Security Pros Fear Data Compromise, Financial Loss, and More from Cryptomining. But Are Risks Founded?

For over a year now Lastline has witnessed a tremendous increase in malware designed for criminal cryptocurrency mining, or “cryptomining.” Of course, we all know that Bitcoin has been the go-to cryptocurrency for criminal payments in ransomware, but now, on the back of Bitcoin’s successful use in cybercrime, we are seeing other criminal groups adopt other currencies in their money-making activities. According to coinmarketcap.com, there are now over 2,000 cryptocurrencies, up from 1,300 at the beginning of the year, with new initial coin offerings (ICOs) taking place all the time.

The Rise of Cryptocurrencies Has Led to a Rise in Criminal Cryptomining

With the rapid expansion of the number of cryptocurrencies, it’s a surprise to no one that criminals are developing malware that acts as coin miners. Generally speaking, there are two types of attacks. The first, criminal cryptomining, is when malware is downloaded onto a machine for the purpose of mining a particular cryptocurrency, which it continues to do until the malware is removed. The second type of attack happens when an unsuspecting victim visits a compromised website, at which point malicious JavaScript starts the mining process, and it continues to run on that person’s computer for as long as the victim has the infected website open. This activity has been named cryptojacking. Both types hijack the victim’s CPU cycles to mine cryptocurrency on the criminal’s behalf.

So, what happens when an employee’s system is infected with cryptomining or cryptojacking malware? The first reaction is that all malware carries high risk, which is not a bad starting point. Indeed, a recent survey that Lastline conducted at the 2018 RSA Conference found that 65 percent of security professionals are concerned about cryptomining, either as a possible threat or a clear and present danger.

Survey Results Highlight Security Concerns Related to Cryptomining

In a follow-up survey at Black Hat 2018, Lastline surveyed 235 security professionals with the following results:

  • 56% believe that cryptomining will still be the biggest threat in 2019, while 16.7% were unsure, and only 2% think ransomware will regain the distinction as the most popular type of attack.
  • The biggest risks that these professionals believe will result from a criminal cryptomining attack are:
    • Data compromise: 34.9%
    • Financial loss: 28.0%
    • Slower system performance: 18.1%
    • “Land and expand” (see below) by the attackers: 16.8%

But the reality is that cryptomining is an attack with a low risk of serious harm. While security professionals are worried about data compromise and financial loss, all the criminals want are your CPU cycles. This may slow performance, but it doesn’t put IP, financial data, or PII at risk.

What Is the Real, and Potential, Impact of Criminal Cryptomining?

There certainly are potential risks of having one’s network compromised by cryptomining malware. Criminals could – to borrow a phrase from enterprise sales jargon – land and expand, which means to get an initial set of malware installed and the C&C channel operational, and then subsequently download more aggressive malware. Or they could sell their compromised systems to other criminals with other intents. These scenarios are not purely hypothetical – we know Smoke Loader and other loaders install multiple payloads. However, the criminals’ objective is to mine cryptocurrency and have the victim’s computer do that on their behalf for as long as possible. So, why would they risk discovery by changing their game?

There also are regulatory risks to consider. Should an infected system be found to also have access to confidential, private, or proprietary data, then even if the criminal is not actually after the data, that data has been exposed, and so the company could be subject to regulatory and public relations ramifications. We have seen organizations issue notifications of possible breaches out of an abundance of caution before actual proof of malicious activity has been established. Certainly, a burden of proof exists to show that cryptomining malware presents more of a regulatory risk than other malware infections that may have more nefarious intent.

Perhaps the biggest driver behind the perceived risk of cryptomining malware is security efficacy. It’s understandable that no self-respecting security analyst wants to admit that there’s a hole in company defenses that allows malware of any kind to operate on his or her network. This introduces an intriguing tradeoff – time spent detecting or remediating cryptomining comes at the cost of possibly missing another, higher-risk attack. Every company we talk to is short-handed in their Cyber Defense Initiatives or SOC, so it’s a constant exercise of prioritizing where to spend the limited time. You have to ask yourself: What’s worse, malware that slows down a CPU or malware that’s actively looking to exfiltrate personal and financial data?

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.