The Rise of Illegal Crypto Mining Hijackers – And Big Tech’s Response

Big tech firms like Google and Amazon are on high alert about cryptojacking threats to their cloud servers. As this type of attack grows more prevalent, consumer awareness remains the key to cyber defense, experts say.

Cryptojacking is a type of cyber attack whereby hackers hijack a computer’s resources and use them to mine cryptocurrencies. The most popular coin mined this way is the privacy coin monero (XMR), which is widely used throughout the dark web.

This piece is part of CoinDesk’s Mining Week series.

The cloud-services providers are essentially renting out apartment buildings to their users, said Wei Xian Tee, Cybercrime Specialized Officer at Interpol. They have limited visibility into what users are doing, and if they peek inside those apartments, privacy issues arise. Hence, there isn’t much that cloud providers can do to prevent users from downloading cryptojacking malware that infects their computers. Instead, when it comes to cryptojacking, Interpol's top priority is to educate the public about the threats this kind of malware poses, so that users can alert authorities, he said.

Read more: What Is Cryptojacking?

Cloud services pool hardware resources, offering them as virtualized on-demand services to paying subscribers. Often taking up city blocks' worth of data center space, these powerful, globally distributed systems are a juicy target for cryptojackers. By hacking into one virtual machine, they can gain access to vastly larger hardware resource pools on these virtualized environments.

Most companies and individuals rely on cloud vendors, such as Google or Amazon, to store data and run applications. When they use these services, they create their own virtual machines on the vendor’s cloud, and share them with staff, who in turn connect them with different devices. This process opens up several attack vectors for the cryptojacker to gain access to a company’s virtual machines, and perhaps ultimately, the vast server resources of the cloud vendor, which can include GPU farms often used by enterprises to train artificial intelligence systems.

Cybersecurity firm SonicWall estimates that the amount of all cryptojacking attacks grew 19% year over year in 2021, with the bulk of the increase coming from Europe.

In its 2021 cybersecurity report, Google Cloud said that 86% of compromised cloud instances were used for crypto mining.

“As cryptocurrency grows in value, some attackers are turning to cryptojacking over ransomware,” Karthik Selvaraj, security research director at Microsoft, told CoinDesk. “Cryptocurrency is here to stay, which unfortunately means crypto thieves are too,” he said.

Cybersecurity firm Kaspersky’s general manager for Southeast Asia, Yeo Siang Tiong, pointed out that as bitcoin prices soared in September 2021, the number of users encountering crypto mining threats reached 150,000 – its highest monthly level. The Russian cybersecurity firm also noted data last year indicating that hackers have diverted resources away from traditional cyberattacks like distributed denial of service attacks (DDoS) to cryptojacking.

The switch to proof-of-stake mining could help curb the growth of cryptojacking, as it would render this type of attack less profitable, Microsoft’s Selvaraj said.

“Microsoft and Intel recently partnered to improve Microsoft Defender for Endpoint’s ability to detect cryptocurrency mining malware,” said Selvaraj. Microsoft uses behavioral and memory scanning technology to “detect both cryptojacking and Infostealers that target wallets,” the security director said.

Endpoint security protects a network, say a corporate cloud network, by securing the devices that connect to it from outside its firewall. These endpoint devices are those that humans, for example a firm’s employees, interface with, like laptops, tablets, etc.

Earlier in February, Google Cloud launched a new product, dubbed Virtual Machine Threat Detection (VMTD), aimed at protecting clients from cryptojacking threats. Google Cloud declined to comment on this story and pointed CoinDesk to the blog post announcing their VMTD.

Read More: Don’t Call It a Comeback: The Unlikely Rise of Home Bitcoin Mining

Unlike Microsoft, Google Cloud’s security solution aims to detect crypto mining malware running in virtual machines by looking at the hypervisor, the software that creates and runs the virtual machines. This method will soften the performance blow compared to traditional endpoint security, the firm said.

“Truthfully no single vendor approach will be sufficient," John Wethington, a cybersecurity expert and whitehat hacker, told CoinDesk. “While you can argue the merits or pros and cons of a specific vendor’s approach it's important to note that those decisions are often made in a vacuum of information by a handful of people, not a single individual,” he said.

Amazon Web Services (AWS), the online retailer’s cloud service provider, refused to comment on this story. A spokesperson said that it is a “credit card/identity fraud issue.” According to cybersecurity firm Cado, AWS was the victim of a crypto mining attack in August 2020. A group known as TeamTNT successfully stole AWS credentials and deployed XMRig, the most common cryptojacking malware, to servers, the firm said at the time.

