The TTPs used in the IN and the THROUGH phases of the attack may have been indicative for the build-up of a ransomware attack. The way the attackers created persistency and escalated their user privileges is something we typically observe during ransomware investigations. On the other hand, there were no indications of the collection and exfiltration of (large amounts of) company-sensitive data. Exfiltration of this type of data would have been common for a ransomware attack. Nor did we find evidence of ransomware being delivered and installed. The discovery of the sysdaemon.exe binary led us towards the cryptojacking attack. This binary was used to download the XMRig cryptocurrency miner. Also, the PowerShell script found for deploying the miner was specifically intended for this deployment. Finally, we observed some of the miners already actively connecting to a mining pool and eating CPU power. This was the final piece of evidence that confirmed the attackers’ motive.

Why worry about cryptojacking?

As the attack showed, in the case of cryptojacking an attacker illicitly uses the victim’s (cloud) computing resources to mine cryptocurrencies to get the rewards without having to pay the computing fees. Cryptojacking requires the attacker to gain access to the victim’s infrastructure (on premise, or in the cloud) and acquire administrator rights, often by using compromised valid credentials. But, if no company-sensitive data is exfiltrated, and if systems are not being encrypted, why worry about cryptojacking?

First, because cryptojacking is on the rise, and it is moving to the cloud to increase scalability. Cryptojacking broke records in 2023 with more attempts recorded that year than in the entire period between 2018 and the end of 2022^[1]. And from our own observation, cryptojackers will misuse anything they can to create the desired computing power: from CPU’s to graphics processing units (GPU’s), to data processing pipelines, to caching tools, to spinning up their own virtual machines in your IT domain.

But cryptomining is only financially viable when it is done on a significant scale. And because not every network is as large as that of our client in this case, cybercriminals are shifting from infecting end-user machines to targeting cloud services. Recently, we investigated a case where a cryptojacker was spinning up a large number of virtual machines within the Azure subscription of a victim.

Second, because it will drain your CPU or GPU power. This may disrupt your business continuity. Above all, it will cost you money. The abuse of (cloud) computing resources causes financial loss to targeted organisations due to the increase of computing fees. An analysis in 2022 of TeamTNT, a cloud-targeting threat actor specialized in cryptojacking, revealed that for every $1 of Monero (XMR) mining profit by this group, its victims were billed $53^[2]. Cryptojackers prefer to mine Monero, which offers the highest CPU mining returns among cryptocurrencies and is harder to trace on the blockchain. More recently, Microsoft observed targeted organisations losing more than 300.000 euro in computing fees due to cryptojacking attacks^[3]. We even have encountered losses of up to 550.000 euro when responding to cryptojacking cases.

Finally, the fact that your network is being abused for cryptojacking means that an attacker has access to it. When mining cryptocurrencies isn’t viable anymore, the attacker (or other cybercriminals) can choose to change tactics and exploit your network and your data in other ways like ransomware or data theft.

What to do against it?

As is the case with all threats, the risk of cryptojacking attacks can be managed. Below we highlight some controls that once in place, will help to reduce both likelihood and impact.

• Fully implement and control baseline measures like multifactor authentication across all accounts, vulnerability management, update-management, network segmentation and cloud hardening. Keep these measures up to date.
• Assess the risk of cryptojacking for your organisation. Although cryptojacking attacks do not appear to be very targeted, networks with extensive computing resources or with unused Azure subscriptions may be more attractive to cryptojackers.
• Implement Endpoint Detection and Response (EDR) as a tool for identifying anomalous behaviour and breaches.
• Implement health monitoring of CPU usage, as well as cloud cost monitoring (including virtual machines and hypervisors). This would enable you to detect largescale, unusual high CPU usage in a timely manner. Be sure that the rules for these types of monitoring are being monitored themselves as well, so that no threat actor can alter them unnoticed.
• Manage and monitor core quota: Manage the ability for users to increase core quota in your Azure tenant and monitor for suspicious increases as well.
• Monitor and/or block network connections to mining pools. Connections to any mining pool should sound the alarm. Below, we have added a (not exhaustive) list of currently known pools that are frequently used by cryptojackers as indicators of compromise (IOC’s).
• Secure and separate domain administrator accounts. Not only should (global) domain administrator accounts be separated from normal user accounts. On-premise domain administrator accounts should be kept apart from cloud domain administrator accounts as well. Use multi factor authentication and conditional access management where possible and monitor access elevation. Make sure that local domain administrator accounts are not synced to Entra ID, and that Entra ID privileged accounts are cloud-only accounts. This will make it harder for an attacker to hop from your on-premise environment to your cloud domain.
• Create forensic readiness within your IT domain. This entails policy regarding the availability and analysability of data that is relevant for incident response and forensic investigation. For example, retain available network flow logs, deep visibility logs or MFA logs for an adequate period of time.

Conclusion

As our investigations shows, it is always worthwhile keeping different scenarios and hypotheses open when responding to an incident. Cybercriminals will keep looking for (new) ways to monetize entrance to any network.

Although there are indications that cryptojacking is increasing, we assess that from the criminal’s perspective, it is still much less profitable than cybercriminal extortion tactics like ransomware and data leaks. Also, the profitability of cryptojacking depends very much on the Bitcoin and altcoin exchange rates, which are very volatile. But then again: cryptojacking can have a significant financial impact on your organisation, while feeding the wallets of the cryptojackers.

[1] https://blog.sonicwall.com/en-us/2023/08/cryptojacking-continues-crushing-records/

[2] https://sysdig.com/press-releases/sysdig-threat-report-reveals-victims-lose-53-for-every-1-cryptojackers-gain/

[3] https://microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/