Aditya Birla Group Hit by Cryptojacking Attack
Attack Infects 2,000 Computers; What Can Others Do to Mitigate Risks?
Aditya Birla Group, one of the largest conglomerates in India, has been cryptojacked, with more than 2,000 computers of various companies within the group affected, the Economic Times reports.
Cryptojacking is the covert use of a victim's computing resources to mine cryptocurrency, typically through mining scripts planted on compromised websites and executed in visitors' browsers (see Cryptojacking: Mitigating the Impact).
The attack was first detected about a month ago at one of the group's overseas subsidiaries. Within days, the malware found its way into some of the group's manufacturing and other services companies, the Economic Times reports.
In a statement, a company spokesperson says: "Aditya Birla Group has advanced threat management systems that are constantly monitoring and protecting business critical applications and infrastructure in all businesses. Recently, the advanced threat detection systems of our group alerted us of suspicious activity on some desktop systems. Based on this, our internal team immediately carried out an investigation and deployed countermeasures to isolate and eliminate the cause of this activity."
The countermeasures limited the spread of the malware, the company states. "We also ascertained that there was no data loss due to this activity," according to the statement. "As an added assurance, we initiated a detailed forensic investigation which is nearing conclusion in respect of root cause analysis and preventive actions."
The incident is believed to be the first major cryptojacking attack in India.
"Cryptojacking is a relatively new phenomenon. It has been on the rise since the middle of 2017. Though countries in the West have been impacted, it's surely a first for India if we consider the scale of attack," says a Pune-based security practitioner, who did not wish to be named.
The digital currency that was mined in the attack apparently was Monero. "Monero is relatively less scrutinized when compared to bitcoins. This could be the reason behind it being mostly used in cryptojacking," the practitioner says.
Cryptojacking Attack Process
Cryptojacking involves using the computing power of a targeted device to mine cryptocurrency. Mining refers to solving computationally intensive mathematical tasks, which are used to verify the blockchain, or public ledger, of transactions. As an incentive, anyone who mines for cryptocurrency has a chance of getting some cryptocurrency back as a reward.
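To make the "computationally intensive mathematical tasks" concrete, here is a simplified proof-of-work search, added as an illustration that is not part of the article and not the algorithm Monero actually uses: a miner must try nonces until the SHA-256 hash of the block header meets a difficulty target, which costs roughly 2^difficulty hash evaluations, while checking a claimed solution costs a single hash. The header bytes are a constructed sample.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def mine(block_header: bytes, difficulty_bits: int, max_nonce: int = 1_000_000):
    """Brute-force a nonce so that SHA-256(header || nonce) starts with
    difficulty_bits zero bits. Returns (nonce, digest, attempts) or None.
    Expected work is about 2**difficulty_bits hash evaluations, which is
    why a mining process pins the CPU for as long as it runs."""
    for nonce in range(max_nonce):
        digest = hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    return None


def verify(block_header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however hard it was to find."""
    digest = hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits


if __name__ == "__main__":
    header = b"constructed-block-header"   # constructed sample input, not real chain data
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(header, bits)
        print(f"difficulty {bits:2d} bits: nonce={nonce:6d} attempts={attempts:6d} "
              f"(expected ~{2**bits}) digest={digest.hex()[:16]}... "
              f"valid={verify(header, nonce, bits)}")
```

Raising the difficulty by one bit doubles the expected number of hashes, which is the asymmetry a cryptojacker exploits: the victim pays for the search, the attacker only needs the cheap-to-verify result.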
"For a criminal, the motive behind cryptomining is using computing power of victims to make money while victims foot the electricity bill," says Jiten Jain, CEO at Voyager InfoSec, a software consultancy firm.
Not Easily Detectable
Apart from the power and processing capacity it consumes, cryptojacking does not directly harm its victims. "Affected users will notice their device slowing down due to the high CPU usage in addition to higher electricity bills. This process also generates a lot of heat, and we've seen physical damage of devices," says Vijay Nair, manager, forensics technology at KPMG Vietnam.
Detecting a cryptojacking attack can be difficult. "Even employee training is less effective in such cases," Nair says. "There are no particular sites which we can ask employees not to visit or anything in particular we can ask them not to do. Though when an attack is discovered, IT admins could temporarily ban the infected webpage until the fault gets rectified."
Jain explains: "It's very difficult to detect and stop modern cryptojacking attacks as they use harmless-looking JavaScript. Since JavaScript is used by almost all websites and enabled by default in all browsers, it's easy to carry out cryptojacking attacks."
Among the key mitigation steps that can be taken are: using browser extensions that block mining scripts, adopting the browser isolation model and carefully monitoring endpoint devices' use of resources.
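The "slowing down due to the high CPU usage" that Nair describes is also the signal a defender can monitor for. The following detection logic is an added example, not code from the article or from any of the firms quoted in it: it runs over constructed per-process CPU telemetry from two workstations and flags any process whose CPU use stays above a threshold for a sustained, unbroken run of samples. Mining load is steady rather than bursty, so the run length is what separates it from an ordinary spreadsheet recalculation or page render. Host names, process names and sample values are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int         # sample time, seconds since epoch
    host: str
    process: str
    cpu_pct: float  # per-process CPU use, percent of one core


def _series(host, process, start_ts, values, step=10):
    """Build a run of samples taken every `step` seconds (constructed data)."""
    return [Sample(start_ts + i * step, host, process, v) for i, v in enumerate(values)]


# Constructed endpoint telemetry (not real data): 10-second samples from two workstations.
SAMPLES = (
    # ws-17: browser pinned near 100% for 80 seconds with almost no variation
    _series("ws-17", "chrome.exe", 1_700_000_000, [94, 96, 95, 97, 96, 95, 94, 96])
    # ws-17: spreadsheet recalculation, a short legitimate burst
    + _series("ws-17", "excel.exe", 1_700_000_000, [12, 91, 88, 9, 7, 6, 8, 10])
    # ws-22: a normal browsing session
    + _series("ws-22", "chrome.exe", 1_700_000_000, [23, 41, 18, 35, 52, 30, 27, 19])
)


def find_sustained_cpu(samples, threshold=85.0, min_consecutive=6):
    """Flag (host, process) pairs whose CPU use stays at or above `threshold`
    for at least `min_consecutive` consecutive samples. Each qualifying run
    becomes one alert with its start, end, length and mean CPU."""
    by_key = defaultdict(list)
    for s in samples:
        by_key[(s.host, s.process)].append(s)

    alerts = []
    for (host, process), series in by_key.items():
        series.sort(key=lambda s: s.ts)
        run = []
        for s in series + [None]:           # trailing None flushes the last run
            if s is not None and s.cpu_pct >= threshold:
                run.append(s)
                continue
            if len(run) >= min_consecutive:
                alerts.append({
                    "host": host,
                    "process": process,
                    "start": run[0].ts,
                    "end": run[-1].ts,
                    "samples": len(run),
                    "mean_cpu": round(sum(r.cpu_pct for r in run) / len(run), 1),
                })
            run = []
    return alerts


if __name__ == "__main__":
    for a in find_sustained_cpu(SAMPLES):
        print(f"{a['host']} {a['process']}: {a['samples']} samples >= 85% "
              f"from {a['start']} to {a['end']} (mean {a['mean_cpu']}%)")
```

With the defaults (85% for six consecutive 10-second samples, i.e. a full minute) only the browser on ws-17 is flagged; the two-sample spreadsheet burst is not. The threshold and run length are tuning knobs: a fleet that uses endpoint telemetry at a different sampling interval would scale `min_consecutive` accordingly, and a browser process topping the list for minutes on an idle desk is the case worth a closer look.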
In browser-based cryptojacking, cryptocurrency mining code is embedded in a website, and visitors' browsers execute it when they load the page. Companies therefore need to regularly review the scripts that run on their systems.
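One way to carry out that script review, as an added example that is not code from the article or from any firm it quotes: inventory every `<script>` on a page, report external scripts loaded from hosts outside an allowlist, and report inline scripts that call the browser APIs sustained in-browser compute usually needs. The markers are heuristics, since Web Workers, WebAssembly and WebSockets are all used legitimately, so each finding is a prompt for a human to review, not a verdict. The sample page, the host names and the allowlist are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


# Heuristic markers: APIs that sustained in-browser compute usually needs.
# They are also used legitimately, so a hit is a prompt for review, not a verdict.
COMPUTE_MARKERS = ("WebAssembly", "new Worker(", "new WebSocket(")


def review_scripts(html, page_host, allowed_hosts):
    """Return findings for scripts loaded from hosts outside the allowlist and
    for inline scripts that use the compute markers above."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).netloc or page_host).lower()   # relative URL -> same host
        if host != page_host and host not in allowed_hosts:
            findings.append(("unreviewed-external-script", src))
    for body in parser.inline:
        hits = [m for m in COMPUTE_MARKERS if m in body]
        if hits:
            findings.append(("inline-script-compute-apis", ", ".join(hits)))
    return findings


# Constructed sample page (not a real site): one first-party script, one allowlisted
# CDN, one script from a host nobody has reviewed, and an inline worker.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/ui.min.js"></script>
<script src="https://tag.unreviewed-vendor.example/t.js"></script>
<script>
  var w = new Worker("/static/worker.js");
  WebAssembly.instantiateStreaming(fetch("/static/m.wasm"));
</script>
</head><body><p>hello</p></body></html>
"""

if __name__ == "__main__":
    for kind, detail in review_scripts(SAMPLE_HTML, "www.example.com", {"cdn.example.net"}):
        print(f"{kind}: {detail}")
```

Run periodically against the organisation's own pages (and against the pages a third-party CDN serves on its behalf), the allowlist turns a one-off review into a diff: a script from a host that was not there at the last review, or a new inline worker, is exactly the change that a compromised site or a tampered third-party tag would introduce.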