The Rise of Cryptojacking: Effective Detection and Prevention

Andy Ye

Andy Ye

June 12, 2018

With the growing popularity of cryptocurrency around the globe, a new form of cybersecurity threat called cryptojacking is becoming a big concern. In late 2017, Malwarebytes reported 8 million daily malware blocks, with each detected incident possibly being cryptojacking. Early this year, CSO listed cryptojacking “gold rush” as the No.1 of Top 5 cybersecurity concerns for 2018.  In response, we need to take a closer look at this threat and how to effectively detect and prevent against cryptojacking attacks.



Simply put, the reason cryptojacking is so popular is that it’s a highly efficient way to get more money with less risk. It’s a cheaper and more profitable alternative to other attacks such as ransomware. While there is a very low percentage of ransomware cases eventually paid, almost 100 percent of cryptojacking-infected machines can be used to mine cryptocurrency, which has value. Also, the risk of being identified and caught is lower than other attacks. The cryptojacking code can run secretly and go undetected for considerable amounts of time. Even if discovered, it’s quite difficult to trace cryptojacking back to the source of the attack. Finally, unlike other attacks that might cause loss of data or damage to the physical entity used, the motivation to find and prosecute attackers is not high since there’s no damage, disfunction or visible loss in cryptojacking.



According to Symantec, in the early stage, cryptojacking is essentially “in-browser” cryptomining.  However, more and more people consider that any cryptomining activities which are not intentional should be considered cryptojacking. Also, to clarify, there are generally two types of cryptojacking methods, server-based and in-browser based.

For the in-browser case, the cryptojacker injects lines of JavaScript, which then mines cryptocurrency within web browsers. The server method runs mining code directly on the server infrastructure.  From the server side, both methods involve an attacker getting code to run on a server. Before we begin a deeper discussion of cryptojacking detection and prevention, let’s first examine how it works.



Let’s start by looking at a typical in-browser cryptojacking case called Coinhive. Coinhive is a JavaScript library launched in 2017. Coinhive mines a cryptocurrency called Monero (XMR). The algorithm used to calculate the hashes, called Cryptonight, was designed to run well on consumer CPUs. It allows a website to use the client computer to mine Monero cryptocurrency offering site owners an alternative to online advertising. The money mined by the browser-based hosted scripts is credited from Coinhive to the website Owners/Administrators. Using Coinhive, an individual can get the number of hashes solved for a user account, withdraw hashes, verify tokens and programmatically create short links. Unlike popular miners, Coinhive does not provide any specific information about the account owner because of the privacy terms.

On the other hand, the elastic computing power of large data centers and cloud infrastructures are an easy target for cryptojacking attackers, because they can enable attackers to virtually spawn and control large mining farms. However, it does require more sophisticated methods to be used. It requires an attacker to carry out multiple steps: finding server to exploit in the data center, planting mining code onto the initial compromised server, spreading the mining code laterally onto other servers, then coordinating and mining those data center servers.

Just with this explanation, we can see that in-browser cryptojacking is simpler and therefore prevention is relatively easier.  There are already free browser plugin extensions available, such as nocoin or coinblock, which can block cryptojacking on endpoints. These tools can help protect against in-browser cryptojacking.

Because there are solutions for in-browser cryptojacking, detection and prevention of cryptojacking in the data center has become the main challenge for all the security vendors. Before we take a specific look at what ShieldX Networks can do as a solution for cryptojacking, let’s examine more around data center cryptojacking.



 As mentioned above, code used for cryptojacking can run stealthily and go undetected for a considerable length of time. And it is quite difficult to trace back to the source. In the cryptojacking cases that were reported in the recent months, there is still no substantial cost disclosed. There are multiple reasons for this. The cryptojacking cases were mostly disclosed by 3rd parties. The motivation to find the attackers and disclose negative impacts was low. Yet, because of the nature of cryptojacking attack, it’s easy to conclude that cryptojacking can cause severe impacts.  First, a victim’s computing power is stolen which would ultimately cause data center’s bills to skyrocket. Also,  performance goes down. Not to mention the impact to a company’s brand if the fact they were a victim of cryptojacking was disclosed. All of these impacts is why CSOonline listed cryptojacking as the number one of five top cybersecurity concerns in 2018 for the CSO.



