Recent campaigns show that cryptojackers remain a point of interest for cybercriminals, despite their popularity waning after crackdowns by law enforcement, fluctuating cryptocurrency values and the shutdown of Coinhive.
This week, Microsoft researchers said threat actors have been launching brute force credential attacks on misconfigured, internet-facing Linux and Internet of Things (IoT) devices in order to take control of the devices and install malware for mining cryptocurrency. And in May, Fortinet researchers found that threat actors were venturing into cryptojacking by deploying a RapperBot variant with cryptominer capabilities.
“Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices,” according to Microsoft researchers in a Thursday analysis.
Cryptojacking involves malware installed on devices, or small bits of code injected into browsers, that surreptitiously steal computer processing resources to mine cryptocurrency. This attack does not damage computers or victims’ data, though targets might notice lagging performance.
Aamir Lakhani, cybersecurity researcher and practitioner with Fortinet’s FortiGuard Labs, said that when it comes to cryptojacking, “there’s absolutely still money to be made, but it’s slower than other methods.” Now, Lakhani said, attackers are refocusing their efforts away from PCs – which can block simple cryptojacking attacks through basic browser security extensions and security software – to target IoT devices, such as home routers, cameras and smart speakers.
“When attackers find large enough targets like IoT devices, cameras, and other (non-PC) devices, they will look for vulnerabilities they can use to start cryptojacking,” said Lakhani. “It is perfect for them because the devices continue to function and in the background they are mining. For example, if you have a camera, as long as you connect and see the camera is working, you’re not going to think anything of it and an attacker [can] continue cryptojacking uninterrupted.”
Microsoft researchers have also observed a similar shift in cryptojacking campaigns where cybercriminals move away from injecting malicious code into the browser and instead abuse legitimate binaries on victims’ machines in an effort to stay persistent. In August 2022, Microsoft said it had seen more than 500,000 machines with malicious cryptojackers on them.