Defeat Cryptojacking with Decryption and Inspection
Investors, early adopters, and tech-savvy consumers aren’t the only ones interested in cryptocurrency these days. Cybercriminals are now using ransomware-like tactics and poisoned websites to infiltrate company employees’ computers and secretly harness them for cryptocurrency mining—an exploit called cryptojacking. The implications of these attacks go beyond stolen processing power and undermined employee productivity. Simply by penetrating the target organization’s network, the hackers have shown a gaping vulnerability in its cyber defense capabilities. Designed to escape detection over time, the cryptojacking malware maintains a persistent presence in the company’s environment, posing an ongoing threat to its operations.
Defense against cryptojacking malware depends on many of the same tactics used for protection from ransomware and other malware—in particular, a Zero Trust security model. As with other types of threats, the effectiveness of Zero Trust depends on the organization’s ability to keep malware hidden in legitimate traffic from entering its network. This, in turn, hinges on SSL inspection, a process that can have its own negative impact on performance. To leverage Zero Trust as part of a cyber security strategy against cryptojacking or any other type of malware, companies need to be able to perform decryption, inspection, and re-encryption of network traffic at fast speeds and at enterprise scale, without incurring performance penalties or excessive complexity.
Zero Trust Model is Meaningless Without TLS Inspection
Without dedicated TLS inspection, the Zero Trust model is unable to protect our networks, users and data from threats residing inside and outside the network.
How Cryptojacking Works
The mechanism of cryptojacking is straightforward and simple. Hackers either trick an employee into clicking a malicious email link through a phishing attack, or infect a website or online ad with JavaScript code that executes automatically in the browser when it is visited. Either way, the infected payload is dropped onto the computer and the cryptomining code begins its work, using the victim’s computer to run the complex mathematical problems through which cryptocurrency is mined. In some cases, the cryptojacking software uses worming capabilities to infect other devices and servers on a network.
While attacks such as ransomware are designed to announce their presence and force a response from the victim, cryptojacking scripts keep a lower profile to evade detection. They are carefully calibrated to steal just enough CPU processing resources to do their work, possibly tying up help desk resources with troubleshooting and remediation attempts, without actually raising alarms of a cyber security breach.
A Growing Threat—and a Sign of Greater Vulnerability
While a ransomware or data exfiltration attack can have a more dramatic impact on an organization, cryptojacking can’t be taken lightly either. For one thing, a successful attack shows that hackers have successfully penetrated the company’s cyber security defenses, showing it to be equally vulnerable to other types of malware. Designed for continuous resource theft over time, cryptojacking software also allows cyber criminals to maintain an ongoing presence in the victim’s network, possibly paving the way for more serious damage as cybercriminal tactics continue to evolve.
Meanwhile, cryptojacking continues to prove popular among criminal organizations. As companies become better able to detect and mitigate the impact of ransomware attacks, and less likely to pay a ransom, cryptojacking offers a surer return on effort for hackers—especially given the relatively low-level technical skills required. In some cases, hackers simply re-tool delivery methods previously used for ransomware or adware to deliver cryptomining software to the unsuspecting target. In 2020, some 90 percent of all remote code execution attacks were linked to cryptomining, while cryptojacking has been found to be responsible for 4.32 percent of all Monero cryptocurrency in circulation. According to the European Union Agency for Cybersecurity (ENISA), cryptojacking rose 30 percent between March 2019 and March 2020. Docker, GitHub, and Kubernetes have all proven fertile ground for cryptomining malware.
Reducing Risk with Zero Trust and Traffic Monitoring
Keeping cryptojacking malware out of the network—along with ransomware and every other type of threat—depends on a multilayered cyber security strategy with Zero Trust at its core. As traditional concepts of secured zones, perimeters, and network segments disappear in the era of cloud computing, remote work, and the evolving enterprise architecture, organizations have to be able to protect against attacks from anyone, anywhere—even insiders with legitimate access. With Zero Trust, organizations “trust nobody,” inside or outside the network, and use micro-segments and micro-perimeters, restricted user privileges, multi-layered solution integration, and comprehensive visibility to prevent attacks and detect threats wherever they originate.
Network monitoring plays a central role in Zero Trust. Cryptojacking is relatively easy to detect in unencrypted network traffic, especially as endpoint protection and antivirus software vendors add cryptomining detection to their products. However, the vast majority of internet traffic is now encrypted with SSL/TLS, including over 90 percent of the traffic passing through Google services, with similar levels reported by other vendors. This makes SSL inspection a key element of cyber security against cryptojacking and other malware.
Why Zero Trust Depends on Centralized, Dedicated SSL Inspection
The Zero Trust model depends on full visibility into people and their activities. While widespread encryption has been a boon for data security and privacy, it has also had unintended consequences for cyber security, allowing hackers to hide malware in legitimate network traffic—rendering monitoring solutions and other elements of the network security stack ineffective.
Recognizing this problem, many security vendors have added SSL inspection to their solutions to enable decryption, inspection, and re-encryption of traffic as it enters and leaves the organization. But performing this function in a distributed manner, with separate decryption, inspection, and re-encryption processes, creates network bottlenecks and performance problems that can compromise service quality for business users and customers just as much as cryptojacking malware itself. Meanwhile, the need to deploy private keys in multiple locations across the multi-vendor, multi-device security infrastructure expands the attack surface, increasing risk.
A10 Networks enables organizations to avoid the downsides of distributed SSL inspection through a dedicated, centralized SSL decryption solution. By taking a “decrypt once, inspect many times” approach, A10 Networks Thunder® SSL Insight allows the entire security infrastructure to inspect all traffic in clear text, at fast speeds, without the performance penalties and excess complexity that come with traditional “decrypt once, inspect once.” With this integrated approach, every part of the security stack can do its job more effectively, while IT gains a simpler way to manage the infrastructure as a whole.
By taking a more practical, efficient approach to SSL inspection, organizations can better support the full range of Zero Trust principles, including:
- Performing SSL inspection in a way that allows every device to function in the best way possible
- Enabling comprehensive traffic monitoring and inspection throughout the network environment
- Applying the concept of least-privileged access for each user access decision
- Ensuring that policies are defined and enforced uniformly across the environment and organization
- Making sure that admins have complete visibility into all traffic across the network, informed by data analytics, as well as automation to ensure that systems work more efficiently.