Inadvertently Making Cybercriminals Rich

A Comprehensive Study of Cryptojacking Campaigns at Internet Scale

Abstract

Cryptojacking, a phenomenon also known as drive-by cryptomining, is the theft of computing power from others for illicit cryptomining. It was first observed as host-based infections with low activity, but the release of an efficient browser-based cryptomining application -- introduced by Coinhive in 2017 -- caused cryptojacking activity to skyrocket in recent years. This novel way of monetizing Web activity attracted both website owners and cybercriminals seeking new ways to profit. Website owners installed a cryptominer on their own domains, while cybercriminals deployed cryptominers in large campaigns spread over numerous domains. Several studies have developed detection methods to identify these browser-based cryptominers on websites, but none of them examined the extent and coordination of the campaigns deployed by adversaries. Furthermore, the prevalence of cryptojacking on websites has not been well estimated yet, and the potentially largest attack vector -- a man-in-the-middle attack -- has never been researched before.
In this thesis, we perform multiple large-scale studies on cryptojacking to fill these gaps. After crawling a random sample of 49M domains, roughly 20% of the Internet, we conclude that cryptojacking is present on 0.011% of all domains and that adult content is the most prevalent category of affected websites. We show that this percentage is significantly larger in the popular part of the Internet. From this we conclude that surveying only domains listed in the Alexa Top 1M to estimate cryptojacking prevalence overestimates the problem. Furthermore, we show that infection rates differ widely between Top Level Domains (TLDs): the Russian zone is home to a disproportionate number of cryptojacking domains, while other large TLDs -- such as .com -- show a significantly lower number of infections.
In another crawl, we identified 204 cryptojacking campaigns on websites, an order of magnitude more than previous work, which indicates that the extent of these campaigns has been heavily underestimated. The results of the two crawls combined reveal that 48% of all cryptojacking activity on websites is organized. The identified campaigns ranged in size from only 5 to 987 websites, and we found that cybercriminals have chosen third-party software -- such as WordPress and Drupal -- as their method of choice for spreading cryptojacking infections efficiently. With a novel method based on NetFlow data recorded in a Tier 1 network, we estimated the popularity of mining applications, which showed that while Coinhive had the larger installed base, CoinImp WebSocket proxies handled significantly more traffic in the second half of 2018.
We report on a new attack vector that drastically overshadows all other cryptojacking activity. Through a firmware vulnerability in MikroTik routers, cybercriminals are able to rewrite outgoing user traffic and embed cryptomining code in every outgoing Web connection. Thus, every Web page visited by any user behind an infected router mines to the profit of the adversaries. Based on the aforementioned NetFlow data, weekly third-party crawls and network telescope traffic, we were able to follow their activities over a period of 10 months. We describe the modus operandi and coordinating infrastructure of the perpetrators, who during this period controlled up to 1.4M routers, approximately 70% of all MikroTik devices deployed worldwide. At the peak of this attack, more than 440K routers were infected concurrently.
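The campaign identification above, and the router-injected miners described in this paragraph, both rest on the same observable: a miner loader on a page carries a site key, and the same key turning up on many unrelated domains is what links those infections to one actor. The following is an added example written for this page, not the thesis's own tooling: it extracts site keys from crawled HTML and clusters domains by key. The crawl output is constructed sample data; the `coinhive.min.js` URL and `CoinHive.Anonymous(...)` call are Coinhive's public API, while the `Client.Anonymous(...)` form is assumed here as a CoinImp-style loader for illustration. The campaign threshold of 5 domains mirrors the smallest campaign size reported above.

```python
import re
from collections import defaultdict

# Constructed sample crawl output as (domain, HTML body) pairs; not data from the thesis.
# "Client.Anonymous" is an assumed CoinImp-style loader used for illustration only.
SAMPLE_PAGES = [
    ("alpha.example", "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                      "<script>var m = new CoinHive.Anonymous('K1aaaaaaaaaaaa'); m.start();</script>"),
    ("beta.example",  "<!-- wp-content --><script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>"
                      "<script>new CoinHive.Anonymous(\"K1aaaaaaaaaaaa\", {throttle: 0.3}).start()</script>"),
    ("gamma.example", "<script>new CoinHive.Anonymous('K1aaaaaaaaaaaa').start();</script>"),
    ("delta.example", "<script>new CoinHive.Anonymous( 'K1aaaaaaaaaaaa' ).start();</script>"),
    ("eps.example",   "<script>\nnew CoinHive.Anonymous('K1aaaaaaaaaaaa');\n</script>"),
    ("zeta.example",  "<script>new CoinHive.Anonymous('K2bbbbbbbbbbbb').start();</script>"),
    ("eta.example",   "<script>new CoinHive.Anonymous('K2bbbbbbbbbbbb').start();</script>"),
    ("theta.example", "<script>var c = new Client.Anonymous('K3cccccccccccc', {throttle: 0.5}); c.start();</script>"),
    ("iota.example",  "<html><body>No miner here.</body></html>"),
]

# Matches the miner constructor call and captures the site key (first argument).
MINER_KEY_RE = re.compile(
    r"new\s+(?:CoinHive|Client)\.Anonymous\(\s*['\"]([A-Za-z0-9_-]{8,})['\"]")


def extract_site_keys(html):
    """Return the set of miner site keys referenced in one HTML document."""
    return set(MINER_KEY_RE.findall(html))


def index_by_key(pages):
    """Map each site key to the sorted list of domains that embed it."""
    domains = defaultdict(set)
    for domain, html in pages:
        for key in extract_site_keys(html):
            domains[key].add(domain)
    return {key: sorted(doms) for key, doms in domains.items()}


def build_campaigns(pages, min_size=5):
    """Keys shared by at least min_size domains; 5 is the smallest campaign size reported."""
    return {key: doms for key, doms in index_by_key(pages).items() if len(doms) >= min_size}


def organized_share(pages, min_size=5):
    """Fraction of infected domains that belong to a campaign (the thesis reports 48% overall)."""
    infected = {domain for domain, html in pages if extract_site_keys(html)}
    in_campaign = set()
    for doms in build_campaigns(pages, min_size).values():
        in_campaign.update(doms)
    return len(in_campaign & infected) / len(infected) if infected else 0.0


if __name__ == "__main__":
    for key, doms in build_campaigns(SAMPLE_PAGES).items():
        print(f"campaign {key}: {len(doms)} domains -> {', '.join(doms)}")
    print(f"organized share: {organized_share(SAMPLE_PAGES):.0%}")
```

On the sample, only the first key reaches the threshold, so one campaign of five domains is reported and five of the eight infected domains count as organized. For pages fetched through a compromised router the same extractor applies unchanged: the injected snippet carries the attacker's key on every page regardless of origin domain, which is why one key across hundreds of otherwise unrelated sites is the signal to look for.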
We found that half of the infected routers are patched within 18 days of compromise, but 30% of the infections last longer than 50 days. Additionally, we observed different levels of sophistication among adversaries, ranging from individual installations to campaigns involving large numbers of routers. Combining the datasets allowed us to link dozens of seemingly unrelated infections to a single actor.
Our analysis of cryptojacking, with its focus on organized campaigns, shows that cybercriminals have successfully discovered a new method for monetary gain. With the discontinuation of Coinhive in March 2019 due to falling Monero prices, the cryptojacking landscape has changed enormously, and it remains to be seen who will fill this power vacuum. As browser-based mining is nowhere near as profitable as it was in early 2018, we believe that singular cryptojacking activity -- by individual website owners -- will decrease. However, we expect adversaries to find ways of deploying cryptojacking at an even larger scale in order to remain profitable. This stresses the importance of researching campaigns, as the reuse of tactics, techniques and procedures in deploying them provides an effective angle for detecting and mitigating these malicious activities. With prices falling throughout 2018, one might expect this problem to eventually solve itself. Apart from the discontinuation of Coinhive, there is no clear indication that this is the case, as Monero prices started to recover in the first months of 2019. If this trend continues, we expect another outbreak of large cryptojacking campaigns, as robust defenses are still not widely implemented.