Alibaba Cloud was also the target of a cryptojacking attack in November 2021, according to research from Trend Micro. A representative from Alibaba Cloud directed CoinDesk to a webpage about their anti-ransomware capabilities and said the firm would not comment at this time.

Unlike other attacks, crypto miners flourish by being stealthy over long periods of time, so that they can mine as much cryptocurrency as possible, Yeo said.

For this reason, “the Golden rule of thumb in this space is not to make a lot of noise,” according to Wethington.

Cryptojackers will “hijack enough devices so that their processing power can be pooled” to create a large cryptojacking network that is more effective in generating income, said Kaspersky’s Yeo. This leads to a “sudden slowing of devices or a rise in cross-company complaints about computer performance,” he said.

However, hackers will often opt for a quiet modus operandi: a distributed low impact botnet of XMRig miners, which are easy to deploy and, “unless something is horribly wrong with the configuration,” cloud customers won’t notice, Wethington said. These attacks are typically run by cryptojacking crews instead of being offered as a service, he said.

On top of the hackers’ cunning methods, users might just think that their computer is getting old and slow when, in fact, hackers are using their resources to mine cryptocurrencies, Interpol’s Tee explained.

Often the malware resides in compromised versions of legitimate software, such that “security scans are less likely to flag the downloaded application as a threat,” Yeo said.

More broadly, organizations are struggling with “multiple cloud providers, non-standard security controls, and a lack of visibility into what is occurring inside of their environment,” VMware’s principal cybersecurity strategist, Rick McElroy, told CoinDesk via email.

Many of the vulnerabilities exploited for cryptojacking are the same as those used in other types of cyber offensive operations, Tee pointed out.

In its cybersecurity report, Google Cloud said 58% of attacked cloud instances had the malware downloaded within 22 seconds of the initial compromise, indicating the hackers used automated tools.

McElroy pointed to an attack on a Kubernetes environment. Kubernetes is an open-source system for automating deployment, scaling and management of containerized applications that has been increasingly popular among tech firms like Spotify and Booking.com.

Read More: Why Some Bitcoin Devs Say Lasers Can Cut Mining’s Energy Costs

Kubernetes options are available on cloud services like AWS and Google, along with their own cloud management software, but the container system can also be configured and deployed independently of providers.

Graboid, a type of worm malware, specifically targeted so-called containers, akin to virtual machines but running on Kubernetes. This shows the innovation of cryptojacking cybercriminals, as well as their improved understanding of the lack of defensive tools protecting Kubernetes environments, said McElroy.

The complexity and sophistication of threats has grown in recent years, said Kaspersky’s Yeo. “The number of unique modifications have also increased by 47% in Q3 2021 in comparison to Q2 2021,” he said. Modifications are changes to the code of a crypto mining application to mine a new token or adapt to new systems.

Interpol’s Tee said cryptojacking attacks are still not as sophisticated as other types of cyberattacks. Crypto-mining scripts can be bought online for as little as $30, research from threat intelligence firm Digital Shadows showed in 2018.

The most popular method of attack is phishing, said McElroy. In 2021, SonicWall observed cryptojacking also spreading through pirated and cracked software.

“Systems that aren’t patched or have configuration issues that are public facing, such as websites or email servers, still remain at the top of the list as well,” he said. Hackers have been known to scan networks for unprotected endpoints; these can be anything from laptops, to virtual machines on cloud servers, to the Internet of Things (IoT) devices like your smart fridge.

In 2019, Interpol found more than 20,000 routers were affected by illegal crypto mining malware. Operation Goldfish, as it was called, took five months and involved law enforcement authorities from 10 Southeast Asian countries. Through these routers, the hackers were able to infect machines, and the mining software was actually running on the background of browsers, Tee said.

“We will start to see a number of edge computing devices used for this purpose," McElroy said, adding that he sees attackers going after soft targets, such as IoT devices. These generally lack “prevention, detection and response capabilities as organizations have prioritized driving up security and visibility inside of cloud environments,” he noted.

The more cryptojackers turn to the growing attack surface offered by IoT devices, the more consumers will have to be aware of the threat to protect themselves.

“To protect against cryptojacking attacks specifically, it’s also necessary to monitor processor usage across all endpoints, including those hosted in the cloud,” Kaspersky’s Yeo said.

Cities across the U.S. are grappling with what it means to have mining operations in their communities. Plattsburgh offers a case study.

Despite favorable business conditions, a country’s political environment can deter international capital. This piece is part of CoinDesk's Mining Week.

CoinDesk reporters traveled across Europe, Asia and North America to capture the diversity of cryptocurrency mining facilities. This piece is part of CoinDesk's Mining Week.

CORRECTION (March 24, 8:58 UTC): Corrects spelling of Interpol's Tee.