‘Cryptojacking’, i.e. surreptitiously using unsuspecting users’ computing resources to mine cryptocurrencies, is becoming increasingly common. In the latest such incident, crypto mining malware designed to mine Monero (XMR) was used to infect Linux servers, taking advantage of a five-year-old security vulnerability.
Cryptocurrency mining is a complex, resource-intensive, and competitive process. The combination of specially designed hardware, special-purpose software, and the people who operate them is called a “miner”. A miner succeeds when it creates a new block in the blockchain underlying the cryptocurrency in question, and miners receive a small fraction of the cryptocurrency for each new block they create. Because miners are rewarded in this way, the process is highly competitive.
To create a new block, a miner has to solve a cryptographic puzzle, essentially by executing a massive number of number-crunching operations very fast, in competition with every other miner. This is why mining software is highly optimised, and the hardware also has to be powerful enough to run it. Miners often use Graphics Processing Units (GPUs) alongside the computer’s Central Processing Unit (CPU).
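The puzzle described above, as an added toy example that is not from the original article: a miner repeatedly hashes a block header with a changing nonce until the hash falls below a target, and each extra difficulty bit doubles the expected work. The header string is constructed for illustration and the leading-zero-bits target is a simplification of real proof-of-work targets.

```python
import hashlib


def block_hash(header: str, nonce: int) -> bytes:
    """Double SHA-256 of the header plus a nonce (the style Bitcoin uses).

    The header is a constructed sample, not a real block header.
    """
    data = f"{header}|nonce={nonce}".encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The puzzle: the hash, read as a 256-bit integer, must be below
    2**(256 - difficulty_bits), i.e. start with difficulty_bits zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: str, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force search over nonces. There is no shortcut: a hash cannot be
    steered towards the target, so mining is pure number crunching.
    Returns (nonce, attempts) on success, or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    return None


def verify(header: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however hard it was to find."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Each difficulty bit halves the chance that a random hash qualifies,
    so the expected number of hashes doubles with every bit."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = "prev=0000abcd|merkle=1234beef|time=1520000000"  # constructed sample
    for bits in (8, 12, 16):
        nonce, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:7d} attempts={attempts:7d} "
              f"expected~{expected_attempts(bits):7d} "
              f"hash={block_hash(header, nonce).hex()[:16]}...")
```

Rerunning with a higher `difficulty_bits` shows why stolen CPU time is attractive: the search cost grows exponentially while verification stays constant.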
While the early adopters of cryptocurrency mining enjoyed a good return on investment (RoI), the RoI diminishes over time as the environment becomes increasingly competitive. Add the fact that most cryptocurrencies have a cap on the total number of units, for example 21 million for Bitcoin, and it is clear that the RoI from mining will diminish further in future. The economics of mining is such that unscrupulous miners will want to grab other people’s computing power, since doing so gives them access to far more computing power and increases their chances of creating a new block.
Because cryptocurrency mining code is highly resource-intensive, it can slow down a computer or even damage it. For a user who is not into cryptocurrency mining, having her computer hijacked by miners can be very irritating, and potentially damaging.
In the latest incident, as reported by the American cyber-security company Trend Micro, the hackers took advantage of a five-year-old vulnerability in the Network Weathermap plugin for Cacti. The bug allowed the hackers to execute code on the underlying servers, which they used to install a customized version of XMRig, an open-source Monero mining program.
The attackers devised an automated way of checking on the malware every three minutes to see whether it had been shut down, thereby maximizing its uptime. They also kept XMRig low-profile by limiting the CPU resources it used, to avoid detection.
Trend Micro has reported that the patch for this vulnerability has been available for five years; however, many systems have not been patched, and that is how the hackers were able to exploit it. Trend Micro and other cyber-security companies strongly recommend keeping computers up to date by regularly updating and patching their software, especially web browsers. Regular patching would have prevented this particular attack.
This latest instance is just one in a long chain of cryptojacking incidents, for example:
- In March 2018, a crypto mining malware infected nearly 500,000 PCs within a few hours.
- In January 2018, Monero mining code targeted DoubleClick, Google’s popular ad-serving service.
- In December 2017, an American businessman found that his laptop had been infected with Monero mining code when he connected it to the in-store WiFi of a Starbucks coffee shop in Buenos Aires, Argentina.