Late in 2017, we witnessed a frenzy in the cryptocurrency markets as the price of Bitcoin climbed past $18,000 USD. This led to a gold rush mentality as everyone looked to cash in on this new commodity. Unfortunately, it also fuelled the rise of a new type of malware: cryptojacking.
Cryptojacking is a combination of the words "cryptocurrency" and "hijacking". Put simply, your PC, laptop, mobile device, or server is used to mine cryptocurrency for someone else. Unlike ransomware, this type of malware does not hold your data hostage; it steals your computational (CPU) resources. Proof-of-work mining is a brute-force search: the miner hashes candidate blocks over and over until it finds one whose hash falls below the network's difficulty target, and that endless hashing is what consumes the processor.
Legitimate cryptocurrency mining is a balancing act between profitability and costs, chiefly hardware and electricity. When a cybercriminal uses cryptojacking malware, the entire cost burden is shifted to the victim's device. The CPU time, the electricity, and the wear on the hardware are paid for by the user, who in many cases is unaware such illicit activity is taking place.
Cryptojacking malware can affect any device capable of computing the hashes that mining requires. While a single device may not mine large sums of cryptocurrency, cybercriminals look to enslave as many devices as possible to maximize their profits.
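To make the cost concrete, here is a small proof-of-work miner. It is an added example written for this page, not code from the original post or from any real miner: it uses Bitcoin-style double SHA-256 over a constructed stand-in for a block header, and the difficulty is deliberately tiny so it finishes in well under a second. The point is that every attempt is a fresh hash that cannot be reused, so the search keeps the CPU busy for as long as it runs.

```python
import hashlib
import time


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256 (other coins use other hash functions)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest 'wins' when, read as a big-endian integer, it is below the
    target, i.e. it starts with at least `difficulty_bits` zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force a 32-bit little-endian nonce appended to `header` until the
    double hash meets the target. Returns (nonce, digest, attempts), or None
    if the nonce space is exhausted. Each attempt is one sha256d and nothing
    from earlier attempts helps, which is why mining burns CPU continuously."""
    for nonce in range(max_nonce):
        digest = sha256d(header + nonce.to_bytes(4, "little"))
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def hashrate(header: bytes, seconds: float = 0.5) -> float:
    """Rough single-core hashes per second, i.e. what one hijacked core adds."""
    count, deadline = 0, time.monotonic() + seconds
    while time.monotonic() < deadline:
        sha256d(header + count.to_bytes(4, "little"))
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Constructed stand-in for a block header. A real Bitcoin header is 76
    # bytes (version, previous hash, merkle root, timestamp, bits) plus the
    # 4-byte nonce; the content does not matter for the demonstration.
    header = b"constructed block header, not a real block"
    nonce, digest, attempts = mine(header, difficulty_bits=16)
    print(f"nonce={nonce} attempts={attempts} hash={digest.hex()}")
    print(f"~{hashrate(header):,.0f} sha256d/s on one core in pure Python")
```

Raising `difficulty_bits` by one doubles the expected number of attempts; real networks sit at difficulties where a single CPU has no realistic chance, which is exactly why attackers want thousands of them.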
This is why you need operational awareness of how your resources are being consumed.
Recently, I worked with Paessler to document a use case of PRTG to monitor well-known websites infected with cryptojacking malware. PRTG allowed me to continuously monitor the affected websites and notify me once the malware was removed. This same principle applies to your infrastructure, whether it be a bare-metal server on premises, or a virtual machine in the cloud. PRTG provides valuable monitoring data that can alert you before you’re stuck with higher energy bills or cloud resource overages.
Resource monitoring is easy to set up in PRTG, which offers a full suite of CPU sensors for many major vendors and applications. For Windows users, I recommend using WMI sensors to monitor CPU usage. For Linux users, PRTG offers two sensor types to monitor CPU usage: SNMP and SSH. Many devices support these common protocols and setup is a breeze. Cloud providers are also supported by PRTG. The Amazon CloudWatch sensor provides a wealth of information to monitor CPU usage and your EC2 CPU credits; a burstable instance whose credit balance keeps draining is a telltale sign that something is pegging the CPU.
Each sensor type can be customized to the configuration that fits your operational requirements. For example, if you know your server typically runs at 60% CPU usage, set the threshold above that baseline so you are only alerted on genuinely abnormal load. In the case of cryptojacking malware, it's important to monitor for sustained CPU usage and not occasional spikes. PRTG's threshold triggers let you require that a channel stay above its limit for a set duration (several polling cycles) before a notification fires, so a short burst from a scheduled job does not page you but a miner pinning the CPU for minutes does.
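The sustained-versus-spike logic above is simple enough to show in code. The following is an added example, not part of the original post and not PRTG's own implementation: it takes a series of constructed CPU readings at a 60 s poll interval, picks a threshold from a known-good history, and only reports runs that stay over the limit for at least a required duration. Everything in it (the `Sample` type, the sample values, the function names) is assumed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Sample:
    ts: int         # Unix time of the poll, in seconds
    cpu_pct: float  # CPU utilisation reported by the sensor at that poll


def find_sustained(samples: List[Sample], threshold_pct: float,
                   min_duration_s: int) -> List[Tuple[int, int, float]]:
    """Return (start_ts, end_ts, peak_pct) for every run of consecutive polls
    at or above threshold_pct whose span (first to last breached poll) is at
    least min_duration_s. Shorter runs are treated as harmless spikes. A run
    still open at the end of the series is evaluated too, because an active
    miner is exactly the run that has not finished yet."""
    runs: List[Tuple[int, int]] = []   # (start_idx, end_idx) of breached polls
    start: Optional[int] = None
    for i, s in enumerate(samples):
        breached = s.cpu_pct >= threshold_pct
        if breached and start is None:
            start = i
        elif not breached and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, len(samples) - 1))

    hits = []
    for a, b in runs:
        if samples[b].ts - samples[a].ts >= min_duration_s:
            peak = max(x.cpu_pct for x in samples[a:b + 1])
            hits.append((samples[a].ts, samples[b].ts, peak))
    return hits


def suggest_threshold(history_pct: List[float], headroom_pct: float = 15.0) -> float:
    """Pick an alert limit from a known-good history: the 95th percentile of
    normal load plus some headroom, capped at 100. Alerting at the typical
    average (say 60%) would fire on every ordinary busy hour."""
    ordered = sorted(history_pct)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return min(100.0, p95 + headroom_pct)


BASE_TS = 1_700_000_000
POLL_S = 60
# Constructed sensor readings at a 60 s interval: a two-poll spike from a
# scheduled job at polls 2-3, then a miner pinning the CPU from poll 7 onward.
CONSTRUCTED = [Sample(BASE_TS + POLL_S * i, pct) for i, pct in enumerate(
    [12, 15, 95, 97, 14, 11, 13, 92, 94, 91, 96, 93, 95, 90, 92])]

if __name__ == "__main__":
    # Constructed "quiet week" history used to derive the limit.
    limit = suggest_threshold([10, 12, 15, 55, 60, 58, 14, 11, 62, 13])
    for start, end, peak in find_sustained(CONSTRUCTED, limit, min_duration_s=300):
        print(f"ALERT: CPU >= {limit:.0f}% from {start} to {end} (peak {peak}%)")
```

With a 300 s requirement only the run from poll 7 onward is reported; drop the requirement to 60 s and the scheduled-job spike is reported as well, which is the noise the duration setting exists to suppress.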
In addition to monitoring your infrastructure with PRTG, I recommend stopping cryptojacking at the network level by blocking known domains and IP addresses tied to illicit cryptomining. A frequently updated list of these domains is available via the open-source CoinBlockerLists. Keep in mind that any blocklist is reactive: miners move to new domains and can be proxied through hosts that are not yet listed, so blocking complements CPU monitoring rather than replacing it. Endpoint protection is also critical to prevent cryptojacking from happening via a web browser. While most enterprise AV products now block most forms of cryptojacking malware, I recommend using the browser extension minerBlock to ensure maximum protection.
Cryptojacking is a trend in the malware industry that isn't going away anytime soon. With the proper protection and monitoring, you can keep your exposure to this threat to a minimum.
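Here is what consuming such a blocklist looks like in practice. This is an added example, not code from the original post or from the CoinBlockerLists project: it parses a constructed list in the two layouts these lists are commonly distributed in (one domain per line, and hosts-file lines that sink the name to 0.0.0.0), matches a queried name against the list including parent domains, and runs that check over a few constructed resolver log lines. All domain names, IPs and the log format are placeholders assumed for illustration.

```python
from typing import List, Optional, Set, Tuple

# Constructed sample in both common layouts. None of these names are real.
SAMPLE_BLOCKLIST = """\
# constructed sample, not the real CoinBlockerLists content
miner.test
stats.cryptopool.example
0.0.0.0 ws.jsminer.test   # hosts-file style entry
127.0.0.1 localhost
"""

# Constructed resolver log in an assumed "<time> <client> <qtype> <name>" format.
SAMPLE_DNS_LOG = """\
2018-03-01T10:00:01Z 10.0.0.5 A pool.miner.test
2018-03-01T10:00:02Z 10.0.0.6 A www.example.test
2018-03-01T10:00:03Z 10.0.0.5 AAAA ws.jsminer.test
2018-03-01T10:00:04Z 10.0.0.7 A stats.cryptopool.example.cdn.test
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
HOSTS_FILE_NOISE = {"localhost", "localhost.localdomain", "broadcasthost",
                    "ip6-localhost", "ip6-loopback"}


def parse_blocklist(text: str) -> Set[str]:
    """Accept plain 'domain' lines and hosts-file 'sink-ip domain...' lines,
    ignoring comments, blanks and the loopback boilerplate hosts files carry."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        hosts = fields[1:] if fields[0] in SINK_ADDRESSES else fields[:1]
        for host in hosts:
            host = host.lower().rstrip(".")
            if host not in HOSTS_FILE_NOISE:
                domains.add(host)
    return domains


def is_blocked(hostname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering hostname, matching the name itself
    or any parent domain (an entry for miner.test also catches pool.miner.test).
    Bare TLDs are never tried, and a listed name does not match merely because
    it appears as a prefix of a longer, unrelated name."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(log_text: str, blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried_name, matched_entry) for every blocked lookup."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line, skip rather than crash the scan
        _ts, client, _qtype, name = fields
        entry = is_blocked(name, blocklist)
        if entry:
            hits.append((client, name, entry))
    return hits


if __name__ == "__main__":
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    for client, name, entry in scan_dns_log(SAMPLE_DNS_LOG, blocklist):
        print(f"{client} looked up {name} (blocked by entry {entry})")
```

The same `is_blocked` check is what a DNS sinkhole or proxy would apply inline; scanning historical resolver logs with it is a cheap way to find machines that were already talking to a mining pool before the block went in.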
I discuss all of this in a lot more detail in an episode of the Packet Pushers podcast. You can also keep yourself updated on Internet security topics on my Website, Bad Packets Report, and follow me on Twitter.