The following is a guest post by the 2019 Secure360 Twin Cities WiFi sponsor Cisco.
One of, if not the, most prominent motivators for threat actors is money. Whether it’s botnet owners renting out their services for DDoS attacks, tech support scammers cold-calling people to convince them there are problems with their computers, or point-of-sale Trojan horses siphoning off credit card numbers, making money is at the root of much of the threat-related activity we see today.
By far the most prominent money-making threat scheme of 2018 was cryptomining. This is a topic Cisco Talos threat intelligence has been researching for some time now. To the mind of an attacker, it’s almost the perfect crime: it hides behind the scenes, it requires little-to-no interaction from the target and can be highly lucrative.
But before we delve deeper into the threat aspect, let’s take two steps back and talk about cryptocurrencies and cryptomining.
What is cryptocurrency?
At the lowest of levels, cryptocurrencies are digital currencies that are unassociated with centralized banking systems, such as those run by various countries or economic zones around the world. Cryptocurrencies first rose to prominence around 10 years ago with the advent of Bitcoin. Today, the cryptocurrency market boasts thousands of different digital currencies.
One feature that has made cryptocurrencies so popular is the blockchain: the public, digital ledger used to validate the coins and transactions. A major draw of blockchain technology is that it is difficult to modify or tamper with, thanks to cryptography and its distributed nature, which help secure transactions using cryptocurrencies.
What is cryptomining?
Whether it’s referred to as coin mining, cryptocurrency mining, or cryptomining for short, this is the process by which new coins are created or earned. While there are slight variations between coins, mining is largely the process of validating transactions on the blockchain, whereby those carrying out the processing are paid a fee for their efforts. In effect, you can earn coins by helping to validate the blockchain and the transaction ledger contained within.
In some cryptocurrencies, such as Bitcoin, new coins can also be generated when a new block of transactions is added to the blockchain. This is an example of how new coins are “mined” while validating transactions on the blockchain.
What’s so bad about that?
In all actuality, nothing. Neither cryptocurrencies nor cryptomining are inherently malicious. There are plenty of well-intentioned people using cryptocurrencies and participating in cryptomining activities. The one key aspect that separates your regular, everyday cryptomining from what we consider malicious cryptomining is consent.
There is often little difference between cryptomining software that a user installs on their own and cryptomining software installed by a malicious actor. In fact, in many cases they’re exactly the same. The difference is that the malicious cryptomining software is running without the owner’s knowledge. And any software that runs on a device without the owner’s knowledge is cause for concern.
A wolf in sheep’s clothing is still a wolf
There are plenty of reasons to be concerned about malicious cryptomining.
As with any piece of software on a computer, cryptomining requires resources. And a piece of software that takes too many resources can have a negative impact on overall system performance. Plus, the use of extra resources requires extra power to facilitate it. It may not add up to much on one system, but multiply the cost over the number of endpoints in an organization and you could see a noticeable rise in power costs.
Furthermore, there may be regulatory compliance implications when cryptominers are earning revenue on corporate networks. This holds especially true for those in the financial sector, where strict rules could apply to revenue generated using corporate resources, whether or not those in charge are aware of the practice.
Perhaps most worrying is that the presence of a malicious cryptomining infection could point to security holes in the network configuration or overall security policies, which could just as easily be exploited by attackers for other means. If a cryptomining infection is found on a network, what’s to stop other malicious threats from exploiting those same holes to carry out further malicious activity?
How does malicious cryptomining get on a device?
The methods used to deliver malicious cryptomining software are the same methods used to deliver other malicious threats. Naturally, as with any threat, if there’s a way to compromise a system, attackers will try it. These are just a few of the more common ways malicious cryptomining arrives on a device.
- Exploiting vulnerabilities in both endpoint and server-based applications.
- Employing botnets to spread cryptomining software to new and previously compromised devices.
- Sending emails that include malicious attachments.
- Utilizing adware threats that install browser plugins that can be used to perform cryptomining.
How do I prevent malicious cryptomining?
As with anything threat-related, a good security posture will go a long way toward keeping malicious cryptomining at bay. Consider these preventative measures:
- To detect and block malicious cryptomining, advanced endpoint protection is needed and should be part of a broader defense strategy.
- You can utilize network security analytics to uncover where cryptomining activity may be occurring in your organization.
- To prevent cryptomining applications from being installed in the first place, block network connections to web sites known to participate in mining cryptocurrencies.
- DNS layer security can also be extremely effective in stopping cryptomining, preventing mining transactions from being sent back to the malicious actors.
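As an added illustration of the network-analytics and DNS-layer measures above (example code written for this post, not Cisco's own tooling): it flags DNS queries for domains on a pool blocklist and proxy-logged JSON-RPC messages whose method names belong to the Stratum mining protocol, which the post does not name. The blocklist entries, log lines, addresses and wallet value are all constructed for the example.

```python
import json

# Constructed blocklist of mining-pool domains (placeholders, not real indicators).
MINING_POOL_BLOCKLIST = {"pool.example-miner.test", "xmr.example-pool.test"}

# Constructed DNS resolver log lines: "<timestamp> <client_ip> <queried_name>".
DNS_LOG = """\
2019-05-01T10:00:01Z 10.1.2.3 www.example.com
2019-05-01T10:00:05Z 10.1.2.7 pool.example-miner.test
2019-05-01T10:00:09Z 10.1.2.7 ntp.example.org
2019-05-01T10:01:12Z 10.1.2.9 stratum.xmr.example-pool.test
"""

# Constructed proxy log lines: "<timestamp> <client_ip> <destination> <json_payload>".
# Miners talk to pools with Stratum, a JSON-RPC protocol; the method names below are
# the ones that protocol uses. "login"/"submit" are generic words, so treat a hit on
# them as a lead to correlate with the destination port and DNS data, not as proof.
PROXY_LOG = """\
2019-05-01T10:00:06Z 10.1.2.7 203.0.113.5:3333 {"id":1,"method":"mining.subscribe","params":[]}
2019-05-01T10:00:07Z 10.1.2.4 198.51.100.8:443 {"id":1,"method":"getStatus","params":[]}
2019-05-01T10:01:13Z 10.1.2.9 203.0.113.9:14444 {"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}
"""

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}


def parent_domains(qname):
    """All suffixes of a name, so 'a.b.c' matches a blocklist entry for 'b.c'."""
    labels = qname.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


def flag_dns(log, blocklist=MINING_POOL_BLOCKLIST):
    """Return (client, queried_name, matched_entry) for queries touching the blocklist."""
    hits = []
    for line in log.splitlines():
        _ts, client, qname = line.split()
        matched = parent_domains(qname) & blocklist
        if matched:
            hits.append((client, qname, sorted(matched)[0]))
    return hits


def flag_stratum(log, methods=STRATUM_METHODS):
    """Return (client, destination, method) for JSON-RPC messages using mining methods."""
    hits = []
    for line in log.splitlines():
        _ts, client, dest, payload = line.split(maxsplit=3)
        try:
            msg = json.loads(payload)
        except ValueError:
            continue  # not JSON, so not a Stratum message
        if isinstance(msg, dict) and msg.get("method") in methods:
            hits.append((client, dest, msg["method"]))
    return hits
```

Running both checks over the constructed logs ties the same two clients to both a pool-domain lookup and a mining protocol exchange, which is the kind of overlap the network-analytics and DNS layers are meant to surface together.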
Overall, if you practice a layered approach to security, with an effective line of defense that includes next-generation firewall, endpoint, security analytics, and DNS layers, you stand a better chance of detecting and preventing cryptomining infections on your network.
Money is and likely always will be one of the chief motivators for malicious actors in the threat landscape. In many ways malicious cryptomining can be looked at as a way for attackers to make a fast buck with little overhead, while the targets are less worried about the implications of this threat on their devices than they are about others. Still, the indirect costs are nothing to ignore, and should be addressed regardless.
For more information, read Cisco’s whitepaper on how to defend your network from cryptomining. And as always, we welcome your comments below.