Attack Technique
Cryptomining attacks
Cryptomining attackers use corporate infrastructure to mine cryptocurrency. They drain resources and increase operational costs, and are a sign of dangerous security gaps. Here’s what defenders need to know.
Definition
What is a cryptomining attack?
A cryptomining attack, often referred to as cryptojacking, refers to the unauthorized use of computing resources to mine cryptocurrency. Unlike traditional cyberattacks that seek to steal sensitive data or launch ransomware, the primary goal of a cryptomining attack is to generate cryptocurrency profits for the attacker.
How it works
How do cryptomining attacks work?
A cryptomining attack occurs when an attacker installs malware — also known as a cryptojacking script — on a victim's machine, which then harnesses the CPU, GPU, or other computational resources to mine cryptocurrencies like Bitcoin, Monero, or Ethereum. This allows the attacker to conduct seemingly legitimate cryptomining activities: Cryptocurrencies leverage databases called blockchains consisting of "blocks" of recent transactions that are frequently updated using a complex mathematical process. Producing new blocks requires computing power, which individual “minors” exchange for small amounts of currency. Cryptojacking allows attackers to do this at scale.
Attackers sometimes use phishing emails or compromised software updates to install cryptomining malware on laptops or even mobile devices — though phones have less processing power, infecting a lot of them at once makes it worthwhile.
In many instances, cryptojacking scripts are deployed through web browsers or online ads. Attackers also use browser-based cryptojacking to inject malicious JavaScript code into websites. When someone visits an infected site, the script begins mining cryptocurrency using the visitors' devices without their consent. This type of cryptojacking doesn't require malware installation and stops once the user leaves the site.
Why attackers use it
Why do attackers use cryptomining attacks?
Attackers use cryptomining—specifically illicit cryptomining or "cryptojacking"—to generate financial gain by harnessing the processing power of compromised systems without the owners' consent. By infecting computers, servers, or even Internet of Things (IoT) devices with cryptomining malware, attackers can mine cryptocurrencies like Bitcoin or Monero, profiting from the victims' resources. Here are the primary reasons why attackers engage in cryptomining:
Financial gain
- Direct profit: Mining cryptocurrencies can be lucrative, especially when attackers leverage numerous compromised devices to mine collectively.
- Cost avoidance: Attackers circumvent the substantial costs associated with purchasing mining hardware and electricity, maximizing their profits.
Anonymity and ease of monetization
- Difficult to trace: Cryptocurrencies offer a degree of anonymity, making it challenging for authorities to trace transactions back to the attackers.
- Global accessibility: Attackers can operate internationally without the need for traditional banking systems, reducing the risk of financial detection.
Low risk compared to other cybercrimes
- Less detection: Cryptomining malware often runs silently in the background, making it less likely for victims to notice immediate impacts compared to ransomware or data theft.
- Legal ambiguity: Since cryptomining doesn't always involve data destruction or theft, it sometimes receives less attention from law enforcement.
Scalability
- Wide target range: Attackers can infect a vast number of devices, including personal computers, enterprise servers, and IoT devices, increasing mining output.
- Cloud exploitation: Compromising cloud infrastructures allows attackers to utilize significant computational resources, amplifying their mining capabilities.
Resource exploitation
- Utilization of idle resources: Many systems have unused processing power that attackers can exploit without significantly impacting performance, delaying detection.
- Bypassing energy costs: Victims bear the increased electricity costs, allowing attackers to profit without overhead expenses.
Ease of deployment and automation
- Automated tools: Attackers use sophisticated malware and botnets to distribute cryptominers efficiently across numerous systems.
- Exploiting vulnerabilities: They capitalize on unpatched software, weak security configurations, and social engineering tactics to infect devices.
Complementary to other attacks
- Dual-purpose malware: Cryptomining malware can be combined with other malicious activities like data theft or ransomware, maximizing the attacker's return on investment.
- Persistent presence: Establishing a foothold in a system allows attackers to perform ongoing malicious activities beyond cryptomining.
Platform Detections
How to detect cryptomining attacks
Cryptomining attacks can be difficult to detect since they’re designed to stay hidden. But there are ways to watch for it, such as paying attention to device lags and increases in CPU usage. However, this observational approach requires reliance on employees to report performance issues — if they even notice them in the first place. A more reliable method is to use AI and machine learning.
Vectra AI has built AI-driven detections designed to find attacks based on their behaviors. This includes a cryptocurrency mining detection focused on identifying unauthorized use of an organization's computing resources to mine cryptocurrencies.
