Investors, early adopters, and tech-savvy consumers aren’t the only ones interested in cryptocurrency these days. Cybercriminals now use ransomware-style delivery tactics and poisoned websites to compromise company employees’ computers and secretly use their processing power to mine cryptocurrency, an attack known as cryptojacking, or malicious crypto mining. The implications go beyond stolen processing power and lost employee productivity. Simply by getting mining software onto the target organization’s machines, the attackers have demonstrated a gap in its cyber defense capabilities.
Designed to escape detection over time, cryptojacking malware maintains a persistent presence in the company’s environment, posing an ongoing threat to its operations. Defense against it depends on many of the same tactics used against ransomware and other malware, in particular a Zero Trust security model. As with other types of threats, Zero Trust is only as effective as the organization’s ability to see malware that is hidden inside otherwise legitimate traffic before it enters the network. That visibility, in turn, hinges on SSL/TLS inspection, a process that can carry its own performance cost.
To leverage Zero Trust as part of a cyber security strategy against cryptojacking or any other type of malware, companies need to be able to decrypt, inspect, and re-encrypt network traffic at high speed and at enterprise scale, without incurring performance penalties or excessive complexity.
How cryptojacking works
While attacks such as ransomware are designed to announce their presence and force a response from the victim, cryptojacking scripts keep a lower profile to evade detection. They are typically throttled to consume only a fraction of the host’s CPU, so the symptoms (sluggish machines and reduced productivity) look like ordinary performance problems. Help desk staff may spend time troubleshooting and remediating those complaints without anyone recognizing them as signs of a cyber security breach.
Growing threat, greater vulnerability
While a ransomware or data exfiltration attack can have a more dramatic impact on an organization, cryptojacking can’t be taken lightly either. For one thing, a successful attack shows that the attackers have already penetrated the company’s cyber security defenses, which makes it equally vulnerable to other types of malware delivered the same way.
Designed for continuous resource theft over time, cryptojacking software also allows cyber criminals to maintain an ongoing presence in the victim’s network, possibly paving the way for more serious damage as cybercriminal tactics continue to evolve.
Meanwhile, cryptojacking continues to prove popular among criminal organizations. As companies become better able to detect and mitigate the impact of ransomware attacks, and less likely to pay a ransom, cryptojacking offers a surer return on effort for hackers—especially given the relatively low-level technical skills required. In some cases, hackers simply re-tool delivery methods previously used for ransomware or adware to deliver crypto mining software to the unsuspecting target.
In 2020, some 90 percent of all remote code execution attacks were reported to be linked to crypto mining, and one widely cited academic estimate attributes roughly 4.3 percent of all Monero in circulation to malware-driven mining.
According to the European Union Agency for Cybersecurity (ENISA), cryptojacking rose 30 percent between March 2019 and March 2020. Exposed Docker daemons, GitHub repositories and CI runners, and misconfigured Kubernetes clusters have all proven fertile ground for crypto mining malware.
Keeping cryptojacking malware out of the network—along with ransomware and every other type of threat—depends on a multi-layered cyber security strategy with Zero Trust at its core. As traditional concepts of secured zones, perimeters, and network segments disappear in the era of cloud computing, remote work, and the evolving enterprise architecture, organizations have to be able to protect against attacks from anyone, anywhere—even insiders with legitimate access.
With Zero Trust, organizations “trust nobody,” inside or outside the network, and use micro-segmentation and micro-perimeters, least-privilege user access, integration across security layers, and comprehensive visibility to prevent attacks and detect threats wherever they originate.
Network monitoring plays a central role in Zero Trust. Cryptojacking is relatively easy to detect in unencrypted network traffic: miners talk to their pools over the Stratum protocol, a plaintext, newline-delimited JSON-RPC exchange whose method names and miner agent strings are easy to match, and endpoint protection and antivirus vendors have added crypto mining detection to their products. However, the vast majority of internet traffic is now encrypted with SSL/TLS, including over 90 percent of the traffic passing through Google services, with similar levels reported by other vendors, and mining pools increasingly offer TLS endpoints as well. This makes SSL inspection a key element of cyber security against cryptojacking and other malware.
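The following is an added example (not A10 Networks code) of the kind of plaintext detection the paragraph above describes: a small Stratum detector run over a handful of constructed TCP payloads. The flows, hosts, and wallet placeholder are all made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the method names and agent strings are the real ones spoken by Bitcoin-style miners (mining.subscribe, mining.authorize) and Monero/XMRig-style miners (login, submit). The last sample is a TLS ClientHello to the same pool, which is what a sensor sees once the miner uses stratum+ssl; the detector deliberately returns nothing for it.

```python
"""Stratum-over-plaintext detector (added example, not A10 code).

SAMPLE_FLOWS is constructed: the addresses are documentation ranges and
the wallet string is a placeholder, not a real Monero address.
"""
import json
import re

# JSON-RPC method names used by the Stratum mining-pool protocol.
# mining.* comes from Bitcoin-style miners (cpuminer, cgminer);
# login/submit/job is the variant spoken by Monero miners such as XMRig.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "login", "submit", "job", "keepalived",
}

# Miner software advertises itself in the 'agent' field (XMRig) or in
# the subscribe params (cpuminer and friends).
MINER_AGENT_RE = re.compile(
    r"\b(xmrig|xmr-stak|cpuminer|cgminer|bfgminer|nicehash)\b", re.I)


def is_tls_record(payload: bytes) -> bool:
    """A TLS record starts with a content type (0x14-0x17) and version 0x03 0x0X.
    For such flows the JSON heuristics below have nothing to look at; this is
    exactly the visibility gap that SSL/TLS inspection is meant to close."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def inspect_payload(payload: bytes) -> list:
    """Return the reasons a payload looks like Stratum traffic (empty if none)."""
    reasons = []
    if is_tls_record(payload):
        return reasons
    for line in payload.split(b"\n"):          # Stratum is newline-delimited JSON
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except ValueError:                      # not JSON: some other protocol
            continue
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if isinstance(method, str) and method in STRATUM_METHODS:
            reasons.append(f"stratum method {method}")
        params = msg.get("params")              # dict for XMRig, list for cpuminer
        if params is not None:
            m = MINER_AGENT_RE.search(json.dumps(params))
            if m:
                reasons.append(f"miner agent {m.group(0)}")
    return reasons


def scan_flows(flows):
    """flows: iterable of (src, dst, payload). Returns (src, dst, reasons) for hits only."""
    hits = []
    for src, dst, payload in flows:
        reasons = inspect_payload(payload)
        if reasons:
            hits.append((src, dst, reasons))
    return hits


# Constructed sample traffic, as a network sensor might hand it over.
SAMPLE_FLOWS = [
    # XMRig login to a Monero pool on 3333, a common Stratum port
    ("10.0.4.23:51844", "203.0.113.9:3333",
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
     b'"pass":"x","agent":"XMRig/6.16.4","algo":["rx/0","cn/r"]}}\n'),
    # share submission from the same host
    ("10.0.4.23:51844", "203.0.113.9:3333",
     b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"a1","job_id":"7",'
     b'"nonce":"9f0c0000","result":"00"}}\n'),
    # Bitcoin-style miner, two messages in one segment
    ("10.0.4.57:40210", "203.0.113.9:3333",
     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
     b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'),
    # benign JSON-RPC call: same framing, no mining methods or agents
    ("10.0.4.88:44102", "198.51.100.20:8080",
     b'{"jsonrpc":"2.0","id":5,"method":"getStatus","params":[]}\n'),
    # same miner host reaching the pool over stratum+ssl: only a TLS ClientHello is visible
    ("10.0.4.23:51900", "203.0.113.9:443",
     b'\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03' + b'\x00' * 32),
]

if __name__ == "__main__":
    for src, dst, reasons in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Three of the five flows are flagged; the benign JSON-RPC call is not, and neither is the TLS-wrapped session, even though it is the same miner talking to the same pool. That last result is the point of the paragraph: once the pool connection is encrypted, the content checks have to run somewhere the traffic is decrypted.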
The Zero Trust model depends on full visibility into users and their activities. While widespread encryption has been a boon for data security and privacy, it has also had an unintended consequence for network defenders: attackers can hide malware delivery and command-and-control inside legitimate-looking encrypted traffic, which blinds monitoring solutions and other elements of the network security stack.
Recognizing this problem, many security vendors have added SSL inspection to their solutions to decrypt, inspect, and re-encrypt traffic as it enters and leaves the organization. But performing this function in a distributed manner, with each device decrypting, inspecting, and re-encrypting the same traffic separately, creates network bottlenecks and performance problems that can degrade service quality for business users and customers as much as cryptojacking malware itself. Meanwhile, distributing private keys across a multi-vendor, multi-device security infrastructure expands the attack surface: every device that holds a copy of the key is another place it can be stolen from.
(Sanjai Gangadharan is Area Vice President, South ASEAN, at A10 Networks, and Babur Khan is Technical Marketing Engineer at A10 Networks)