How cryptojacking came to be, what to watch out for, and how Citrix can help you avoid it like the plague!

Cryptojacking targets both endpoints and servers – both on-premises and in the cloud. The goal is the same: enslave a massive botnet of devices and harness CPU cycles to mine cryptocurrency with minimal cost or investment. I briefly introduced the concept in the previous Digital Vikings blog post and the threat has grown month after month, likely coinciding with the run-up in the crypto market. We’ll look at crypto mining and at some mitigations to prevent and detect digital parasites from leeching CPU cycles for months or even years, generating cash for its owners all the while.

Primitive infectious organisms kill their host, gaining a one-time benefit: replication. But the more advanced ones feed on their hosts. These biological parasites live in or on a host organism and siphon nutrients at the host’s expense. Their main function is to leech from the host, not destroy it. Similarly, in the digital world, parasites don’t delete, encrypt, or ransom data; they siphon off compute resources – preferably undetected. Compute resources are a valuable commodity in the world of crypto-mining. Crafty adversaries driven by the opportunity of financial gain are weaponizing crypto mining to exploit the digital currency boom. This stealthier malware phenomenon called cryptojacking is becoming a popular payload since it’s an effective way to generate revenue with a lower chance of detection. The goal is to run undetected – stealing CPU cycles – essentially becoming a digital parasite.

For example, Coinhive – a website-based crypto miner that has the slogan “Monetize Your Business With Your Users’ CPU Power” – has been discovered hijacking user connections in a café in Argentina and online video sites. A European water utility was also hit by crypto mining – critical ICS and SCADA systems. If those critical systems aren’t enough – how about Russian supercomputers used for simulating nuclear weapons designs? Not even regulatory agencies such as the UK’s ICO are spared. Finally, some websites are using crypto mining as an alternative to advertising banners and pop ups – this can be an opt-in approach at monetization that is interesting to see develop.

Digital Gold Rush

For context – let’s take a brief look at what mining means in terms of crypto. Cryptomining is an intensive process – consistently running mathematical calculations that keep processors at 100% usage. Professional miners make a large upfront investment in specialized hardware and infrastructure (hosting, cooling, etc.) Then there are recurring electricity costs, maintenance, and staff. It’s a substantial investment to get ROI and become profitable, but cryptojackers reap the reward of crypto mining by herding botnets of compromised machines, collectively stealing CPU cycles and leaving end users with reduced performance while inflating the cost of electricity, both on-premises and in the cloud where elastic resources are priced on usage.

In the earliest days of crypto, Bitcoin mining was done with CPUs from desktop computers. As more miners came online, the difficulty level adjusted so that running multiple graphics processing units (GPUs) became more effective at mining. Next came specialized chipsets or ASICs designed specifically for mining Bitcoin – these are getting smaller and more efficient. To increase the chances of payout, multiple miners join pools in which they are compensated based on their contribution of compute resources or hash power. For Bitcoin, mining using CPUs, GPUs, or even the older ASICs will never reach ROI – the cost of energy consumption is greater than the revenue generated. With exceptions, mining Bitcoin tends to be limited to larger operations where the cost of energy is low – hydro power or subsidized power are attractive – China, Sweden, Iceland and the State of Washington among others.

But a large number of “altcoins” running different protocols and with lower difficulty levels have grown in popularity. These include Ethereum and Monero, among hundreds of others. While some alts have unique utility or functionality, they mainly provide a more lucrative opportunity to profit from mining (and cryptojacking) as they can be traded for Bitcoin. Monero is a favorite among mining botnets, where a couple thousand compromised systems can mine several hundreds of thousands of dollars a year. It’s not all dark and gloomy, crypto mining is great learning opportunity as well. Case in point is our very own Steve Wilson who embarked on a business and technology project with his daughter. How many experiments teach about blockchain, operating efficiencies, and equipment depreciation?

Digital Parasites

Endpoints are targeted through the web browser – a telltale symptom is sluggishness, high CPU usage, and the whine of maxed-out RPM on the cooling fans. An example is a finding by independent security researcher William DeGroot, who “believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero.” Another variant is a “drive-by” cryptojacking – where a hidden and persistent popup hangs around even after closing the site.

Mobile devices and gadgets are also susceptible, even more so since the mining scripts can run in the background or are more difficult to identify. One example is the Android variant named ADB.Miner. It typically runs on rooted devices using the same scanning code as the Mirai botnet -using the same techniques to search for open and accessible devices. If successful, the malware proceeds to infect them and mine Monero while spreading to more devices. Mobile apps such as Minergate Mobile and dozens of others have been available since 2016 – downloadable right off the internet. Weaponized variants are typically installed on rooted or jailbroken devices or potentially on the hundreds of thousands of apps removed from the app stores.

