Cryptojacking

In this blog post, we examine what cryptocurrency is, how it works, and how its fundamental principles of operation can encourage the illicit activity known as cryptojacking. We also investigate the scale of the problem to date, and how it can best be guarded against, as well as detected should it occur.

Cryptocurrency has existed for only around a decade at this point in time and is still considered to be in its infancy. As with any financial system however, it has already attracted significant attention from those looking to “get rich quick”, whether by fair means or foul. Due to the unique paradigm on which it is based, many of the methods used to try and exploit the system for financial gain are peculiar to cryptocurrency, rather than threats that also face traditional financial systems. One such activity that has garnered significant attention is that of “cryptojacking”, a technique for generating a profit via cryptocurrency that is at least ethically questionable, and very often criminal, in nature.
What is Cryptocurrency?
A cryptocurrency is a financial asset that exists only as a digital entity rather than in any physical medium, and which uses peer-to-peer cryptographic techniques (most commonly a blockchain) for operations including asset creation and the distribution and verification of ownership. Although not exclusively so, many of the most prominent cryptocurrencies also incorporate the principle of decentralization: they aim to be free of the constraints of traditional currencies, which are issued or regulated by central banks or other centralised authorities and/or state institutions.
Although termed “currency”, their use as legal tender in the traditional sense has been extremely limited to date and very much secondary to their use as a speculative asset for investment. Many cryptocurrencies are, currently at least, best viewed as a form of traded stock or investment scheme rather than a currency, and they are subject to significant volatility in value.
What is the point of cryptocurrency?
Cryptocurrencies are a relatively new paradigm for money (or traded assets at least). The advantages most frequently quoted by proponents are that they can offer a streamlined alternative to existing financial architectures, free of regulation, central control, processing fees and transaction charges. The decentralized operation of many cryptocurrencies (which we outline shortly) makes it possible for transacting parties to exchange value independently of central financial institutions such as banks and clearing houses.

Since cryptocurrencies are in many cases not controlled by state institutions, the argument is that they are not subject to many of the issues or threats that face traditional currencies, such as inflation, central bank control and devaluation, bank runs and financial market crashes. The images of people queuing outside banks to try to withdraw their money in times of crisis, only to be turned away or to leave with wheelbarrows full of worthless cash insufficient to buy a loaf of bread, are intended to be impossible under a cryptocurrency system.
What potential problems are there with cryptocurrency?
However, the recent history of cryptocurrency has shown that in many cases it has simply swapped one set of issues for another. Much of the history of cryptocurrency systems to date is at the very least murky and often quite nefarious, with claims of Ponzi schemes, price manipulation, wash trading and predatory behaviour. The price of Bitcoin, one of the two most popular cryptocurrencies, has at the time of writing fallen by more than half from its 2021 peak value, with billions of dollars of value lost in a matter of hours.

Quite apart from the problems and questionable practices within the cryptocurrency markets themselves is the use that cryptocurrency is put to. Although perhaps nobly envisaged initially as a way of freeing finance from the greedy grasp of large financial institutions and central state government, it turns out that deregulated and pseudo-anonymous finances deliver – perhaps unsurprisingly – a very appealing proposition to criminals and those very governments that were most distrusted in the first place. Cryptocurrencies have therefore found themselves used on a massive scale in illegal activities including money laundering, illicit purchases on the dark web, adoption in financial trades by states looking to avoid sanctions, and in facilitating a payment system to support ransomware attacks – malware that encrypts data in order to make it unavailable to its owners and holds the decryption key hostage until victims pay the perpetrators.
How is cryptocurrency generated?
Just as with traditional currencies, it is possible for cryptocurrency within a given cryptocurrency system to be created or “minted” by a central authority and issued to institutions or users. However, the greatest adoption of cryptocurrencies to date has been within systems that are architected based on a model of decentralized control. In this form of cryptocurrency, there is what is known as a distributed ledger technology (typically a blockchain) that serves as a public record of all financial transactions within the system, but which is redundantly distributed across and calculated by a dispersed system of nodes.

The decentralized model often also incorporates what are perhaps some of the most novel aspects of cryptocurrencies as well as the most controversial: known as “proof-of-work” systems, these leverage computational power (brute force) to perform extremely resource-intensive cryptographic calculations that underpin the currency’s operation.

These proof-of-work systems operate via a process commonly referred to as mining, which combines two essential activities. In distributed cryptocurrency networks, mining performs the calculations that confirm the validity of transactions made within the cryptocurrency (such as a transfer of assets). However, in order to incentivise nodes to perform this function and to contribute processing power to the network, the first node to solve the cryptographic function is rewarded with an issue of some of the cryptocurrency itself.
Due to the way the system is designed, each transaction requires multiple proofs to agree in order to be verified, and because of the uncertainty involved in breaking cryptographic keys, it is not known whether the first calculation you perform or the 50-millionth will be the successful one. Multiple cryptominers therefore compete to solve the hashes required to validate a particular transaction. “Mining” is a good analogy for the activity: whilst there is no guarantee of a reward on a given day, returns are, on the basis of probability, guaranteed over a sufficiently long time period, much like “striking it rich” by finding a gold vein or a diamond after perhaps months of digging.
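To make the proof-of-work mechanics concrete, the following is an added example (not code from the original post and not any real cryptocurrency's implementation) of a toy miner: it varies a nonce until the SHA-256 hash of a constructed block header falls below a target, shows that checking a solution costs one hash while finding it costs about 2^difficulty on average, and shows why the expected time to a reward falls in proportion to the number of machines an operator can put to work. The block layout, the difficulty encoding and the constructed transaction string are assumptions made for illustration.

```python
import hashlib
from typing import Optional, Tuple

# Constructed toy block: a real block header carries more fields, but the
# puzzle is the same: vary a nonce until the header hash falls below a target.
PREVIOUS_HASH = "00" * 32          # placeholder for the previous block's hash
TRANSACTIONS = "alice->bob:5;bob->carol:2"


def block_hash(previous_hash: str, transactions: str, nonce: int) -> str:
    header = f"{previous_hash}|{transactions}|{nonce}".encode()
    return hashlib.sha256(header).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """A hash solves the puzzle when it is below 2^(256 - difficulty_bits),
    i.e. when it begins with at least `difficulty_bits` zero bits."""
    return int(digest_hex, 16) < (1 << (256 - difficulty_bits))


def mine(previous_hash: str, transactions: str, difficulty_bits: int,
         max_attempts: int = 2_000_000) -> Optional[Tuple[int, int]]:
    """Brute-force the nonce. Returns (nonce, attempts) or None if the budget
    runs out. Every attempt is independent, so the miner never knows whether
    the next hash will be the winning one."""
    for nonce in range(max_attempts):
        if meets_target(block_hash(previous_hash, transactions, nonce), difficulty_bits):
            return nonce, nonce + 1
    return None


def verify(previous_hash: str, transactions: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs a single hash, however long it took to find."""
    return meets_target(block_hash(previous_hash, transactions, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Each hash succeeds with probability 2^-difficulty_bits, so on average
    2^difficulty_bits hashes are needed before one succeeds."""
    return 1 << difficulty_bits


def expected_seconds(difficulty_bits: int, hashes_per_second: float) -> float:
    """Doubling the number of machines doing the hashing halves the expected
    time to a reward, which is exactly the incentive behind cryptojacking."""
    return expected_attempts(difficulty_bits) / hashes_per_second


if __name__ == "__main__":
    difficulty = 16
    nonce, attempts = mine(PREVIOUS_HASH, TRANSACTIONS, difficulty)
    print(f"nonce={nonce} found after {attempts} attempts "
          f"(expected about {expected_attempts(difficulty)})")
    print("verified:", verify(PREVIOUS_HASH, TRANSACTIONS, nonce, difficulty))
    for machines in (1, 10, 1000):
        print(f"{machines:5d} machine(s) at 1 MH/s each: "
              f"{expected_seconds(difficulty, machines * 1e6):.6f} s expected")
```

Changing a single character of the transaction data invalidates the nonce, which is why a verified solution also commits to the transactions it covers; and because each attempt is independent, a miner that has already spent a million hashes is no closer to a solution than one that has just started.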

These properties of decentralized or distributed cryptocurrencies have led to staggering amounts of computer resources being dedicated to crypto mining internationally (some estimates claim that the electricity consumed exceeds that of the entire country of Switzerland, for example). This has led not only to major environmental concerns, but has also greatly incentivised less ethical parties to consider how they can subvert the computing power owned by other individuals for their own crypto mining purposes, as we shall see shortly.
How can crypto mining be performed?
As we saw above, crypto mining relies (by design) on the required calculations being extremely “expensive” in terms of computer resources. As with all computationally expensive tasks, the time to deliver a solution scales with the number of operations that can be performed per second. Within computing, scaling is described as being either vertical or horizontal. Vertical scaling describes adding more power to existing machines and is one approach taken in traditional supercomputer design, for example, to tackle calculations such as weather forecasting and the modelling of nuclear explosions or galaxy formation.

However, the decentralised nature of cryptocurrency means that it lends itself much more readily to horizontal scaling – adding additional nodes to perform the computation on. Crypto mining isn’t the first arena to take advantage of distributed computing power – various projects such as gene sequencing initiatives through to the search for extra-terrestrial intelligence in radio wave signals have all been associated with organised (and legitimate) distributed computing initiatives.
What is cryptojacking?
Cryptojacking is a perhaps obvious consequence of the combination of two factors within cryptocurrency: its distributed nature, and its requirement for computationally expensive “proof of work”. Since there is a direct financial incentive to bring as much computational capacity as possible to bear on crypto mining, it doesn’t take a significant leap of imagination for users to start considering how they can leverage greater resources than they have legitimate usage rights to.

Perhaps initially this might have taken the form of co-opting resources such as employer server equipment and unused workstations to provide additional computational power, but more recently the scale of this type of activity has spread to individuals attempting to subvert and leverage thousands of consumer computers to perform crypto mining on their behalf.

This “cryptojacking” as it is often termed involves hijacking a computer (or more commonly, a very large number of computers) to mine cryptocurrencies without the legitimate user’s knowledge.
How is cryptojacking performed?
Cryptojacking relies on a system being co-opted to perform a task without its owner’s knowledge or permission. In that respect, it has a lot in common with other forms of malware. Unlike ransomware, however, cryptojacking relies on establishing a persistent presence, since the reward for subverting a host continues to scale for as long as the attacker can co-opt its resources for crypto mining without being detected.
How does cryptojacking relate to web applications?
Although there are many forms of malware and malware delivery that can install a crypto mining agent onto an unsuspecting user’s PC, the form of cryptojacking seen within web applications relies on malicious JavaScript that is client-based and executes within the web browser.

“Coinhive” is a piece of JavaScript code that was initially intended for legitimate use: website owners could simply embed it in their website and generate revenue through an alternative model to online ads. Website operators could remove ads from their websites (which many users find annoying, and which are increasingly difficult to monetize to any significant degree) and ask visitors to load Coinhive instead. While users browsed the website, the JavaScript would use their PC’s resources to mine cryptocurrency. The visitors to the website would collectively represent the distributed group of nodes required to do the intensive computational work.

However, although Coinhive and similar scripts may have been established with noble intentions originally, they soon became leveraged in a couple of ways that were at least unethical and arguably criminal in nature. The two primary types of such activity are:

  1. Illicit websites that do not explicitly ask visitors’ consent prior to executing crypto-mining scripts in their browsers, nor provide them the option to opt-out from such activity; and
  2. Legitimate websites that have been co-opted against their operator’s knowledge to inject visitors with crypto-mining JavaScript via a hijacked supply chain, cross-site scripting vulnerabilities or similar.
For organisations, both forms of risk are present: that of their employees’ machines being co-opted into crypto mining when browsing other websites, and that of their own website being used to distribute malicious crypto mining JavaScript to legitimate visitors if it has an XSS vulnerability or similar. The latter form is perhaps the most damaging to a company’s reputation.
What is the impact of cryptojacking?
Cryptojacking malware is unlike many other forms of malware in that it is designed to remain unobserved, so there is most often no visible impact or immediately catastrophic outcome as in the case of ransomware. Rather, infected hosts will generally simply begin to perform poorly and struggle with certain tasks, since a sizable portion of their CPU activity is being diverted towards the crypto mining effort.

Perhaps most seriously, however, once the crypto mining malware is installed it can also potentially perform other actions, such as attempting to distribute malware to other hosts, or opening a “backdoor” for system access whereby the infected host can be recruited into a more sophisticated centralised botnet to perform further mining efforts or potentially other forms of exploitation and attack, such as DDoS (distributed denial of service) attacks.
How can you prevent cryptojacking?
Some measures that would completely prevent cryptojacking via in-browser techniques, such as disabling JavaScript entirely, are simply not practical on the modern web. The best protection that can be afforded to client PCs is to install robust and proven antivirus/anti-malware solutions on all end user PC equipment, and to ensure that they provide full endpoint protection including dynamic evaluation of executing JavaScript using sandbox and other techniques. It can also be useful to check with firewall vendors, endpoint protection vendors and internet service providers to see if they support dynamic “blocking lists” of known malicious IPs and domains. Known as “Domain Name System Blacklists” or DNSBLs, these have primarily been used for email spam prevention, but some vendors now offer similar lists to prevent outbound connections to malicious domains across a broader range of services.
From the perspective of operated web services, there are several additional preventative measures, beyond the same measures as for clients outlined above, that can be deployed. In addition to ensuring that server hosts are covered by capacity and performance management tooling that monitors and alerts on unusual or excessive resource usage, it is also possible to take steps to ensure that web hosts do not inadvertently distribute malicious JavaScript to website visitors. In general, many of the same steps used in the prevention of Cross-Site Scripting (XSS) are useful preventive measures (Cross-Site Scripting – AppCheck). It can also be worthwhile ensuring that all JavaScript delivered to clients is hosted locally and not called from third-party platforms, which in turn protects clients from malicious JavaScript libraries that have been hijacked as part of the supply chain. Where this cannot be avoided, investigate the use of HTTP security headers such as Content Security Policy (CSP) to limit how external content is loaded into a client’s browser, as well as Subresource Integrity (SRI) verification to ensure that the JavaScript contents have not been modified (Secure Inclusion of Third Party Content – AppCheck).
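The CSP and SRI controls just mentioned are easy to describe and easy to get subtly wrong, so the following is an added example (not code from the original post or from AppCheck) that generates the `integrity` value for a third-party script, replicates the browser's check against a constructed tampered copy of the same script, and builds a Content-Security-Policy header that restricts script sources. The script contents, the CDN host name and the tampered variant are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample: the third-party script the site intends to load, captured
# at the moment the integrity value is generated and reviewed.
TRUSTED_SCRIPT = b"window.cart.render(document.getElementById('cart'));\n"

# Constructed sample of the same file after an upstream compromise appended code.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"/* appended by a hijacked CDN */ loadExtraScript();\n"

# The only digest algorithms the SRI specification permits.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Value for the integrity="..." attribute: "<algorithm>-<base64 digest>"."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not support {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(fetched: bytes, integrity: str) -> bool:
    """Replicate the browser's check: hash the bytes actually fetched and compare.
    An unsupported algorithm or a mismatch means the script must not execute."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    return sri_integrity(fetched, algorithm) == integrity


def script_tag(src: str, integrity: str) -> str:
    """crossorigin="anonymous" is required for SRI on cross-origin scripts: without
    a CORS response the browser cannot read the bytes it needs to hash."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def build_csp(script_hosts) -> str:
    """Content-Security-Policy that allows scripts only from the page's own origin
    and the listed hosts. Inline script is not permitted, which removes the
    injection vector an XSS payload usually relies on."""
    script_src = " ".join(["'self'", *script_hosts])
    return (f"default-src 'self'; script-src {script_src}; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


if __name__ == "__main__":
    integrity = sri_integrity(TRUSTED_SCRIPT)
    print(script_tag("https://cdn.example/cart.js", integrity))
    print("Content-Security-Policy:", build_csp(["https://cdn.example"]))
    print("trusted copy accepted: ", sri_matches(TRUSTED_SCRIPT, integrity))
    print("tampered copy accepted:", sri_matches(TAMPERED_SCRIPT, integrity))
```

The integrity value must be regenerated whenever the third-party file legitimately changes, so pin the script to a versioned URL rather than a "latest" one; and the CSP above has no `'unsafe-inline'` in `script-src`, which means any inline script the page genuinely needs has to be moved to a file served from an allowed origin.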

Lastly, a vulnerability scan using a scanner such as AppCheck can help detect both in-place crypto-mining JavaScript, as well as vulnerabilities such as XSS that could be leveraged by attackers to deploy cryptojacking malware in the future, allowing you to mitigate issues before they can even become established.
How can AppCheck Help?
AppCheck performs comprehensive checks for a massive range of web application vulnerabilities – including client-side malicious JavaScript such as cryptominers – from first principles, to detect vulnerabilities in in-house application code.

The AppCheck web application vulnerability scanner has a full native understanding of web application logic, including Single Page Applications (SPAs), and renders and evaluates them in the exact same way as a user web browser does. This includes all client-side JavaScript, allowing it to be evaluated and analysed. Our custom JavaScript Crypto Miner detection module works by loading each page within a sandboxed web browser and then detecting attempts by the browser to communicate with Crypto Mining services. Using this technique means that we are not dependent on matching “known” crypto mining code only but can detect new and even obfuscated code. Using our partnering “JavaScript Library Validation” module we can even detect obfuscated libraries such as cryptominers that are dormant at the time of the scan.
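Both the detection approach described above (watching which hosts a browser tries to communicate with rather than matching known miner code) and the DNS blocklists mentioned under prevention come down to the same check: is the destination host, or any parent domain of it, on a list of known mining services? The following is an added example of that check run over a few constructed proxy log lines; it is not AppCheck's detection module, and the blocklist entries, log format and client addresses are placeholders invented for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed blocklist. These are placeholder names, not real mining services;
# in practice the entries would come from a DNSBL feed or a threat-intel source.
MINING_DOMAINS = frozenset({"pool.miner-example.test", "ws.cryptopool-example.test"})

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>" per line.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2023-05-01T10:00:02Z 10.0.0.5 GET https://cdn.example.net/app.js 200
2023-05-01T10:00:03Z 10.0.0.5 GET wss://pool.miner-example.test:8443/ 101
2023-05-01T10:00:09Z 10.0.0.7 GET https://www.example.com/about 200
2023-05-01T10:00:12Z 10.0.0.5 GET wss://eu1.pool.miner-example.test/ 101
2023-05-01T10:00:15Z 10.0.0.9 GET https://ws.cryptopool-example.test/api 200
this line is malformed and must be skipped
"""


def host_is_listed(host: str, blocklist) -> bool:
    """Match the host itself or any parent domain, as a DNS blocklist lookup does,
    so eu1.pool.miner-example.test is caught by the entry for pool.miner-example.test."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, client, host), or None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    timestamp, client, _method, url, _status = fields
    host = urlsplit(url).hostname
    return (timestamp, client, host) if host else None


def find_mining_connections(log_text: str, blocklist=MINING_DOMAINS) -> Dict[str, List[Tuple[str, str]]]:
    """Group every connection to a listed host by client, so the responder gets
    one finding per machine rather than one per request."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, client, host = parsed
        if host_is_listed(host, blocklist):
            findings[client].append((timestamp, host))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in find_mining_connections(SAMPLE_LOG).items():
        print(f"{client}: {len(hits)} connection(s) to listed mining hosts")
        for timestamp, host in hits:
            print(f"    {timestamp}  {host}")
```

Because the match is on the destination rather than on the script that initiated the connection, obfuscated or newly written miner code is caught as soon as it contacts a listed pool; the trade-off is that the check is only as current as the blocklist, so a miner pointed at an unlisted pool is missed, which is why the resource-usage monitoring mentioned under prevention is worth running alongside it.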

The AppCheck Vulnerability Analysis Engine provides detailed rationale behind each finding including a custom narrative to explain the detection methodology, verbose technical detail, and proof of concept evidence through safe exploitation.
About AppCheck
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
Additional Information

As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please contact us: info@localhost
