Does China’s Crackdown Mean Curtains for Cryptojacking?
In a move that could affect the frequency with which IoT devices are cryptojacked, China has battened down on financial services linked to cryptocurrency trading.
The news has dampened the price gains from bitcoin’s bull run earlier this year, when it surged to a record high of $63,000 by April 13.
As of mid-June 2021, the world’s most traded digital currency slumped to just $34,700, down from $39,000 one month ago.
Cryptojacking involves criminals mining for virtual money by surreptitiously installing software on IT devices, having been granted permission.
Like many cyberbreaches, enterprise Internet of Things (IoT) is high risk given the prevalence of unmonitored endpoints, always-on devices and user interface-less machines.
“The situation hasn’t improved a whole lot [since the Mirai botnet in 2016],” said Brian Kime, a senior analyst at Forrester who covers security and risk, “IoT devices, especially consumer ones, tend to be unmanaged.
“In the enterprise, even though you often have manageable IoT, a lot of companies forget about it.”
“Devices like printers are notorious for being abused because they’re rarely being monitored and updated.”
Beijing Reloads Crypto Crackdown
In 2017 China’s cryptocurrency trading exchanges were banned, along with initial coin offerings that had also attracted cybercriminal activity.
However foreign crypto exchanges have been used as a workaround and Chinese buyers had been permitted to purchase and spend bitcoin.
Trade was ramping up again given bitcoin’s surge in value, which worried monetary policy-makers amid the rollout of China’s central bank-endorsed alternative: the digital yuan.
Following the announcement, tougher vigilance can be expected on all crypto-related services including account openings, trading and settlements.
In addition, regulated financial companies have been urged to refuse to cash out digital coins into yuan or foreign currency, according to Reuters.
What Is the Correlation With Cryptojacking?
Fundamentally the move can be expected to reduce cryptojacking as the price of bitcoin continues to plummet.
That’s what happened when Beijing initially clamped down on bitcoin trading in 2017, which coincided with the previous global bitcoin bull run.
On that occasion, bitcoin erased roughly 80% of its value from late 2017 through to the end of 2018. It was a true boom-to-bust story, which confirmed the currency’s reputation for volatility.
Cybersecurity pros hope the bust is repeated, as increasing numbers of machines have been jacked since the start of this year.
Malware is also more readily available – customizable packages can be purchased on the dark web, driving deployment onto clusters of connected devices.
It’s part of an ominous trend known as “cryptojacking-as-a-service” (CJaaS), said Tanner Johnson, principal analyst for data security at Omdia.
“I think there is an absolute relationship between the threat of cryptojacking devices and the response from the crypto markets themselves,” Johnson added, “CJaaS is a burgeoning opportunity within the larger crime-as-a-service market.”
“This is likely a big component behind much of the pushback against cryptocurrencies from various regional markets and government alike.”
Total user devices affected by cyberjacking malware rose to 200,045 in March 2021, compared with 187,746 in January, according to media reports, which cited computer virus and cybersecurity firm Kaspersky.
Unique modifications to miner’s code – malware alterations designed to access a new machine or cryptocurrency – rose by more than four-fold during the first quarter of this year, to 16,934.
What Causes Cryptojacking?
It’s the way in which cryptocoins are mined.
Cryptocurrencies such as bitcoin rely on a peer-to-peer digital transaction ledger known as a blockchain, where each transaction is recorded.
Machines use brute force levels of compute to crack the unique numeric signatures, before sending the new coin to its owner.
While ordinary PCs can run crypto mining software, it’s far quicker with dedicated processing capacity, such as a graphical processing unit (GPU.) or application-specific integrated circuits.
Crypto-driven hijackers have reduced overheads as they can hide on potentially dozens of existing machines illegally, without ever footing the electricity bill.
But they require bitcoin to be highly valued. When the value falls, they cede competitiveness to huge clusters of crypto mining computers in China, known as crypto farms.
But China’s renewed attack on bitcoin will shift the paradigm. Already, tech media outlets have reported lower Chinese sales of GPUs.
Other cryptocurrencies may catch on with cybercriminals as an alternative.
Currently bitcoin is the most-adopted cryptocurrency by those looking to transact with digital currency, and that makes bitcoin popular with organized criminals working at scale, Kime said.
But some cryptocurrencies – such as Monero and Zcash – retain the owner’s anonymity even as coin is exchanged through the blockchain ledger. These coins could simplify the process of hiding cash withdrawals for money launderers.
If criminals got behind some of Bitcoin’s rivals in more numbers, then cryptojacking levels might be steadier regardless of bitcoin’s price, making the crime a more consistent threat.
“For the attackers, mining certain cryptocurrencies such as bitcoin on IoT devices becomes challenging since these devices usually do not have the compute power to support the complex hardware requirements for mining,” said Dr. Pranshu Bajpai, Ph.D., a security researcher commenting as an independent field expert, “However, an army of compromised IoT devices along with newer, less compute-intensive cryptocurrencies promises cryptojackers the gains that they are seeking.”
Why Cryptojacking Will Affect the Future
IoT needs robust asset discovery and identification to prevent not just cryptojacking, but the entire spectrum of cyberbreaches, which thrive on accessing personal and enterprise IT networks.
It’s a lesson that should now be rooted into IoT’s development culture. Following the SolarWinds debacle in March, device producers must behave as though they’re custodians to every home, hospital and prison.
“We know that it can affect physical security in IT and marketing, as well as retail and industry, said Kime. “Devices are bought and plugged into the network, without CIO[s] or CISOs necessarily having any visibility into installations and purchases.”
Today, IT pros typically regard cryptojacking as a “medium-level concern,” compared with breaches like ransomware, Kime added.
“But as we improve ransomware and get better at detecting and reducing the impact, then criminals will shift.”
Spotting the telltale signs is one of the unique challenges with cryptojacking. The software doesn’t announce itself like ransomware, but it can nevertheless exhaust above 70% to 80% of processor capacity.
“Because [cryptojacking malware] uses a lot of resources – for one it’s noisy – that’s sometimes how you can identify a breach,” Kime said.
“The system might be lagging, because all of the CPU cycles [in the IoT device] are used for mining. It can also deny services in software that are required for websites, which is another sign for defenders to detect.”
The smart cryptojacker will target stealthy execution, Bajpai added.
“If the cryptojacking attack is well planned and executed, attackers can remain below the radar by limiting the noise. For instance, instead of mining at 100% [processing] capacity, [they can] mine at a lower rate to go by undetected,” he said.
“If the threat has already materialized, then we can assume any implemented defences were evaded and it will be very difficult for even the IT pros to identify until a security tool [receives updates to recognize cryptojacking] or an [IoT] user notices abnormal behavior such as degraded performance.”
Kime’s recommended policy is to keep the cryptojackers at bay even if their software does make it onto an endpoint.
He said zero-trust strategies would help achieve this, by preventing infected devices from communicating with the sender.
Also vital is limiting IP addresses and domain ranges that IoT endpoints utilize, so that all unnecessary networking is blocked.
“Limiting IP addresses and domain ranges is also crucial,” he concluded, “If the device gets compromised, then it will never communicate with threat’s infrastructure, [or potentially] the breach would have been prevented in the first place.”