Server-side attacks are the same as previous botnets – but retooled. Instead of pharma mail spam, ransomware, or DDoS attacks – the bots host apps like Minergate and Smominru. The apps run surreptitiously and regularly while checking in with the mining pool hosts in order to get new blocks and validate work. The payload may come in through via spam emails that contain attachments such as malicious Word documents. A common vector is RDP enabled internet facing servers with weak passwords and no multifactor authentication. Tools like Shodan clearly show how pervasive internet facing servers are. Tools that sniff all ports for RDP listeners – make quick work of security through obscurity of changing RDP ports. Using brute force dictionary attacks, it’s only a matter of time before simple passwords are cracked. Once they are in, expect that backdoor accounts and backup access methods are deployed. As with other attacks, server side cryptojacking can be more complex and more complicated once it spreads. If the attacker gets access to the infrastructure, he or she may provision additional servers – in cloud environments, expect to see new servers with high end specs and cost.

A more recent cryptojacking attack is WannaMine. As described by CrowdStrike: “WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry. It’s fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus.” As discussed in Martin Zugec’s blog post, blocking the EternalBlue exploit used to deliver the WannaCry ransomware and fileless attacks have been possible with Bitdefender HVI and Citrix XenServer since day one.

Back to the basics… but smarter

Defending against cryptojacking requires a holistic approach and building a security architecture with a secure digital perimeter. The approach must focus on prevention as well as detection. Citrix has partnered with multiple security companies that enhance endpoint, network, server, and cloud protection. Secure Web Gateway protects browsers by preventing access to malicious websites and malware – by integrating with NetStar to inspect the incoming payload and block as needed. Additionally, for exploit delivered payloads – integrations with Bitdefender provides Hypervisor Introspection for XenServer. For mobile endpoints, XenMobile’s integration with Symantec Endpoint Protection Mobile (formerly Skycure) is stopping the exploits before the payload is delivered.

XenMobile-Managed Devices

Managed devices benefit from XenMobile’s capability to detect rooted devices – taking a variety of action including notifying an admin, blocking apps, and selective wipe. If using MAM only, then MDX enabled apps like Secure Web can check and choose not to run. Additionally, Secure Web can be configured to block sites known to propagate malware allowing only Secure Web Domains (URL Whitelist).

Secure Browser and Secure Web Gateway

A longstanding Citrix recommendation for browsers published through XenApp is to disable scripting when feasible- javascript, flash, java, and other active content. For enterprises, delivering a locked down Secure Browser as a service can help reduce the attack surface by blocking the mining scripts as well as blocking the periodic callbacks to the mining pools – which are the command and control for crypto mining. Secure Web Gateway is the forward proxy to combine with XenApp’s Secure Browser and XenMobile’s Secure Web app.

Internet Accessible servers (RDP Proxy)

On the server and cloud side, the focus really needs to be on limiting exposure and guarding the administrator passwords, since software controls and whitelists will simply be bypassed once the attacker has administrator access. Complex passwords and multifactor authentication are fundamental, but often ignored for ease of use. This is reflected in the 2017 Verizon DBIR where “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” To limit exposure – specifically for RDP – I recommend an RDP Gateway. This can be done with Citrix NetScaler Gateway, which is an RDP Proxy that adds not only multifactor authentication, but SmartAccess with end point analysis, as well. For example, the endpoint is scanned for a device certificate to demonstrate that it is a managed endpoint, assigning it a higher trust level. NetScaler MFA also has integration with Azure AD for hybrid deployments.

Analytics and Detection

A critical component is early detection -of CPU spikes above normal range – typically sustained. IT Operations should have defined CPU thresholds and analytics with alerts sent to admins when the CPU usage rises above the threshold. A couple of side notes here are that the alerts should disregard the process names – the digital parasite wants to remain undetected and can be disguised to be a system service or process. Secondly, more devious adversaries will tune down the CPU leeching to not stand out as dramatically – effectively flying under the radar. Establishing a baseline and identifying aberrations quickly is the goal.

Once detected – restoring the server to a golden image makes the process easier – local backdoor accounts, services, other changes can be undone. Special attention should be given if super user accounts have been compromised – in which case the attacker may bake in the malware to the golden image. For both on premises and cloud environments, a regular, automated and notification enabled inventory check is critical. It should look for unexpected machines – especially large ones with high number of CPUs.

Protecting against cryptojacking is very much the same as protecting against other malware – however, we are looking for different symptoms and long-term effects in hardware wear and tear, user performance degradation and loss of scalability. Higher costs in electricity or cloud usage are both more intermediate financial symptoms. Stay vigilant even if there are no demand notes or immediate indicators of compromise.

Further reading on Citrix Secure Browsing – powered by Citrix XenApp, Citrix XenServer Direct Inspect APIs and Bitdefender HVI.


Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more TechBytes and subscribe.

Want specific TechBytes? Let us know! tech-content-feedback@citrix.com