
Cryptojacking gained prominence in 2017, when browser-based mining made it possible to exploit other people’s systems to produce cryptocurrency without their permission. Ever since, cloud-native environments have had to be on guard against this threat. But cryptojacking can be an overlooked threat. It’s not a risky unknown, like a zero-day threat. And it’s often easier to focus on known vulnerabilities, like CVEs, rather than the attacks that may stem from those vulnerabilities. But there’s plenty that teams can do to prevent and identify cryptojacking. We’re breaking it down.
What is Cryptojacking?
Cryptojacking is the illegal use of another party’s computing power to mine cryptocurrency — an encrypted, decentralized digital currency used in internet-based transactions.
Cryptocurrencies operate using a digital ledger enforced by a network of computers (or nodes) and are often undergirded by the “real value” of the energy used to create them (for instance, in “Proof of Work” currencies like Bitcoin). That makes mining the coins a resource-intensive process that many seek to bypass.
There’s not just one way to exploit vulnerabilities in software to carry out a cryptojacking attack. Cryptojackers can:
- Exploit unpatched software vulnerabilities, injecting cryptomining malware or scripts
- Engage in phishing attacks to entice users to download malware
- Deploy malware on a website or in ads that visitors download automatically
- Inject compromised code into 3rd-party scripts, libraries, and software dependencies
- Exploit misconfigurations, like default credentials on virtual machines (VMs)
- Exploit public WiFi to attack devices on open networks
Unlike ransomware or data theft, cryptojacking prioritizes stealth, aiming to evade detection while siphoning resources. Nevertheless, teams may suspect they have a cryptojacking issue when they see the following symptoms:
Slower System Performance
This can refer to individual devices, but also enterprise workstations, mission-critical application runtimes, servers, virtual machines (VMs), Kubernetes clusters, or edge computing networks.
Identifying that slowdowns are happening is a core security process that goes beyond spotting cryptojacking. It helps discover one node or VM that’s overburdened while others are underutilized, and it can point to misconfigured workloads, like incorrect resource requests or limits in Kubernetes, that are slowing systems.

Increased Energy Consumption
A rise in the power consumed by computing systems and devices, often beyond levels expected for typical workloads, can also be a sign of security risks beyond cryptojacking, since it can result from misconfigurations like over-provisioning, incorrect thresholds or conditions in auto-scaling, orphaned resources, or runaway scripting.

Overheating Devices
Overheating results from sustained or excessive workloads and can stem from legitimate usage patterns (like running resource-intensive applications) as well as security issues like denial-of-service (DoS) attacks, cryptojacking, or misconfigurations. Overburdened devices are warm to the touch, and the overburden can lead to premature failure if left unchecked. Teams can spot a problem in progress by monitoring data transfer speeds and compute usage.
Higher Cloud or Energy Bills
Unexpected spikes in cloud service charges due to increased use of storage, compute, or bandwidth can all indicate cryptojacking. But as with all energy use anomalies, they can also result from other security issues, from runaway processes to misconfigurations and data exfiltration. In that way, monitoring for cryptojacking by monitoring power use, and setting energy baselines, is simply part of a broader security strategy likely already in play across organizations.
While cryptojacking may not appear immediately or be as critically damaging as attacks on an organization’s data, it’s a significant drain for companies.
According to the U.S. Energy Information Administration, crypto mining represents 0.5 to 2% of energy consumption in the U.S.
Clouds add new instances to handle extra loads, cloud services rise uncontrolled, and daily costs add up to hundreds or thousands of dollars per month. Ultimately, the appeal of cryptojacking lies in the significance of these costs, which spur attackers to utilize others’ resources rather than their own. Further, slow networks and devices hinder daily operations, which comes with its own costs in productivity loss.
Cryptojacking presents a growing risk, with attacks up 657% year-over-year in 2023. Today, teams need to understand the types of attacks and prioritize them alongside their broader security strategies to stay ahead of attackers and secure their own systems from this resource drain.
Runtime and Container Scanning to Detect Cryptojacking with Upwind
Upwind offers runtime-powered container scanning features that help you identify cryptojacking with real-time threat detection, contextualized analysis, remediation, and root cause analysis that’s 10X faster than traditional methods.
Types of Cryptojacking Attacks
Cryptojacking takes many forms, each exploiting different vulnerabilities and attack surfaces to hijack computing resources for unauthorized cryptocurrency mining. This table highlights the key characteristics of the most common types of attacks, each requiring its own defensive approach.
| Type | How it Works | Targets | Impact |
| --- | --- | --- | --- |
| Browser-Based | Malicious JavaScript executed in users’ browsers | User devices | Slower browsing, high CPU usage, overheating |
| File-Based | Malware installed via phishing or downloads mines cryptocurrency | Personal devices, servers | Sustained high resource usage, overheating, hardware damage |
| Cloud Cryptojacking | Exploiting misconfigured cloud environments to run mining workloads | Virtual machines, Kubernetes clusters | Increased cloud bills, degraded legitimate workload performance |
| Insider Cryptojacking | Employees mine cryptocurrency using organizational resources | Corporate servers, data centers | High energy costs, trust issues, and compliance risks |
| IoT Cryptojacking | IoT devices hijacked for distributed mining | Smart devices (e.g., cameras, routers) | Device wear, network congestion, shortened device lifespan |
Browser-based cryptojacking is common since it relies on simple JavaScript code executed in users’ browsers. Many attacks operate entirely in the browser without installing additional code on machines, slowing employee devices for as long as the scripts run.
To counter browser attacks, organizations can deploy tools like runtime protection and browser-based filtering extensions that block suspicious scripts in real time. Ad blockers with cryptojacking-specific filters can also help eliminate risks for organizations with a decentralized workforce.
In environments with heavy web usage (e.g., marketing, journalism, or customer support), Cloud Detection and Response (CDR) tools function to identify traffic patterns consistent with cryptojacking, like persistent CPU spikes or connections to known mining pool domains. Threat intelligence, network traffic analysis, behavioral baselines, and runtime security all play a part.
File-based cryptojacking, which relies on malware delivered through phishing or downloads, needs strong endpoint defenses. Endpoint Detection and Response (EDR) tools are the best bets here for spotting and halting unauthorized file executions. Runtime monitoring adds an additional layer of protection since it identifies abnormal behaviors, including prolonged resource use.
Cloud cryptojacking is one of the most impactful types of attack, leveraging the scale of cloud resources to mine cryptocurrency at a significant cost. Cloud Security Posture Management (CSPM) tools are a first-line defense in prevention; they identify and remediate misconfigurations, including overly permissive identity and access management (IAM) roles and exposed APIs.
But when it comes to detection, CDR tools should be configured to monitor runtime activity and flag any workloads that deviate from expected behavior, such as sustained high compute usage without corresponding traffic justification. Teams should also monitor for sudden billing anomalies, particularly if they work in dynamic cloud environments, deploying auto-scaling or containerized workloads.
Insider cryptojacking poses unique challenges because it exploits legitimate access. However, this type of attack is detectable with behavioral analytics tools that monitor for deviations in resource usage by employees or contractors. For example, an unusually high CPU utilization in non-critical systems during off-hours could indicate unauthorized mining and might raise the alarm where it would otherwise go undetected.
Finally, IoT cryptojacking leverages the weaker security profiles of connected devices, such as smart cameras or routers. Preventive measures work well here: regularly update firmware and enforce strong, unique passwords for all devices. Use lightweight runtime sensors like eBPF to monitor resource utilization and detect anomalous activity indicative of mining, like devices sending unusual network traffic.
Overall, cryptojacking prevention means utilizing different tools and strategies based on the type of attack. Browser-based attacks demand runtime and browser-level protections, file-based threats require endpoint defenses, and cloud cryptojacking needs strong posture management. These differences spur many organizations to deploy comprehensive solutions, like CNAPPs, that offer visibility across posture, runtimes, and networks and handle resources across multi-cloud, hybrid, and on-prem environments.
How do Existing Tools Identify True Threats?
A deeper question isn’t, “Which tools can I use?” but whether those tools can truly differentiate cryptojacking from legitimate high-resource workloads. As a group, CNAPPs are typically better able to monitor cloud-native and containerized environments for cryptojacking with runtime visibility.

Here’s what the identification process looks like for a runtime-powered CNAPP that can correlate runtime insights with real-time traffic and behavioral data.
- Resource Usage Analysis: CNAPPs track resource consumption across cloud workloads. They flag anomalies like unexpected CPU/GPU spikes in environments with typically low resource demands.
- Workload Context: CNAPPs provide insights into the application’s runtime behavior, so it’s easier to distinguish legitimate workloads from cryptojacking. CNAPPs correlate information like container configurations and reconcile processes expected to run in the workload, like database queries.
- Threat Correlation: CNAPPs correlate runtime resource spikes with known cryptojacking behaviors, including outbound connections to mining pools or the deployment of unauthorized containers.
- Cloud-Specific Insights: CNAPPs leverage cloud-native telemetry to detect misconfigurations or unusual activity, such as new compute instances provisioned by unauthorized scripts.
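The correlation described in the list above, and the CDR rule from the cloud cryptojacking section (sustained compute with no matching traffic), as an added example that is not Upwind’s code: constructed per-workload telemetry samples are checked for a CPU streak well above baseline with flat request traffic, and for outbound connections to a (constructed) mining-pool denylist.

```python
from dataclasses import dataclass, field

# Constructed denylist; in practice this would come from threat intelligence feeds.
MINING_POOL_DOMAINS = {"pool.example-miner.test", "xmr.example-pool.test"}


@dataclass
class Sample:
    cpu_pct: float                 # CPU utilisation over one sampling window
    req_per_s: float               # requests served during the same window
    outbound: list = field(default_factory=list)  # destination hostnames seen


def flag_workload(samples, cpu_baseline_pct, min_sustained=3, rps_floor=1.0):
    """Return the reasons a workload looks like cryptojacking; empty list if clean."""
    reasons = []
    # Threat correlation: any connection to a known mining pool is a strong signal.
    pools = sorted({h for s in samples for h in s.outbound if h in MINING_POOL_DOMAINS})
    if pools:
        reasons.append("outbound to mining pool(s): " + ", ".join(pools))
    # Resource usage + workload context: CPU at >= 2x baseline for several
    # consecutive windows while almost no requests are served is unexplained load.
    threshold, streak = 2 * cpu_baseline_pct, 0
    for s in samples:
        if s.cpu_pct >= threshold and s.req_per_s < rps_floor:
            streak += 1
            if streak == min_sustained:
                reasons.append(f"CPU >= {threshold:.0f}% for {min_sustained} windows "
                               f"with < {rps_floor} req/s")
                break
        else:
            streak = 0
    return reasons


def triage(telemetry, baselines):
    """Map each workload name to its list of flag reasons."""
    return {name: flag_workload(samples, baselines[name]) for name, samples in telemetry.items()}


# Constructed sample data: a busy but legitimate API and a hijacked batch worker.
CONSTRUCTED_TELEMETRY = {
    "api-web": [Sample(85, 420), Sample(90, 510), Sample(88, 480), Sample(20, 60)],
    "batch-worker": [Sample(12, 0.0), Sample(97, 0.0, ["pool.example-miner.test"]),
                     Sample(99, 0.0), Sample(98, 0.0, ["pool.example-miner.test"])],
}
CONSTRUCTED_BASELINES = {"api-web": 40.0, "batch-worker": 10.0}

if __name__ == "__main__":
    for name, reasons in triage(CONSTRUCTED_TELEMETRY, CONSTRUCTED_BASELINES).items():
        print(name, "->", reasons or "clean")
```

The high-CPU API stays clean because its load is explained by traffic, which is the workload-context check that keeps a bare CPU alert from becoming a false positive.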
CNAPPs represent a leap forward in distinguishing legitimate workload demand from cryptojacking, but they’re not a silver bullet. If a cryptojacking script mimics legitimate workloads or piggybacks on resource-intensive operations, even CNAPPs may require manual investigation to tell the two apart.
In the end, teams get a boost from correlated data. If not from a CNAPP, they might also consider stand-alone solutions that:
- Integrate multiple tools, like EDR and CNAPP, to monitor endpoints and cloud workloads
- Leverage threat intelligence and keep tools updated so the newest information, cryptojacking signatures, and malicious behavior patterns are detected.
- Employ behavior analysis on workloads, reducing false positives
- Use runtime insights to link high-resource activities with specific processes, configurations, and users.
Upwind Safeguards Cloud Workloads from Cryptojacking
Leveraging runtime-powered container scanning and behavioral analysis, Upwind helps define normal behavior for workloads and identifies when resource use rises unexpectedly and when misconfigurations are exposed to the internet, creating opportunities for cryptojackers. With integrated CDR capabilities, Upwind offers real-time visibility into anomalous processes, unauthorized workloads, and unusual traffic, all signs of cryptojacking attempts. And it contextualizes findings with root cause analysis so teams can trace and remediate vulnerabilities.
With Upwind, organizations can secure their systems against cryptojacking alongside their overall security posture. Schedule a demo to see how.
FAQ
How do crypto miners work?
Cryptocurrency miners perform mathematical computations to validate transactions and add them to a blockchain (the technology that powers cryptocurrency and its ledgers). Those computations are what’s called “mining.” By solving cryptographic puzzles, miners compete for the opportunity to create the next block in the blockchain. When a miner successfully completes a puzzle, they are rewarded with cryptocurrency.
Here are the steps:
- Transaction Verification: Miners verify and bundle pending transactions into a block.
- Puzzle Solving: They solve a computationally intensive cryptographic puzzle (Proof of Work), proving the block is valid.
- Block Addition: The first miner to solve the puzzle broadcasts the solution to the network, which validates it.
- Reward: The miner earns cryptocurrency for contributing to the system.
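The four steps above as an added toy Proof-of-Work example (not from the original article): transactions are bundled into a block header, nonces are tried until the SHA-256 digest starts with `difficulty` zero hex digits, and any node validates the broadcast solution with a single hash. The difficulty value and the block layout are assumptions chosen for illustration.

```python
import hashlib


def _header(prev_hash, transactions):
    # Step 1: bundle the pending transactions behind the previous block's hash.
    return prev_hash + "|" + ",".join(transactions) + "|"


def mine_block(prev_hash, transactions, difficulty=4):
    """Step 2: brute-force a nonce until the digest meets the target.
    Returns (nonce, digest, attempts); attempts grows ~16x per extra zero digit."""
    header, target, nonce = _header(prev_hash, transactions), "0" * difficulty, 0
    while True:
        digest = hashlib.sha256(f"{header}{nonce}".encode()).hexdigest()
        if digest.startswith(target):
            return nonce, digest, nonce + 1
        nonce += 1


def verify_block(prev_hash, transactions, nonce, digest, difficulty=4):
    """Step 3: a receiving node re-hashes once to validate the broadcast solution.
    This asymmetry (many hashes to mine, one to verify) is what makes mining expensive."""
    recomputed = hashlib.sha256(f"{_header(prev_hash, transactions)}{nonce}".encode()).hexdigest()
    return recomputed == digest and digest.startswith("0" * difficulty)


# Constructed sample block; the previous hash is a placeholder value.
PREV_HASH = "00" * 32
TXS = ["alice->bob:1.5", "carol->dave:0.2"]

if __name__ == "__main__":
    nonce, digest, attempts = mine_block(PREV_HASH, TXS)
    print(f"nonce={nonce} attempts={attempts} digest={digest}")
    print("valid:", verify_block(PREV_HASH, TXS, nonce, digest))
```

Step 4 (the reward) is a ledger rule rather than computation, so it is not modelled; the attempt count is the "energy" a cryptojacker offloads onto someone else's hardware.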
What is a crypto worm?
A crypto worm is malware designed to spread autonomously across networks while it installs cryptojacking scripts on infected devices. The goal of a crypto worm is to hijack computing resources for unauthorized cryptocurrency mining, often at scale.
Unlike traditional malware, a crypto worm can self-replicate, propagating without human interaction. It exploits system vulnerabilities, deploys cryptojacking scripts, then scans for other vulnerable devices on the network and replicates itself to infect them.
Crypto worms connect to cryptocurrency mining pools to receive mining tasks and return results.
Which system vulnerabilities are most commonly exploited by crypto worms?
Crypto worms exploit vulnerabilities so they can spread across networks and deploy cryptojacking scripts. Here are some key examples of vulnerabilities:
- Unpatched Software: EternalBlue (SMB) and Log4Shell (Log4j) enabled worms to spread and execute mining scripts.
- Remote Code Execution (RCE): Vulnerabilities like Shellshock let attackers run cryptojacking payloads remotely.
- Misconfigured Cloud Resources: Publicly exposed VMs, weak IAM policies, and open APIs are common targets.
- Weak Credentials: Default or weak passwords in IoT devices and SSH services provide easy access.
- Open Ports: Unsecured ports, such as RDP or Docker APIs, can allow for unauthorized entry.
- Container Vulnerabilities: Misconfigured Kubernetes clusters or privileged containers can be exploited to deploy mining workloads.
Addressing vulnerabilities with proactive patching, proper configurations, and strong access controls can prevent crypto worm attacks before they happen.