An Imperva study found that cryptojacking attacks are on the rise, with 88% of remote code execution (RCE) attacks sending a request to download cryptomining clients to the infected machines.
Cryptojacking Through RCE Vulnerabilities
According to Imperva, RCE vulnerabilities are usually exploited by attackers in a manner that brings them the most money. Up until now, RCE flaws were used to enroll the infected machines to DDoS botnets and then offer that botnet as a “DDoS for hire” service.
However, in the past few months, attackers have been increasingly switching from building large botnets to infecting machines with cryptomining malware. They then make money from selling the generated cryptocurrency. This way, the attackers can eliminate the middlemen and see a faster return on investment.
Attackers prefer to use cryptocurrencies that use mining algorithms that can be solved by CPUs, such as Monero, or GPUs, such as Ethereum. Imperva also found the attackers used relatively new cryptocurrencies such as Electroneum, which could be mined more efficiently on mobile devices.
Bitcoin mining has been extremely inefficient on CPUs for years. These days, it can only be mined profitably with specialized hardware called application-specific integrated circuits (ASICs), so attackers avoid using it in their cryptomining malware.
The cryptojackers would use up to 90% of a system’s resources in order to maximize their cryptocurrency gains. However, consuming that much usually stalls most of the other tasks on a computer or server, which then alerts the owners of the machines that something is wrong. In a recent cryptojacking attack against Tesla’s cloud infrastructure, by contrast, the attackers preferred to stay under the radar and avoid detection.
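As an added illustration (not part of the Imperva study or this article), the following Python sketch shows the simple detection the paragraph implies: flag a process that holds CPU above a threshold for several consecutive samples, while ignoring a one-off spike. The log format and process names are constructed.

```python
"""Flag processes that hold CPU above a threshold for a sustained window.

Constructed input: one line per sample, "epoch_seconds pid name cpu_percent",
imitating what a periodic ps/top collector might write (not real data).
"""
from collections import defaultdict

SAMPLE_LOG = """\
1000 4121 kworker 3.0
1000 5310 cryptominer 92.5
1000 6002 nginx 12.0
1060 4121 kworker 2.0
1060 5310 cryptominer 94.0
1060 6002 nginx 88.0
1120 5310 cryptominer 91.0
1120 6002 nginx 10.0
1180 5310 cryptominer 95.5
1240 5310 cryptominer 93.0
"""


def parse_samples(text):
    """Parse collector lines into (timestamp, pid, name, cpu_percent) tuples."""
    samples = []
    for line in text.splitlines():
        ts, pid, name, cpu = line.split()
        samples.append((int(ts), int(pid), name, float(cpu)))
    return samples


def sustained_cpu(samples, threshold=90.0, min_run=4):
    """Return {pid: name} for processes at or above `threshold` in at least
    `min_run` consecutive samples of that pid.

    nginx briefly at 88% is a single spike and is not reported; a miner
    pinned above 90% across the whole window is.
    """
    run_length = defaultdict(int)  # current streak of high samples per pid
    flagged = {}
    for _ts, pid, name, cpu in sorted(samples):  # sort by time, then pid
        run_length[pid] = run_length[pid] + 1 if cpu >= threshold else 0
        if run_length[pid] >= min_run:
            flagged[pid] = name
    return flagged


if __name__ == "__main__":
    print(sustained_cpu(parse_samples(SAMPLE_LOG)))  # {5310: 'cryptominer'}
```

A miner deliberately throttled below the threshold, as in the Tesla case described above, will not trip a rule like this on its own, so it should be paired with baselining of normal load and with monitoring of outbound connections to mining pools.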
Protection Against Cryptojacking
Imperva advised organizations to keep their software up to date in order to avoid most of the RCE attacks from cryptojackers. If there are no RCEs to be exploited, the cryptojackers' job becomes much more difficult.