The Rising Trend of Cryptojacking

Cryptojacking is on the rise and is a particularly nefarious threat because it is hard to detect.  Once your system has been cryptojacked, malicious cryptocurrency mining software runs silently in the background, robbing you of your precious computing power and often staying just under the threshold of easy detection.

We wanted to bring you an expert’s insights into cryptojacking so we spoke with Jacob Serpa, Product Marketing Manager at Bitglass.  Bitglass is a global Cloud Access Security Broker (CASB) and agentless mobile security company based in Silicon Valley. The company’s solutions enable real-time end-to-end data protection, from the cloud to the device.

Jacob Serpa, Product Marketing Manager at Bitglass

We asked Jacob to introduce you, our readers, to Bitglass.  Here’s what he had to say, “At Bitglass we are a Cloud Access Security Broker (CASB) and so you can think of us as a security and control point for data flowing to the cloud.  What we’re really committed to is ensuring comprehensive cybersecurity for any app or any device, anywhere.  As organizations move to the cloud and enable Bring Your Own Device (BYOD) and have employees using their personal phones for performing their work, it really changes how you have to approach cybersecurity in the enterprise and how you protect your data as it moves off premises.”

“We like to talk in terms of our four core pillars of; data protection, threat protection, visibility, and identity.”  Each of these is a critical component of what Bitglass brings to an organization’s overall security posture. 

Bitglass has been around since 2013.  Jacob said, “We’re a relatively new company in a relatively new industry, but we’re quickly maturing.  These are exciting times.”

The basics and how does cryptojacking differ from other attacks

For those who may be unfamiliar with cryptojacking, we asked Jacob to describe the basics and how it differs from other cyber threats.  He told us, “Cryptojacking is basically the unauthorized use of an organization’s computing resources whereby some malicious third party is going to mine cryptocurrency.  The reason that this is so appealing to hackers is that cryptocurrency has really exploded in terms of value. It’s pretty lucrative. The way that it functions is a little bit different from traditional attacks.  With things like ransomware, individual or company devices get infected by a threat and it locks everything down, blocking access to data until a ransom is paid.  You don’t get to access your system again. Some people will pay. Some people will have backups, fortunately, but a lot of people are left with no choice but to pay the ransom.

With that, and with other traditional malware threats, it’s a one and done attack.  The device is infected, and either a ransom is paid or the infection is fixed, and both the attacker and victim move on.  The way that I think of cryptojacking – to borrow a way of thinking from biology – is the parasite wants to keep its host alive.  It’s more useful to it that way. In cryptojacking, you have these devices being misused in a more subtle way where it allows the hacker to make money slowly, over time rather than one large payout. And so in that way it’s a bit more sustainable, it’s a bit more secretive, and it’s less obvious and harder to detect.”

How cryptojacking has evolved or changed over time

Our discussion turned to how cryptojacking has changed over time.  Jacob explained, “There are a couple of things that are happening right now in cryptojacking that are very interesting. Cryptojacking traditionally has been very device-centric.  Mining for cryptocurrency takes a lot of compute power. Just doing it on one device won’t necessarily get you a whole lot of cryptocurrency. The goal for hackers is to infect as many of these devices as they can to build a more lucrative underworld business.

They’re looking for ways to disseminate that threat.  Sometimes that’s through malware, other times it’s in a browser.  A victim doesn’t necessarily even have to open a bad attachment or download a bad file to their system, they may have simply visited a malicious website and now this thing is running in their browser.  Fortunately, some of those can be blocked with adblocker and those kinds of technologies, some of which even have the ability to detect cryptocurrency mining scripts that might run maliciously and automatically on your browser.  But one thing that I’ve seen over the last year in cybersecurity is the continued evolution of threats and the way that these things are leveraged by hackers and in new ways. They’re growing more advanced, and more sophisticated. They can even be adaptive in some cases, and they’re looking for the best way to deliver infections and make money. It’s really fascinating, but frightening at the same time.

What has really exploded on the scene is cloud cryptojacking.  With cloud cryptojacking we’re not talking about an individual user’s device but rather an entire enterprise’s compute power and infrastructure.  You now have cryptojacking infecting entire enterprises so the bad guy is automatically getting that scale that they need to make money.  The way that they’re doing this is very deliberate; very cautious because they want to keep things secretive. They’ll intentionally decrease how much compute power they’re using so that it isn’t seen as a massive spike in activity and sound the alarm for the company.”

How to defend against cryptojacking

The obvious question is then, how can cryptojacking be detected and mitigated?  Jacob told us, “There are a couple of routes to try and defend against it and then a couple that you can take to try and monitor for it.  From a defensive perspective, having the latest anti-malware software on all your devices is important. It’s also important to have cloud anti-malware where you can detect threats as they’re uploaded to cloud apps or downloaded from the cloud to users’ devices, or as they’re sitting at rest inside your cloud services. This kind of continuous monitoring is critical, and behavior-based protection is even better.  Solutions leveraging behavior-based protection look for the potential behaviors of certain attachments or certain files to determine if it behaves like a threat.  It typically checks a variety of characteristics and then from there can confidently say, yes, this is malware or no this is safe, let’s just let it continue to be uploaded or downloaded. That’s one way to prevent it ahead of time.  

But once your cloud has been cryptojacked the hackers are being very cunning, so typically what happens is there is some kind of credential theft that happens.  An administrator username and password gets stolen, as an example. What you want to look for, if you can’t see spikes in usage, is unusual user behavior or unusual logins.  Something that can be helpful with that is User and Entity Behavior Analytics (UEBA). What that can do is help you to see who’s signing in, where, what they’re up to, and their activity. And then it can help you identify that strange activity that is going on.

Another preventative thing that you would want to use is Multifactor Authentication (MFA).  You want to have visibility into what’s happening in your user’s accounts to quickly identify unusual activity such as sudden spin-ups of numerous VMs. But leveraging MFA can help you get ahead of that.  User passwords aren’t necessarily the best way to have them authenticate anymore. They’re necessary, but they’re not sufficient.”

How does Bitglass address cryptojacking?

Finally, we asked Jacob to talk about Bitglass and how they address cryptojacking.  He explained, “The CASB space is one that has grown very quickly and is a specialized solution that is made specifically for cloud data.  At Bitglass we go by the moniker of the Next-Gen CASB because what sets us apart is we’re always looking to automate and to employ machine learning wherever we can so that you get proactive security rather than reactive security.  There are a few examples of where we use machine learning. One of them is in shadow IT discovery, which refers to unsanctioned cloud apps that your employees are using. Our solution uses machine learning to constantly look for these new applications and evaluate relative to their risk.

Other competing CASBs still rely on manual classification and they just have teams of people who are looking for these things on the Internet all day, whereas once you have automation built in and you can detect these things on the fly, you can be much more confident that you have visibility at all times over where your data is going.  And then a second example has to do with the behavior-based type of protection that I discussed earlier. We have a technology partner in Cylance and their technologies are deployed in our solution. What that means is that as files are uploaded, downloaded, or at rest in the cloud, we’re scanning those with Cylance’s technology and determining-based on behavior—if it’s malware.

Those are a couple of quick examples.  CASB, and in particular Bitglass, is designed to secure data in the cloud, rather than just on premises.  And in Bitglass’ case, this is useful for a mobile BYOD workforce because traditional security solutions for on premies and managed devices don’t necessarily work in the cloud.”

By: Steven Bowcut, CPP, PSP, Editor-in-Chief for Brilliance Security Magazine