What is Cryptojacking and How to Prevent This Cyberattack

Tesla is the latest company to join the growing list of organizations hit by cryptojacking – a form of cyberattack in which a hacker uses the computing power of a target to mine cryptocurrency.

According to RedLock, the company that revealed the Tesla hack, the attacker was able to access Tesla’s cloud account and used it to mine Monero, a cryptocurrency similar to Bitcoin. Both Monero and Bitcoin need to be mined.

Cryptocurrency mining is a process by which transactions are verified. It’s also a process by which a new crypto coin is released. Miners, those who allow their computers to be used for cryptocurrency mining, are compensated for the computer and electricity usage.

A spokesperson of Tesla said that the company addressed the security flaw “within hours” and added that no customer data had been stolen.

“Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way,” a Tesla spokesperson said.

In September 2017, RedLock discovered that the cloud account of Aviva, a British multinational insurance company, was similarly hacked to mine cryptocurrency. While Tesla’s cloud account was hacked to mine Monero, Aviva’s cloud account was hacked to mine Bitcoin.

Cryptojacking Methods

Here are some of the methods used by attackers to steal the computing resources of organizations for cryptocurrency mining:

1. Absence of Password Protection

RedLock reported that both Tesla and Aviva were hacked because they were both using Kubernetes administration consoles that were accessible over the internet without any password protection. Kubernetes is an open-source tool used to control the computing resources needed to run the apps of an organization.

RedLock said that Aviva and Tesla’s Kubernetes administration consoles were leaking critical infrastructure passwords such as Amazon Web Services (AWS) account access keys.

RedLock observed that the CPU usage in the Tesla hack wasn’t very high compared to the CPU usage in the Aviva hack. RedLock reasoned that the attackers “had most likely configured the mining software to keep the usage low to evade detection” in the Tesla hack. Another reason for the low CPU usage is that mining Monero uses less CPU power compared to mining Bitcoin.

In the early days of Bitcoin, it was possible to mine it using an ordinary PC. Today, mining Bitcoin requires dedicated, high-performance machines. Monero mining, meanwhile, can be done on ordinary computers, including smartphones.

2. EternalBlue Exploit

The EternalBlue exploit shook the world in May 2017 as it was the cause of the spread of the WannaCry ransomware attack – a cyberattack that affected hundreds of thousands of computers worldwide. It is less widely known, however, that EternalBlue is also the hacking tool used by attackers to spread the cryptocurrency mining malware called “Adylkuzz”.

EternalBlue is one of the hacking tools leaked on April 14, 2017 by the hacking group known as “Shadow Brokers”. EternalBlue is believed to be one of the hacking tools used by the U.S. National Security Agency (NSA). Microsoft, for its part, released a patch or security update that fixes the vulnerability exploited by EternalBlue one month before Shadow Brokers released the hacking tools to the public.

EternalBlue exploits a vulnerability in unpatched and unsupported Windows operating systems, allowing attackers to execute code remotely and, for instance, install malicious software (malware) of their choice. By exploiting EternalBlue, therefore, attackers can deploy WannaCry, Adylkuzz or some other type of malware.

According to Proofpoint, Adylkuzz predates WannaCry by days, appearing as early as April 24, 2017. While WannaCry was used as ransomware, Adylkuzz was used to mine Monero.

“This attack [Adylkuzz] is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive,” Proofpoint said.

Symptoms of Adylkuzz cyberattack include loss of access to shared Windows resources and degradation of server and PC performance.

3. Browser-Based Cryptojacking

In browser-based cryptojacking, a cryptocurrency mining code is embedded into a website and site visitors run the mining code via their browser.

Browser-based cryptojacking has been around since 2011. It started with BitcoinPlus.com – not to be confused with another cryptocurrency, Bitcoin Plus. BitcoinPlus.com then offered a service in which website owners could sign up and embed the mining code into their websites so that site visitors would mine for them.

This service didn’t take off as Bitcoin mining wasn’t lucrative at the time. By mid-2011, the price of Bitcoin peaked at nearly $30 and fell to $2 by the end of 2011. As of February 22, 2018, the value of one Bitcoin was worth $10,900, while one Monero was worth $316.

Browser-based cryptojacking made a comeback in September 2017 with the launch of CoinHive, a service similar to BitcoinPlus.com. The difference between the two is that CoinHive mines Monero, while BitcoinPlus mined Bitcoin.

Today, it’s not possible to mine Bitcoin using the browser-based cryptojacking method as Bitcoin mining nowadays requires high-powered computers – those computers typically used by companies.

CoinHive is promoted as an alternative to browser ad revenue. Hackers, however, embed CoinHive’s mining code on websites that they don’t own and without the knowledge and consent of site owners.

Slow computer performance and general unresponsiveness when browsing the web are signs that your organization’s computers are silently mining Monero and enriching the hackers.
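Site owners are the ones who can catch the third-party mining code described above in their own pages. The script below is an added example, not code from the original article, from CoinHive or from GenX: it parses a page's HTML with the standard library, collects external and inline scripts, and flags any script whose host is not on an allowlist or whose URL or body contains a known mining-library marker. The sample page, the allowed hosts and the marker strings are constructed for the example; the CoinHive embed shown in the sample is there only as the thing to be detected.

```python
"""Audit a site's own HTML for injected browser-mining scripts.

Added example, not the article's or CoinHive's code. The sample page, the
allowlist of script hosts and the marker strings below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts the site legitimately loads (constructed; replace with your own).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com", "www.example.com"}

# Substrings seen in known browser-mining loaders (constructed starting set;
# extend from your own threat intelligence).
MINER_MARKERS = ("coinhive", "CoinHive.Anonymous", "cryptonight")

# Constructed sample page with one legitimate script, one injected external
# miner loader, one inline miner start-up snippet and one same-origin script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});
  miner.start();
</script>
<script src="/js/local.js"></script>
</head><body>hello</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of external scripts
        self.inline = []        # text of inline script blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so buffer them here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _has_marker(text):
    lowered = text.lower()
    return any(marker.lower() in lowered for marker in MINER_MARKERS)


def audit_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, location, reason) findings for the given HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname    # None for same-origin paths like /js/x.js
        if _has_marker(src):
            findings.append(("external", src, "known miner marker in script URL"))
        elif host and host not in allowed_hosts:
            findings.append(("external", src, "script from non-allowlisted host"))
    for index, code in enumerate(parser.inline):
        if _has_marker(code):
            findings.append(("inline", f"inline script #{index}",
                             "known miner marker in inline script"))
    return findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(*finding, sep=" | ")
```

Run this against a crawl of your own pages rather than a single file; an allowlist miss on a new CDN is a false positive you can fix in one line, while a script load from a host you never approved is exactly the injection the article describes.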

Prevention

Here are some of the ways to prevent cryptojacking:

Monitor Network Traffic

To protect your cloud account from cryptojacking, monitor the network traffic. “By monitoring network traffic and correlating it with configuration data, Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod,” RedLock said.
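The correlation RedLock describes, flows checked against what each workload is configured to talk to, can be prototyped in a few dozen lines. The block below is an added example, not RedLock's or the article's code: it reads a simplified, constructed flow-log format, flags any connection from a pod to a destination outside that pod's expected set (with a stronger finding when the port is one commonly used by Stratum mining pools), and separately checks a captured TCP payload for the JSON-RPC login handshake that pool-mining software sends. The flow-log layout, the pod-to-destination allowlist, the port list and the sample payloads are all assumptions for the example.

```python
"""Flag mining-pool-style traffic in flow logs and captured payloads.

Added example, not the article's or RedLock's code. The flow-log format, the
allowlist, the port set and the sample payloads are constructed assumptions.
"""
import json
from dataclasses import dataclass

# Ports commonly used by Stratum mining pools (assumption; tune per environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# JSON-RPC methods used in Stratum / pool-miner handshakes.
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "submit"}

# Constructed sample flow log: "src dst dst_port proto bytes" per line.
SAMPLE_FLOWS = """\
10.0.1.15 10.0.1.2 443 tcp 5120
10.0.1.15 52.0.0.10 443 tcp 20480
10.0.1.23 198.51.100.7 3333 tcp 31000
10.0.1.23 198.51.100.7 3333 tcp 29000
10.0.1.15 10.0.1.3 53 udp 512
"""

# Constructed configuration data: pod address -> destinations it should reach.
EXPECTED_DESTINATIONS = {
    "10.0.1.15": {"10.0.1.2", "10.0.1.3", "52.0.0.10"},
    "10.0.1.23": {"10.0.1.2", "10.0.1.3"},
}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_flows(text):
    """Parse the simplified flow-log format into (src, dst, port, proto, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, nbytes = line.split()
        flows.append((src, dst, int(port), proto, int(nbytes)))
    return flows


def flag_flows(flows, expected):
    """Correlate flows with configuration: report unexpected destinations,
    noting when the destination port matches a common mining-pool port."""
    findings = set()                      # set: repeated flows give one finding
    for src, dst, port, proto, nbytes in flows:
        if dst in expected.get(src, set()):
            continue
        if port in STRATUM_PORTS:
            findings.add(Finding(src, dst, port, "unexpected destination on stratum port"))
        else:
            findings.add(Finding(src, dst, port, "unexpected destination"))
    return sorted(findings, key=lambda f: (f.src, f.dst, f.port))


def looks_like_stratum(payload: bytes) -> bool:
    """True if a captured TCP payload is a Stratum-style JSON-RPC request.

    Pool logins carry the wallet address in a "login" field and usually a
    miner "agent" string; the mining.* methods identify the classic protocol.
    """
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return False
    params = msg.get("params", {})
    if isinstance(params, dict) and ("login" in params or "agent" in params):
        return True
    return msg["method"] in {"mining.subscribe", "mining.authorize"}


if __name__ == "__main__":
    for f in flag_flows(parse_flows(SAMPLE_FLOWS), EXPECTED_DESTINATIONS):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
    # Constructed sample payload shaped like a pool login (placeholder wallet).
    sample = b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/1.0"}}'
    print("stratum login detected:", looks_like_stratum(sample))
```

The port list alone is a weak signal, since miners can be pointed at any port and the article notes that attackers keep CPU usage low to avoid notice; the destination allowlist derived from configuration is what turns a noisy port match into an alert worth paging on, and the payload check confirms it when packet capture is available.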

Keep Your Organization’s Server Operating System (OS) Up-to-Date

Installing Microsoft’s March 14, 2017 security update, also known as the MS17-010 update, is an effective means to block the Adylkuzz cryptocurrency mining malware from infecting your organization’s physical servers. The MS17-010 update fixes the security vulnerability that EternalBlue exploits and that Adylkuzz relies on to spread.

Get a Quality Cryptocurrency Mining Security Solution

To prevent cryptojacking, get a quality cryptocurrency mining security solution. This security solution should be able to detect and block all types of cryptocurrency mining activities, whether they are browser-based or file-based.

At GenX, we offer cybersecurity services that’ll protect your organization’s cloud account and physical servers from cryptojacking.
