Yes, We Used a Router to Fry an Egg and Here’s Why

If chef Gordon Ramsay ever finds himself short of pots and pans, he can always whip up a quick meal with the help of a router.

That’s what we did at Black Hat USA 2018 at the Mandalay Bay Convention Center in Las Vegas this week, frying an egg on top of a generic router at the Symantec booth. It took about 10 minutes to get an egg to sizzle on top of a dangerously hot piece of hardware. While our team didn’t convince any passersby to trade in their favorite grills, there was a serious purpose behind our fun simulation.

We were on hand to show one of the more dramatic consequences of being cryptojacked. Cryptojacking is an attack where a cyber criminal hijacks your machine – PCs, cloud-based servers, smartphones and IoT devices – in order to use the processing power without your permission to mine for cryptocurrency. What was important to demonstrate with our simulation was to visually show why everyone should take cryptojacking seriously. While most users may be unaware about the heat that a device can generate through cryptomining, the temperatures can be painfully hot to the touch. Indeed, the generic router we used in our tests reached 150 degrees Fahrenheit. That’s hot enough to cook not just eggs, but also meat, poultry and fish.

Cryptojacking affects both consumers and enterprises, and our simulation was meant to educate everyone on the dangers associated with this emerging threat. Attackers are using your electricity and resources without you knowing and they’re profiting from it.

For consumers, malicious cryptominers can slow devices, overheat batteries, and in some cases, render devices unusable. For enterprises, malicious cryptominers can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost.

A Threat Long in the Making

To understand cryptojacking, one must understand the origins of cryptomining, which refers to the practice of using a device’s computing power to solve a predetermined math problem and earn a piece of cryptocurrency.

Some trace the cryptomining phenomenon to the 2011 release of Bitcoin Plus, which deployed JavaScript code for pooled mining. Fast-forward to today, and website owners are signing up for the service and then embedding mining scripts into web pages and network traffic to make page visitors mine for them. The subsequent debut of a cryptocurrency called Monero also contributed to the popularity of cryptomining. Monero was designed to be mined on low-powered devices and could work inside of a web browser without needing special software.

By the latter part of 2017, though, cryptomining boomed as the price of popular cryptocurrencies, such as Bitcoin and Ethereum, skyrocketed. There was money to be made, the price of entry was negligible and the ability to fly under the radar made it a prized weapon for attackers. Enter cryptojacking.

And, as Symantec’s 2018 Internet Security Threat Report (ISTR) explains, consumers and enterprises should prepare for even more attacks. Here’s why:

• Low barrier to entry: Symantec observed an 8,500 percent increase in cryptojacking attacks last year. You don’t need a lot of technical skill. It only requires a couple lines of code to operate a malicious cryptominer.
• IoT devices are ripe targets for exploitation: Symantec found a 600 percent increase in IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse.
• Macs are not immune: In 2017, Symantec detected an 80 percent increase in cryptojacking attacks against Mac OS. By leveraging browser-based attacks, cyber criminals do not need to download malware to a victim’s Mac to carry out cyber attacks.

Worst-Case Scenarios

So, what could go wrong? A lot.

As attackers leverage infected systems for cryptojacking, they increase the stress put on servers and endpoints, including telephones, switches and routers.

And while cryptojacking is thought of as an attack affecting consumers, cyber criminals have moved to the targeting of enterprises. By spreading though a corporate network, attackers can compromise hundreds of powerful machines and potentially make a bigger profit.

Imagine a data center full of machines overheating. It may not be equipped to handle devices that reach 100 percent utilization in mere seconds. Most data centers were not designed to run at maximum 24x7 capacity. Malicious cryptominers put massive amounts of wear and tear on units that were not built to handle that sort of workload. Not to mention the increased risk in interrupted business operations.

It’s not hard to imagine that even if 20 percent of a large data center was taken over by malicious cryptominers, it could mean cascading outages due to loss of cooling capacity or even power. Unfortunately, many devices that wind up deployed in network environments get insufficient attention when it comes to security features, such as thermal overload protection. So, when these devices get shoved into corners without adequate air circulation, there are higher odds of melting down.

Besides the heightened risk of overheating and malfunctions occurring with devices that are cryptojacked, consider how consumers might be impacted if a cell phone is now working at maximum capacity around the clock and becomes unresponsive. Imagine what happens when there’s an emergency requiring you to dial 911. If your phone isn’t immediately responsive or needs a reboot, what then? Or imagine a device in your purse or pocket that’s hot enough to cook an egg. Those scenarios have potentially dangerous implications for consumers. 

Consumers also need to consider that their laptops and desktops, as well as their mobile and IoT devices are some of the most popular targets for cryptojacking. Browser-based cryptominers (which involves coinmining on a web browser) can generate around 1 cent per 24 hours, whereas file-based cryptominers (which involves downloading and running a dedicated executable file on your computer) can generate 25 cents per day. This means a botnet of 10,000 infected machines can generate up to $75,000 per month. Of course, the amount of money generated fluctuates with the price of cryptocurrencies.

A cryptocurrency miner is not a virus and it’s not malware. It’s the way it could be used that turns it malicious.  Many people engage in the activity legally. But some may fall to the temptation of using “spare” company resources, failing to connect the dots and understand the ramifications of cryptojacking. They may not feel that they’re doing anything wrong by stealing processing power of a device, just as in the past many people didn’t believe they were stealing music when they were illegally downloading MP3 files from Napster. But if someone’s cryptojacking, they’re still putting wear and tear on that machine and shortening its longevity.

Or, in our case, frying an egg.

Best Practices

To make sure your devices aren’t compromised, we recommend the following:

Consumers:

• Install a strong internet security software suite to help protect against cryptojacking threats as well as phishing attacks, malicious attachments and links.
• Educate yourself on cryptojacking and consider installing ad-blocking or anti-cryptomining extensions on web browsers for an extra layer of protection against potentially unwanted applications (PUA). As always, be sure to remain wary of phishing emails, unknown attachments, and dubious links.
• Install the latest patches on your devices, use strong passwords and enable two-factor authentication.

Enterprises:

• Know your environment. Be aware how frequently end users report slow performance. React and investigate for miners if complaints increase.
• Defend web servers to prevent an attacker from adding Coinhive-style mining scripts to your websites.
• Apply all available vendor patches. Many miners that gain entry to an organization can move and execute by exploiting vulnerabilities for which patches already exist.
• Monitor network logs (IPS logs, DNS logs, firewall logs) for suspicious outgoing connections to mining-related IP addresses. Block these addresses at the corporate firewall, and consider suspicious any computer that continues to access those addresses.
• Lock down RDP access and frequently replace all user passwords—especially users with admin access—with new, strong passwords.
• Run a recent release of PowerShell (5 or higher), and configure it to log detailed activity.
• Secure your computers' built-in Windows Management Instrumentation (WMI). Attackers, including those seeking to mine coins, increasingly abuse this technology. Administrators should consider creating Group Policy Objects (GPO) or firewall rules to prevent unauthorized remote WMI actions, and perhaps control access by user accounts. See Microsoft's guidance in Maintaining WMI Security.