Resource hijacking will become more popular as the cryptocurrency mining industry is expected to double in value in the next 5 years. As reported in our Cybersecurity Insights Report for 2022, it is currently worth about $1.6 billion. This growing popularity of cryptocurrencies is seen by attackers as an opportunity, more so as cryptocurrency assets are not governed by governments as they exist in decentralized digital environments and provide an element of anonymity for threat actors. Of the massive rise of cyberattacks seen in the past year, the most preferred method for cybercriminals to extract ransom during a ransomware attack was cryptocurrency.  

Crypto

However, creating a cryptocurrency such as Bitcoin requires an enormous amount of energy – or electricity. Bitcoin uses around 160 terawatt-hours per year. Due to the increasing demand, and the limited amount of energy available, threat actors have turned to hijack resources of unsuspecting victims. Cryptojacking is a type of resource hijacking where the attacker uses someone’s device or resource to mine cryptocurrency without their knowledge. This attack can be executed in a number of ways, with phishing emails continuing to be the popular method of delivering the malicious crypto-mining code on the target device. These maliciously crafted phishing emails, typically attempt to coerce the user to click on a link which then downloads the crypto mining code and run it in the background. Attackers can also infect websites or online adverts with malicious code that can automatically execute once the victim opens the browser page. This has been dubbed as “browser-based cryptojacking”. The main aspect of cryptojacking is that the cybercriminals use stealthy techniques to execute their attack because they want to remain undetected for as long as possible while stealing the victim computer’s power to mine cryptocurrency. 

Resource Hijacking Threat Groups

As listed by MITRE, many threat actor groups seeking financial gain use this technique. For example, the Blue Mockingbird group has used the XMRIG tool as part of a resource hijacking attack. XMRIG is a popular and open-sourced payload used by various cyber criminals to mine Monero cryptocurrency. Unlike the typical phishing email, this group gained entry to the victim device by exploiting a common vulnerability of a public-facing application (CVE-2019-18935). This case highlights the importance of monitoring the National Vulnerability Database to ensure that mitigations are in place for known vulnerabilities. As explained by Red Canary, once the cybercriminal group entered the system, they were able to deploy the XMRIG malware. 

Trend Micro also notes how cybercriminals tend to bundle their malware with a “watchdog” component to make sure that the crypto mining continues to persist in the infected machine. The watchdog component runs in the background to monitor the cryptocurrency miner software performance and the mining process. 

There are various ways this attack can be mitigated. As part of a comprehensive cybersecurity strategy, it is important to consider all the aspects of people, processes and technology when implementing security controls in your environment. 

Early detection

Early detection is key to minimizing the impact of resource hijacking. Organisations should ensure that there is a process in place to monitor resource usage in order to identify a suspicious increase in the use of network resources associated with cryptocurrency mining malware (e.g., memory, or CPU). Network alerts can also be created to monitor for the common crypto mining software names such as XMRIG, which can act as an indicator of compromise. 

As phishing remains to be a popular method for attackers to deliver any malicious software, organisations should implement a cybersecurity awareness training programme. This programme should be carried out on a regular basis and should cover the topic of phishing and cryptojacking threats. Everyone within the organisation should have an awareness of how to spot phishing emails, and the process of reporting suspected successful phishing attempts. As a best practice, phishing simulations should also be conducted on a quarterly basis. These phishing tests ensure that the organisation maintains a good level of phishing awareness, and can identify any training needs. 

The following are common indicators of phishing emails: 

To note that Google Cloud recently launched a new security feature – an agentless cryptojacking malware scanner. This is in response to Google’s Threat Horizons report which highlighted that of the compromised Google cloud instances at least 86% were compromised for cryptocurrency mining. Nowadays, many organisations have been opting to migrate their environment to the cloud and use Virtual Machines operating on Google Cloud. This growth in demand has been spurred on by factors such as the need for remote working and the increasing adoption of hybrid work models. Unfortunately, this popularity is seen by cybercriminals as an opportunity and attract further attacks on cloud environments. 

Author: Mae Patlong,  Information Security Consultant, Smarttech247