Leveraging the EternalBlue vulnerability to infect Windows servers is just one way for attackers to access fast amounts of data center computing resources. Hackers also know that Apache Struts(CVE-2017-9805) vulnerability impacting struts REST plugin with XStream handler, which was used during the Equifax data breach, can be used compromise and gain persistency on Linux-powered machines. Daisy-chaining exploits combined with persistency tools can compromise servers and automatically propagate across networks, which enables attackers to successfully plant mining software and then leverage cloud computing power.



To fully understand how cryptojacking happens in the data center, we will examine the well-known Tesla case. According to RedLock’s CSI team, the hackers went through the following stages:

  • The hackers had infiltrated Tesla’s Kubernetes console which was not password protected.
  • Within one Kubernetes pod, access credentials were exposed in Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that contained sensitive data such as telemetry.
  • Hackers then planted a cryptojacking tool and performed crypto mining from within one of Tesla’s Kubernetes pods.



Cryptojacking running in Tesla’s K8s pod



As we’ve seen, the execution of cryptojacking in a data center can be very stealthy. The attacks progress quietly through the described stages: compromising the admin console, exploiting discovered vulnerabilities, delivering mining software to the first compromised system, spreading the mining software laterally within the cloud, and finally the actual mining. However, all mining software, whether file-based or fileless, must connect to either the cryptocurrency network or a mining pool to exchange data and fulfill the blockchain’s proof-of-work duty. This creates a proof-of-footprint, which can be used to accurately identify and prevent cryptojacking activities.

ShieldX Labs recently revealed new categories of cloud security threats. The Tesla case falls into several categories of cloud attacks. The infiltration of Tesla’s Kubernetes console is a typical “Orchestration Attack”. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 indicating that both “Cross-tenants” and “Cross-workloads Attacks” happened. These very new and cutting-edge type of attacks cannot be detected with standard security solutions.

In order to detect cryptojacking vulnerability exploits in cloud environments, a security solution must be able to detect mining applications and catch the mining software (malware) as it moves towards the service applications and functions.  It must also be able to detect lateral movement between applications and functions. Furthermore, the solution must also perform across a multi-cloud environment to cover the breadth of popular cloud services that enterprises are using today —including VMware, OpenStack, AWS and Azure.

ShieldX’s cloud security platform, ShieldX Elastic Security Platform, represents the game-changing evolution of security that is needed to automatically identify and stop advanced attacks like cryptojacking in environments where traditional security controls are no longer sufficient. Built on the foundational US patent (#9,716,617), a “hierarchy of microservices that can be utilized to deliver a multitude of auto-scaling security functions,” ShieldX Elastic Security Platform follows our Serverless Security Philosophy. This innovation enables ShieldX Elastic Security Platform to quickly and economically scale to secure modern cloud and virtualized data centers with automated provisioning and enforcement of both dynamic and static rules as needed to identify and stop an attack in progress.

With unique Deep Packet Inspection (DPI), Indicator Of Pivot (IOP), and anomaly detection engines, ShieldX Elastic Security Platform has detection capabilities that address all stages of attack used in the Tesla case. Starting with a whitelist of approved application behaviors, ShieldX Elastic Security Platform then uses application elements and connectivity patterns to automatically construct and recommend policies. With the DPI ability to map protocol—such as http running on port 12345 instead of port 80 or 8080—ShieldX Elastic Security Platform can even detect mining pool activity that is happening on non-standard ports. ShieldX Elastic Security Platform’s continuous behavioral learning and automation capabilities help enterprises rapidly protect their network resources against this new menace and other variants that are sure to follow.