Nick Lowe from CrowdStrike explains why organisations need to be on guard against mounting threats in the crypto space.
Throughout 2021, the CrowdStrike Falcon OverWatch managed threat hunting service has seen cryptojacking intrusions more than quadruple compared to last year.
These intrusions have been observed across 14 distinct industry verticals, illustrating just how widespread and opportunistic this activity has become.
Cryptojacking describes the practice of deploying cryptocurrency coin mining software or leveraging malicious code embedded within web pages to hijack a victim’s computing resources for financial gain.
Cryptojacking tools can be easy to deploy – in many cases, the tools can be installed with just standard user-level accounts, meaning adversaries do not require administrative credentials to deploy their tooling. With hands-on cryptojacking on the rise, organisations need to recalibrate their understanding of the risks posed by financially motivated adversaries.
The potential impact of cryptojacking
Cryptojacking is yet another way criminal adversaries can monetise an intrusion. It is seen both as a standalone attack and in combination with ransom techniques such as data encryption or data extortion.
However, the risks and impacts associated with cryptojacking intrusions should not be underestimated.
Not only can cryptojacking tools significantly degrade system performance and consume excess energy, but crucially, the presence of these tools can highlight significant gaps or deficiencies with respect to the integrity of an organisation’s security posture.
What has changed in 2021?
Cryptocurrency prices have spiked to unprecedented heights in recent months. Criminal adversaries, looking to profit from these inflated prices, have responded en masse by incorporating cryptojacking into their toolset.
It is likely that cryptojacking is under-reported because of the less stringent reporting obligations where an intrusion does not involve a data breach.
In addition to an overall increase in cryptojacking activity in 2021, OverWatch threat hunters have observed adversaries going to greater lengths to employ stealthy techniques to avoid discovery by automated defences.
Hunting for a hidden threat
In cryptojacking intrusions, adversaries prioritise stealth as they aim to maintain their mining operations for as long as possible. In the hands-on cryptojacking activities that OverWatch has uncovered, adversaries routinely leverage compromised user accounts to access victim computers without raising an alarm.
After gaining access, adversaries make use of tools and software already present on a victim computer to avoid detection.
In one intrusion, in a Windows-based environment, the adversary used in-built scheduling functionality to ensure that their cryptojacking tool ran persistently in the victim environment, even after the computer was restarted.
Further, because high GPU usage can be a telltale sign of cryptojacking activity, the adversary made configuration changes to make their tool run “low and slow”.
This illustrates that they were prepared to compromise output in order to maintain stealth.
In another intrusion, against a Linux-based environment, the adversary used in-built functionality to make their tool run more efficiently. The likely goal was to avoid exhausting memory, which could crash the affected computer and alert defenders to the adversary’s presence.
Adversaries are going to great lengths to stay hidden on victim computers, which raises the question – how can organisations fight back?
What can my organisation do?
Basic security hygiene is crucial as adversaries will always exploit low-hanging fruit. Timely patching of systems following vendor updates is the best defence against the wave of opportunistic intrusions that routinely follow the announcement of a widespread vulnerability.
Establishing an unauthorised software policy can be helpful in preventing cryptojacking tools from being successfully installed on your computers in the event that an adversary does gain access to your network.
OverWatch specifically looks for interactive intrusions, whereby human adversaries actively work to circumvent technology-based controls. To identify and defend against these types of intrusions, it is important to know your environment and understand what normal operations look like.
This is invaluable in identifying activity that deviates from the norm. Further, the stealth demonstrated by modern adversaries is a reminder of the need for 24/7/365 vigilance.
A threat hunting team can continuously and proactively seek out the faintest traces of potentially malicious activity to allow for the detection and disruption of adversaries before they can do damage.
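The two intrusion patterns described above (a scheduler-persisted tool throttled to run “low and slow”) and the advice to hunt for deviation from a known baseline can be turned into a small hunting rule. The following is an added example, not CrowdStrike or OverWatch code: it runs over constructed process telemetry whose field names (host, ts, process, path, parent_kind, cpu) are an assumed export shape rather than any real EDR schema, and the CPU band and sample-count thresholds are assumptions to be tuned per environment. Rather than alerting on high CPU alone, which a throttled miner is designed to stay under, it flags processes that are absent from the baseline and hold a steady, moderate share of CPU across many samples, and annotates whether they were launched by the task scheduler or run from a user-writable path.

```python
from collections import defaultdict
from statistics import mean

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed "known-good" inventory: processes observed on ws01 during a
# period the team has already reviewed. Field names are an assumed schema.
BASELINE = [
    {"host": "ws01", "process": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "process": "chrome.exe", "path": CHROME},
    {"host": "ws01", "process": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
]


def _sample(ts, process, path, parent_kind, cpu, host="ws01"):
    """One record from a periodic process poll (constructed telemetry)."""
    return {"host": host, "ts": ts, "process": process, "path": path,
            "parent_kind": parent_kind, "cpu": cpu}


# Constructed hunt window: ten polling intervals on the same host.
HUNT = []
for t in range(10):
    HUNT.append(_sample(t, "explorer.exe", r"C:\Windows\explorer.exe", "logon", 2.0))
    # Legitimate browser: bursty (high on some samples, idle on others) and baselined.
    HUNT.append(_sample(t, "chrome.exe", CHROME, "interactive", 70.0 if t % 4 == 0 else 8.0))
    # Unbaselined binary in a user-writable path, started by the task scheduler,
    # holding a throttled but steady CPU share on every sample: the low-and-slow shape.
    HUNT.append(_sample(t, "wuaupdt.exe", r"C:\Users\alice\AppData\Roaming\wuaupdt.exe",
                        "scheduled_task", 28.0 + (t % 3)))
# A one-off installer: unknown and briefly hot, but seen only once, so it does
# not meet the sustained-presence threshold and should not be flagged here.
HUNT.append(_sample(3, "setup.exe", r"C:\Users\alice\Downloads\setup.exe", "interactive", 85.0))


def build_baseline(records):
    """Set of (host, process, path) triples seen during the known-good period."""
    return {(r["host"], r["process"], r["path"]) for r in records}


def _user_writable(path):
    # Assumed heuristic for paths an unprivileged account can write to.
    return "\\Users\\" in path or path.startswith(("/tmp", "/home", "/var/tmp"))


def hunt(records, baseline, min_samples=6, low_cpu=15.0, high_cpu=60.0, band_ratio=0.8):
    """Return findings for unbaselined processes that look like throttled miners.

    A process qualifies when it is not in the baseline, appears in at least
    min_samples polls, and spends at least band_ratio of those polls inside the
    moderate CPU band [low_cpu, high_cpu]. Bursty legitimate software spikes
    and idles; a throttled miner sits in the band continuously.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["host"], r["process"], r["path"])].append(r)

    findings = []
    for (host, process, path), samples in by_key.items():
        if (host, process, path) in baseline or len(samples) < min_samples:
            continue
        cpus = [s["cpu"] for s in samples]
        in_band = sum(low_cpu <= c <= high_cpu for c in cpus)
        if in_band / len(cpus) < band_ratio:
            continue
        reasons = ["not in baseline",
                   f"steady cpu ~{mean(cpus):.0f}% across {len(cpus)} samples"]
        if any(s["parent_kind"] == "scheduled_task" for s in samples):
            reasons.append("launched by task scheduler")
        if _user_writable(path):
            reasons.append("runs from user-writable path")
        findings.append({"host": host, "process": process, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(HUNT, build_baseline(BASELINE)):
        print(f"{f['host']} {f['process']} ({f['path']}): " + "; ".join(f["reasons"]))
```

On the constructed data only wuaupdt.exe is reported; chrome.exe is excluded by the baseline despite its 70% spikes, and setup.exe is excluded because one hot sample is not sustained presence. In practice the baseline would be rebuilt per host or per role from a reviewed inventory, and the thresholds chosen from the environment’s own CPU distribution rather than the values assumed here.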
The uncomfortable reality is that criminal groups are more capable and well-resourced than ever before.
Criminal groups have routinely demonstrated skill at following the money, and adaptability in changing their business practices to maximise profits.
The rise of cryptojacking is just the latest evolution in adversary tradecraft, and now more than ever, it is crucial that organisations do not underestimate the opponent.
Continuous threat hunting, powered by human ingenuity, works in tandem with technology-based defences to provide the most comprehensive security against today’s increasingly pernicious threats.
Nick Lowe is the director of Falcon OverWatch at CrowdStrike.