International Cyber Expo International Cyber Expo
  • About Us
Monday, 13 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

How cryptojacking came to be, what to watch out for, and how Citrix can help you avoid it like the plague!

by The Gurus
February 16, 2018
in This Week's Gurus
Share on FacebookShare on Twitter

Cryptojacking targets both endpoints and servers – both on-premises and in the cloud. The goal is the same: enslave a massive botnet of devices and harness CPU cycles to mine cryptocurrency with minimal cost or investment. I briefly introduced the concept in the previous Digital Vikings blog post and the threat has grown month after month, likely coinciding with the run-up in the crypto market. We’ll look at crypto mining and at some mitigations to prevent and detect digital parasites from leeching CPU cycles for months or even years, generating cash for its owners all the while.

 

Primitive infectious organisms kill their host, gaining a one-time benefit: replication. But the more advanced ones feed on their hosts. These biological parasites live in or on a host organism and siphon nutrients at the host’s expense. Their main function is to leech from the host, not destroy it. Similarly, in the digital world, parasites don’t delete, encrypt, or ransom data; they siphon off compute resources – preferably undetected. Compute resources are a valuable commodity in the world of crypto-mining. Crafty adversaries driven by the opportunity of financial gain are weaponizing crypto mining to exploit the digital currency boom. This stealthier malware phenomenon called cryptojacking is becoming a popular payload since it’s an effective way to generate revenue with a lower chance of detection. The goal is to run undetected – stealing CPU cycles – essentially becoming a digital parasite.

 

For example, Coinhive – a website-based crypto miner that has the slogan “Monetize Your Business With Your Users’ CPU Power” – has been discovered hijacking user connections in a café in Argentina and online video sites. A European water utility was also hit by crypto mining – critical ICS and SCADA systems. If those critical systems aren’t enough – how about Russian supercomputers used for simulating nuclear weapons designs? Not even regulatory agencies such as the UK’s ICO are spared. Finally, some websites are using crypto mining as an alternative to advertising banners and pop ups – this can be an opt-in approach at monetization that is interesting to see develop.

 

Digital Gold Rush

 

For context – let’s take a brief look at what mining means in terms of crypto. Cryptomining is an intensive process – consistently running mathematical calculations that keep processors at 100% usage. Professional miners make a large upfront investment in specialized hardware and infrastructure (hosting, cooling, etc.) Then there are recurring electricity costs, maintenance, and staff. It’s a substantial investment to get ROI and become profitable, but cryptojackers reap the reward of crypto mining by herding botnets of compromised machines, collectively stealing CPU cycles and leaving end users with reduced performance while inflating the cost of electricity, both on-premises and in the cloud where elastic resources are priced on usage.

 

In the earliest days of crypto, Bitcoin mining was done with CPUs from desktop computers. As more miners came online, the difficulty level adjusted so that running multiple graphics processing units (GPUs) became more effective at mining. Next came specialized chipsets or ASICs designed specifically for mining Bitcoin – these are getting smaller and more efficient. To increase the chances of payout, multiple miners join pools in which they are compensated based on their contribution of compute resources or hash power. For Bitcoin, mining using CPUs, GPUs, or even the older ASICs will never reach ROI – the cost of energy consumption is greater than the revenue generated. With exceptions, mining Bitcoin tends to be limited to larger operations where the cost of energy is low – hydro power or subsidized power are attractive – China, Sweden, Iceland and the State of Washington among others.

 

But a large number of “altcoins” running different protocols and with lower difficulty levels have grown in popularity. These include Ethereum and Monero, among hundreds of others. While some alts have unique utility or functionality, they mainly provide a more lucrative opportunity to profit from mining (and cryptojacking) as they can be traded for Bitcoin. Monero is a favorite among mining botnets, where a couple thousand compromised systems can mine several hundreds of thousands of dollars a year. It’s not all dark and gloomy, crypto mining is great learning opportunity as well. Case in point is our very own Steve Wilson who embarked on a business and technology project with his daughter. How many experiments teach about blockchain, operating efficiencies, and equipment depreciation?

