How to Defend Servers Against Cryptojacking

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  

Cryptojacking has become one of the most active and pervasive threats in recent years. In a cryptojacking attack, a cryptocurrency mining script is injected into a server or a webpage to take advantage of the victim system's CPU power.

The first article in this series defined cryptojacking and why it is a cybersecurity risk. In this article, we'll outline how organizations can defend themselves from cryptojacking and take proactive steps to reducee the risk of becoming an unwitting accomplice to a cryptojacking attack.

Types of cryptojacking attacks

There are generally two types of cryptojacking attack methods, server-based and in-browser based.

With the in-browser approach, the cryptojacker injects a line of JavaScript, which then mines cryptocurrency on web browsers. The server method runs mining code directly on server infrastructure.

From the server side, both methods involve an attacker getting code to run on a server in order to run cryptocurrency mining code and both methods can benefit from the mitigation approaches outlined in this article.

Protecting server credentials

It might seem painfully obvious that server access should be properly protected with hardened credentials, but unfortunately that's not always the case.

A report from F5 networks released in January found that hackers were able to get cryptocurrency mining code onto servers via SSH. All the attackers were doing was executing a brute-force attack in an attempt to guess the SSH password.

A common best practice for securing servers against brute force attacks is to make use of an encrypted SSH key pair instead of a password.

It's also critically important to have access control protection for any server assets in general. Electric automobile maker Tesla left its Kubernetes cloud container servers wide open, according to a February 2018 report from security firm RedLock. As a result, attackers were able to easily access and install cryptocurrency miners that ran on Tesla's Kubernetes containers.

So don't leave your servers or cloud instances open, as someone will find them and put them to work as cryptocurrency miners.

Patch for known vulnerabilities

Application patching is another area of basic IT hygiene that has sometimes been overlooked as a cryptojacking attack vector.

In January, ISC SANS reported that attackers were exploiting the Oracle WebLogic CVE-2017-10271 vulnerability that was patched in October 2017. According to ISC SANS, the cryptojackers were able to mine approximately $250,000 in Monero cryptocurrency by exploiting the unpatched servers.

Scanning for known vulnerabilities across the internet is a trivial exercise for attackers. So keep your server applications up-to-date and patched to avoid any nasty surprises.

Scan your network

Even with proper patching and server access hardening, cryptocurrency mining code could potentially still slip through. A user could simply click yes to install something that has a cryptocurrency miner hidden as a secondary download that isn't caught by anti-virus technologies, for example.

Proper scanning and visibility into what is running on servers and across a network is a critical ability to help detect potential cryptojacking attacks. Cryptocurrency mining software is resource intensive, so any CPU processes that are not recognized that are consuming inordinate amounts of resources should be investigated.

Cryptocurrency mining software is always tied to a mining pool. That is, each individual mining node will reach out to an external resource (the mining pool) to get new blocks and to validate blocks. Updating IPS/firewall rules to identify and block known mining pool IPs is another best practice for limiting of cryptojacking risk. See eSecurityPlanet's guide to the 8 top IDS/IPS systems for more information.

Limit third-party risk

Another route that attackers can take is to get in-browser cryptocurrency mining code injected into a site via third-party extensions or advertisements.

That's what happened earlier this month, when accessibility extension vendor Texthelp reported that its Browsealoud text-to-speech extension was compromised during a cyber attack. In that incident, the compromised Browsealoud extension was injected with a cryptocurrency miner, which was then subsequently running on over 4,000 sites around the world that had embedded the extension.

Scott Helme, the researcher who first publicly reported the Browsealoud extension hack, also made some suggestions for organizations in general to protect themselves against running unauthorized scripts that come from third-party resources.

To help prevent any authorized scripts from running on a website, organizations can make us of a protocol approach known as Content Security Policy (CSP). The original idea behind CSP was to help limit risk of Cross Site Scripting (XSS) attacks, but it also has applicability for any form of potential code injection. CSP is defined on the host webserver and can be further strengthened with the use of the Sub-Resource Integrity (SRI) attribute, which will help identify if a script has been modified.

End users

This article has been all about servers and how to help limit the risks of having an unauthorized cryptocurrency miner running. The other part of the cryptojacking landscape is end-user web browsers.

In the next installment of our series on cryptojacking, learn how to detect and block cryptojacking in-browser attacks.

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.


Loading Comments...