Full Report
Cryptojacking may be stealthy, but its impact is anything but. From inflated cloud bills to sluggish performance, it's a threat that companies can't ignore. Learn more from Pentera about how automated security validation can protect your org from these threats. [...]
Analysis Summary
# Tool/Technique: Cryptojacking (General Threat)
## Overview
Cryptojacking is the unauthorized use of a victim's computing resources (CPU, GPU, cloud infrastructure) to mine cryptocurrency (such as Bitcoin or Monero) without the victim's consent. The primary goal is to steal processing power, resulting in performance degradation, increased cloud/energy costs, and hardware strain; it sometimes also serves as a precursor to more severe security incidents.
## Technical Details
- Type: Technique/Threat Category
- Platform: Servers, Cloud Infrastructure (AWS, Azure), Containerized Environments (Docker), Endpoints (via web browsers).
- Capabilities: Unauthorized resource consumption for cryptocurrency mining.
- First Seen: Ongoing threat, surged significantly in 2023 (+659% according to the source).
## MITRE ATT&CK Mapping
As this is a general threat category rather than one specific tool, the mappings cover common initial access and execution vectors mentioned:
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (via compromised websites)
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via malicious files/SVG)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (used in phishing campaigns)
- **TA0011 - Persistence** (implied, as mining software needs to run continuously)
## Functionality
### Core Capabilities
- Draining CPU and GPU resources to perform complex cryptographic calculations for cryptocurrency mining.
- Generating significant, unexpected financial costs, particularly in cloud environments (costing the victim approximately $53 in compute for every $1 of cryptocurrency mined).
### Advanced Features
- Exploiting vulnerabilities in unpatched systems (e.g., Apache servers).
- Targeting modern infrastructure by embedding mining scripts in container images or exploiting insecurely configured resources like exposed Docker APIs (as seen in the Commando Cat campaign).
- Using obfuscated files (like SVG) to bypass initial inspection during phishing attacks.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Cryptomining scripts concealed within normal operations]
- Registry Keys: [Not specified in the text]
- Network Indicators: Unusual connections to cryptocurrency mining pools.
- Behavioral Indicators: Sudden, persistent, and excessive spikes in CPU/GPU utilization across hosts or cloud resources (VMs, containers). High energy consumption.
## Associated Threat Actors
- BianLian ransomware group (used drive-by downloads for spreading cryptomining scripts in 2023).
- Commando Cat campaign (2024, exploited exposed Docker APIs).
- TeamTNT group (Exploited exposed Docker daemons).
## Detection Methods
- Endpoint Protection: Monitoring for unusual spikes in resource consumption.
- Network Monitoring: Analyzing traffic patterns for connections to known mining pool addresses.
- Cloud Monitoring: Using tools like AWS CloudWatch or Azure Monitor to detect sudden jumps in CPU/GPU consumption on virtual machines or containers.
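As an added illustration of combining the behavioral and network indicators listed above (example code written for this summary, not code from the original article or from Pentera), the following Python checks constructed host telemetry for sustained high CPU and for outbound connections to a placeholder mining-pool blocklist or to ports commonly used by the Stratum mining protocol; the host names, pool domain, port list and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the original page): CPU utilisation per
# host at one-minute intervals, and outbound connection records (host, dest, port).
CPU_SAMPLES = {
    "web-01":   [0.12, 0.15, 0.11, 0.14, 0.13, 0.16, 0.12, 0.15],
    "build-07": [0.97, 0.99, 0.98, 0.99, 0.97, 0.98, 0.99, 0.98],
    "batch-03": [0.95, 0.96, 0.97, 0.98, 0.97, 0.95, 0.96, 0.97],
}
CONNECTIONS = [
    ("web-01",   "cdn.example.net",        443),
    ("web-01",   "203.0.113.5",            4444),   # TEST-NET address, constructed
    ("build-07", "pool.example-miner.org", 3333),
    ("batch-03", "storage.example.net",    443),
]
# Placeholder blocklist; a real deployment feeds this from threat intelligence.
MINING_POOL_HOSTS = {"pool.example-miner.org"}
# Ports commonly used by Stratum mining pools; a weak signal on its own.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

def sustained_high_cpu(samples, threshold=0.90, min_consecutive=5):
    """True when CPU stays at or above threshold for min_consecutive samples in a row."""
    run = 0
    for value in samples:
        run = run + 1 if value >= threshold else 0
        if run >= min_consecutive:
            return True
    return False

def detect_cryptojacking(cpu_samples, connections, pool_hosts, stratum_ports):
    """Return {host: [reasons]} for every host with at least one indicator."""
    findings = defaultdict(list)
    for host, samples in cpu_samples.items():
        if sustained_high_cpu(samples):
            findings[host].append("sustained_high_cpu")
    for host, dst, port in connections:
        if dst in pool_hosts:
            findings[host].append(f"known_mining_pool:{dst}")
        elif port in stratum_ports:
            findings[host].append(f"stratum_port:{port}")
    return dict(findings)

def high_confidence(findings):
    """Escalate only when a resource indicator and a network indicator agree.
    A lone CPU plateau (batch-03) is normal for legitimate batch jobs, and a lone
    odd port (web-01) is too weak to page on; build-07 shows both."""
    return sorted(h for h, r in findings.items()
                  if "sustained_high_cpu" in r and len(r) > 1)
```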
## Mitigation Strategies
- Employing robust, up-to-date Endpoint Security solutions for real-time monitoring.
- Implementing rigorous Network Monitoring to watch for connections to mining infrastructure.
- Configuring Cloud Monitoring tools to alert on abnormal resource utilization.
- **Continuous Security Validation:** Regularly testing defenses by safely emulating cryptojacking malware and attack techniques to find and close security gaps.
## Related Tools/Techniques
- General Malware/Exploits used for initial access (Vulnerability exploitation on Apache servers, compromised websites).
- LLMjacking (Mentioned in passing in one linked article context, although not detailed here).