ransomware.
So, act now to incorporate this latest threat into your security strategy. Remember: you've got more to lose than a few extra pounds spent on energy bills.
Terrance DeJesus, Threat Research Analyst at NTT Security