 

Digital Parasites

 

Endpoints are targeted through the web browser – a telltale symptom is sluggishness, high CPU usage, and the whine of maxed-out RPM on the cooling fans. An example is afinding by independent security researcher William DeGroot, who “believes all of the 2,496 sites he tracked are running out-of-date software with known security vulnerabilities that have been exploited to give attackers control. Attackers, he said, then used their access to add code that surreptitiously harnesses the CPUs and electricity of visitors to generate the digital currency known as Monero.” Another variant is a “drive-by” cryptojacking – where a hidden and persistent popup hangs around even after closing the site.

 

Mobile devices and gadgets are also susceptible, even more so since the mining scripts can run in the background or are more difficult to identify. One example is the Android variant named ADB.Miner. It typically runs on rooted devices using the same scanning code as the Mirai botnet -using the same techniques to search for open and accessible devices. If successful, the malware proceeds to infect them and mine Monero while spreading to more devices. Mobile apps such as Minergate Mobile and dozens of others have been available since 2016 – downloadable right off the internet. Weaponized variants are typically installed on rooted or jailbroken devices or potentially on the hundreds of thousands of apps removed from the app stores.

 

Server-side attacks are the same as previous botnets – but retooled. Instead of pharma mail spam, ransomware, or DDoS attacks – the bots host apps like Minergate and Smominru. The apps run surreptitiously and regularly while checking in with the mining pool hosts in order to get new blocks and validate work. The payload may come in through via spam emails that contain attachments such as malicious Word documents. A common vector is RDP enabled internet facing servers with weak passwords and no multifactor authentication. Tools like Shodan clearly show how pervasive internet facing servers are. Tools that sniff all ports for RDP listeners – make quick work of security through obscurity of changing RDP ports. Using brute force dictionary attacks, it’s only a matter of time before simple passwords are cracked. Once they are in, expect that backdoor accounts and backup access methods are deployed. As with other attacks, server side cryptojacking can be more complex and more complicated once it spreads. If the attacker gets access to the infrastructure, he or she may provision additional servers – in cloud environments, expect to see new servers with high end specs and cost.

 

A more recent cryptojacking attack is WannaMine. As described by CrowdStrike: “WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It also propagates via the EternalBlue exploit popularized by WannaCry. It’s fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block it without some form of next-generation antivirus.” As discussed in Martin Zugec’s blog post, blocking the EternalBlue exploit used to deliver the WannaCry ransomware and fileless attacks have been possible with Bitdefender HVI and Citrix XenServer since day one.

Back to the basics… but smarter

 

Defending against cryptojacking requires a holistic approach and building a security architecture with a secure digital perimeter. The approach must focus on prevention as well as detection. Citrix has partnered with multiple security companies that enhance endpoint, network, server, and cloud protection. Secure Web Gateway protects browsers by preventing access to malicious websites and malware – by integrating with NetStar to inspect the incoming payload and block as needed. Additionally, for exploit delivered payloads – integrations with Bitdefender provides Hypervisor Introspection for XenServer. For mobile endpoints, XenMobile’s integration with Symantec Endpoint Protection Mobile (formerly Skycure) is stopping the exploits before the payload is delivered.

Tags: CybersecurityTechnology
ShareTweet
Previous Post

Lackadaisical Employee Attitudes to Cyber Security are the Biggest Risks to Enterprises

Next Post

The Destructive nature of North Korean Cyber-Attacks

Recent News

UK Cyber Attacks Climb 34% as Ransomware Leadership Shifts, Check Point Research Reveals

July 13, 2026
Cyber Shield

UK Government Unveils AI Powered Cyber Shield to Strengthen National Cyber Defense

July 10, 2026
KnowBe4 phishing by industry

Healthcare, Hospitality and Construction Named UK’s Most Phishing-Prone Industries

July 10, 2026
hand typing on keyboard

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

July 9, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol