- BY Ben Ball

Cryptojacking: How DNS Stops Cybercrime’s New Darling

Cryptojacking – the use of remote computing power to mine cryptocurrency – wasn’t always a threat. Just a few months ago, online news outlets openly declared their intention to use the computing power of site visitors to generate Bitcoin, Ethereum, Monero, and other cryptocurrencies as a way to replace lost ad revenue. The incentive is there too; given that Bitcoin mining generates about 12.5 BTC every 10 minutes, or over $80,000 at today’s value, that’s about $4.2bn a year.

Once this idea caught on with criminals, however, cryptojacking quickly morphed into a serious cybersecurity problem and has begun to overtake ransomware as the more attractive alternative. Ransomware dominated as the most prevalent threat over the past few years, but has declined recently in favor of cryptojacking. Ransomware also requires a victim that can afford to or is willing to pay to retrieve their files. With new tools to prevent ransomware or services to decrypt files, and the cost of backup storage decreasing, the success of a ransomware attack has started to become less likely. However, the profit potential with cryptojacking is greater and less likely to be discovered — victims generally just think their computer is running slower. There’s also a lot more simplicity on the cryptojacker’s end – it’s relatively easy for cybercriminals to embed javascript files in websites they compromise.

Now there are stories of entire networks slowing to a crawl as malware mines in the background, devices catching fire because their CPUs are overtaxed, and gaming software serving as a cover for cryptocurrency scams.

The Role of DNS in Cryptojacking

Most filters, firewalls, and ad blockers have been reprogrammed to stop common cryptomining malware and browser extensions like Coinhive. Unfortunately, this hasn’t done much to stop the spread of cryptomining on mobile and other IoT devices, many of which are easily compromised through hard-coded credentials and the use of unsecured public networks.

Finding and eliminating the source of cryptojacking can be difficult – it can be hiding just about anywhere on the network. Yet all cryptojacking attempts do have one thing in common: they have to communicate out.

DNS may be the most reliable way to detect and eliminate cryptojacking at an enterprise level. Filters, firewalls, and ad blockers can stop some communication with remote servers or identify malicious payloads, but often lack insight into the source IP and are unable to deal with infected IoT devices.

With a client-facing DNS security system like DNS Edge, cryptojacking can be easily traced to a source device in real-time and blocked until the device has been cleansed. Perhaps just as importantly, DNS Edge can monitor those devices after remediation to ensure that the malicious activity has stopped.

Mitigating Cryptojacking on a Customer Network

DNS Edge recently helped a BlueCat customer discover and remediate wide-scale cryptojacking on its network. After installing DNS Edge, the customer was able to quickly identify multiple DNS queries of sites associated with known crytojacking software such as Coinhive and Coinimp. The mining operations were highly coordinated and targeted, occurring largely at times of day where use of computing resources were low and the activity was less likely to be discovered.

The customer’s existing firewall settings were able to treat the symptoms of cryptojacking, but not eliminate the underlying problem. The firewall effectively blocked execution of the cryptomining results back to the remote server based on blacklists applied to payload data. Yet the firewall failed to block DNS-based command and control functions, and was unable to identify the source IP of infected devices. The clients were still infected and using up valuable computing resources, even if the results of that compute weren’t making it to the outside internet.

With the comprehensive client-facing logs produced by DNS Edge, the customer was able to quickly associate cryptojacking activity with individual devices and direct its remediation activity accordingly. With the security policy functions of DNS Edge, the customer will be able to disrupt the full range of communication between the cryptojacking software and remote servers.

Staying One Step Ahead

The presence of multiple layers of cryptojacking on the customer network suggests that this is an evolving threat in which malicious actors will use a variety of methods to infiltrate and exploit large networks. Thankfully, the ubiquitous nature of DNS and its central role in exfiltration of cryptomining data allows DNS Edge to quickly identify and mitigate against this growing threat.

Learn more about how to make DNS your first line of defense here.

Ben Ball

Ben Ball is a Government Market Manager at BlueCat, handling business development and marketing outreach in the Federal, State, and local government markets. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.

View more articles by Ben Ball

Continue Reading