Cisco Reveals the Economics of Crypto-Currency Mining Attacks

A detailed report from the Cisco Talos research team provides insights into the methods used by attackers to generate profits with unauthorized crypto-currency mining campaigns.

Monero XMRig

Unauthorized crypto-currency mining attacks, sometimes referred to as "cryptojacking" have become an all too common occurrence in recent months.  A report released on Jan. 31 by Cisco's Talos research group sheds some light on the tools and techniques used in crypto-currency mining attacks.

The report also reveals how profitable the top crypto-mining operations could be. Cisco Talos estimates in the report that the earnings from the top five Monero cryptocurrency mining campaigns could potentially total $1.18 million dollars over the course of a year.

The report focuses on attacker tools that aim to mine the Monero crypto-currency, that is also known by the notation XMR. New crypto-currency is created via a complex computational routine that is performed by participating computing systems, known as miners, that process code as part of a mining pool. However, mining Monero is possible on regular systems that only have a CPU and lack a GPU.

Individual miners make use of a "Worker ID" that helps to direct payment to a given crypto-currency wallet. Cisco Talos was able to track different Worker IDs to provide an estimate of the hashing capacity and potential profit that attackers are making from surreptitious crypto-currency mining that use other people's computers without compensation. The primary function that determines how much a crypto-currency miner will make is the hash rate. The average hash rate for the top five malicious Monero mining campaigns reported by Cisco Talos totalled 1.6 MH/s (mega hashes).

One of the campaigns that the Cisco Talos report details involved attackers exploiting a known Oracle WebLogic vulnerability identified as CVE-2017-10271 that was first patched by Oracle in October 2017. A report released on Jan. 8 by ISC SANS found that attackers were able to mine 611 XMR which was worth approximately $226,00 at the time, thanks to unpatched servers.

Cisco Talos' analysis found an attacker that was potentially able to mine 654 XMR by exploiting the CVE-2017-10271 vulnerability. The Oracle WebLogic based crypt-ocurrency mining attack pool had a hashing rate that ranged from 350 KH/s up to a high of 500 KH/s.

"The attack actually started in December 2017," Cisco Talos Threat Researcher, Nick Biasini told eWEEK. "In regards to the total payout to the wallet, it is possible that the Worker ID was established and mining was taking place independently of this specific attack."

Miner Delivery Methods

There are several different ways that an attacker can get an unauthorized crypto-currency miner working on a victim's system. Among the most common is tricking the user into downloading or executing a payload, that includes a version of the XMRig Monero mining software. Another method is to make use of JavaScript running inside of a web browser, which is how the Coinhive mining service works. There is also a hash rate differential between individual XMRig and Coinhive miners

"You will generate a much lower hash rate using something like Coinhive, but if you have millions of systems mining at a time it could generate the same or more revenue," Biasini said. "It also largely depends on how long each system is connected to the page that is performing Coinhive mining."

Calculating the typical hash rate for Coinhive, in-browser based mining operations is a difficult task. Biasini noted that some systems have more resources than others, which changes the hash rate. He added that there are many factors that must be considered like number of visitors to the page performing the in-browser mining and the duration of the visit to the page performing the in-browser mining. 

What Should Users Do?

There are multiple actions that can be taken to help limit the risk of unauthorized crypto-currency mining. For miners to operate successfully, they typically need to be part of a larger mining pool, which is where malicious mining could potentially be spotted and blocked.

"We did come across pools where the Worker IDs had been blocked due to the detection of botnet activity," Biasini said. For miners to operate successfully, they typically need to be part of a larger mining pool, which includes legitimate mining traffic. There is the potential for mining pool operators to identify and block the malicious mining activity.

For enterprises, there are also actions that can be taken to help reduce crypto-currency mining activities. Biasini suggests that organizations monitor or block access to the mining pool domains, which would allow organizations to detect repeated attempts to contact the pools from systems within their environments. 

"We have observed mining software reaching out to pools using specific ports, which could be monitored as well," Biasini said. "Additionally, monitoring for anomalous system resource usage would also provide early indication that systems are being used for mining."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.