Why Crypto Winter is no excuse to let your cyber defenses falter


Don’t let the ongoing “crypto winter” lull you into a false sense of cyber security. Even as cryptocurrencies lose value—and some crypto companies file for bankruptcy—cryptojacking remains an acute threat to businesses across industries, from financial services to healthcare to Industry 4.0 and beyond.

Roughly speaking, cryptojacking is defined as the unauthorized and illegitimate use of an unwitting party’s computer and/or server power by a malicious actor to mine cryptocurrencies. While anyone with an Internet connection is technically vulnerable to cryptojacking, most attacks target businesses with significant computing resources, especially those with a large number of third-party relationships. (More on that last part in a bit.) And if a malicious actor can breach your cybersecurity defenses for cryptojacking purposes, they can breach them for any number of nefarious reasons.

Under normal conditions, cryptocurrency mining is hugely expensive because it requires enormous amounts of electricity and sophisticated hardware. Cryptojacking shifts those costs onto the victim, so whatever the malicious actors manage to mine turns into pure profit.

For legitimate owners of cryptocurrency, the losses associated with “crypto winter” have been catastrophic. But for cryptojackers, “crypto winter” just means a little less free money than before. The margins are still huge and the incentives haven’t changed. Malicious actors still need access to capital that is largely untraceable – so even in the middle of the crash, cryptocurrencies are still an important asset for them. In other words, don’t expect cryptojacking attacks to slow down anytime soon.

Who is vulnerable to cryptojacking – and why?

The short answer: everyone. The slightly longer answer: companies that are particularly dependent on third parties for their core business. When a bad actor tries to breach your cybersecurity defenses—be it a member of a ransomware gang or a cryptojacker (sometimes they are one and the same)—they’ll always be looking for your weakest link. Often the weakest link is the trust you have placed in a third party, or several third parties.

Not surprisingly, these third parties may also have third parties that they trust, but with whom you have no direct relationship. Because so many businesses are built on these interconnected networks of trust—and sometimes labyrinthine third-party relationship dynamics—weak points tend to spill over, making it easier for a cryptojacker to breach your cybersecurity defenses.

A real-life example of the potential threat third-party relationships pose to corporate security

Fully 70 percent of financial firms that experienced data breaches reported that their particular breach was caused by giving too much privileged access to third-party users. In these cases, more than half did not investigate the security and privacy practices of third parties before doing business with them. Alarmingly, 46 percent do not have an active and comprehensive overview of every third party they have given access to privileged information. It’s hard to know who your enemy is when you don’t even know who your partners are.

Are there steps you can take to avoid getting cryptojacked?

Absolutely. It’s always a good idea—and never a bad time—to conduct a risk assessment to determine your company’s vulnerabilities, especially its weakest link. Again, odds are it will be a third-party relationship. From there, you can deploy endpoint protection to detect whether a cryptominer is running on an individual or server endpoint, which will help remediate the problem. (Of course, it’s always better to catch these problems before being infiltrated. But better late than never!)

Companies can also approach third-party relationships with a functional zero trust policy, which includes strong identity verification; extreme password and secret management; and granting privileged access only to explicitly authorized users. In addition to zero trust, companies can implement systems that only allow users to access systems when they absolutely need that access. This eliminates rule creep and permission creep, ensuring that everyone only has access to what they need and nothing more.

Cryptojacking and other Web 3 attacks aren’t going away anytime soon – but that doesn’t mean your business is defenseless either.

Note – This article was written and contributed by Joel Burleson-Davis, SVP Worldwide Engineering, Cyber at Imprivata.
