3/29/2018
09:00 AM
University Networks Become Fertile Ground for Cryptomining

Sixty percent of cryptomining detections in a Vectra study occurred on higher-education networks.

Large, high-bandwidth university networks have become fertile ground for cryptomining activity by criminals and students, who are taking advantage of their free access to cash in on the crypto boom.

Automated threat management provider Vectra recently analyzed attack behavior patterns and trends from a sample of 246 of its enterprise customers across 14 industries, and it found that a startling 60% of all cryptocurrency mining detections occurred in higher-education networks.

In comparison, the entertainment and leisure sector, which ranked second, accounted for just 6% of all detections; the financial sector, often thought to be a popular target, had just 3%.

University networks — with their high-bandwidth capacities and large volume of students with relatively unprotected systems — make for an attractive target for cryptomining activity, says Chris Morales, Vectra's head of security analytics.

The tendency of students to use untrusted sites to download pirated movies and music, for instance, makes their systems easy targets for hosting cryptomining software. The free access to the Internet and to electric power that students enjoy is another factor.

"Cryptocurrency mining converts electricity to monetary value by using computational resources," Morales says. "This is very expensive to accomplish without a free source of power and a lot of computing resources with minimal security controls that are exposed to the Internet."

University networks fit the bill and are ideal pastures for "cryptojackers" and for those looking to earn money performing cryptomining from their dorm rooms using their own personal systems, he says. "Even at the current value of $9,000 per bitcoin, it remains a lucrative temptation for both attackers and students with free electricity they can convert into monetary value."

Because the data Vectra collects is anonymized, it is hard to tell for sure to what extent students are engaged in cryptomining activity. "[But] we do know there is a mix of students and attackers performing cryptomining in university networks," based on information from university customers, Morales says.

Unlike corporate networks, which have strict security controls for curbing cryptocurrency mining, universities have few of the same measures. At best, they can advise students on how to protect themselves, help them clean infected systems, and create awareness of phishing emails, suspicious websites, and online ads, he says.

Vectra's data showed systems that were part of or connected to university networks had considerably more malicious behavior overall — like command and control communications, botnet activity, and lateral movement — than systems in other sectors.

The volume of attacker behavior, at 3,715 detections per 10,000 devices, was nearly 25% higher on university networks than on systems in the engineering industry, the sector with the second-highest volume of malicious activity (2,918 detections per 10,000 devices).

Command and control activity in higher-education environments, at 2,205 detections per 10,000 devices, was nearly five times the industry average of 460 detections per 10,000 devices. Botnet activity accounted for 151 detections per 10,000 devices, compared with the industry average of 33 detections.

Attacker Behaviors

Vectra's data, gathered from some 4.5 million customer devices and workloads, adds to numerous other data sets over the years showing higher-education networks to be among the most poorly secured against threats of any sector.

The data also showed what attackers generally tend to do once they gain access to a system or network. "Most security teams have in-depth knowledge of the techniques an attacker uses to get through the prevention layer," Morales says. "[Vectra's report] provides insight into the attacker behaviors they need to detect in order to stop active attacks in real time."

On average, organizations in Vectra's study had 818 devices exhibiting malicious behavior over a one-month period. Command and control activity accounted for the highest proportion of attack behaviors detected on compromised systems. In most cases, such activity represents the first stage of an attack, Morales says.

Other common malicious activities that Vectra detected included lateral movement, reconnaissance, data exfiltration, and botnet activity. Vectra's data showed that systems that are part of a botnet are being used in a variety of malicious ways, the most common of them being to serve ads. The vendor found that about 8% of the botnets are being used in bitcoin mining, while barely 2% are being used in distributed denial-of-service attacks.

"To me, the biggest point I noticed is that ransomware is not the biggest threat we are facing," Morales says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Joe Stanganelli, User Rank: Ninja
4/5/2018 | 12:29:52 AM
Re: I can't understand all this stuff
@REISEN: Not to mention the fact that (as I understand it), you can't get certain jobs with the federal government or particular security clearances if you've pirated software or music -- and they do polygraph on that stuff. (Not that polygraphs are 100% reliable, but still.)
Joe Stanganelli, User Rank: Ninja
4/2/2018 | 3:37:44 PM
Internal threats
It's not just students et al. visiting bad-reputation sites. A lot of cryptomining activity on campuses occurs with a faculty member, student, or other staffer leveraging the university's HPC capabilities to mine Bitcoin and other cryptocurrencies. We've seen some headlines about this. Excellent way to get into trouble.
REISEN1955, User Rank: Ninja
4/2/2018 | 7:18:39 AM
Re: I can't understand all this stuff
College is a good hunting ground for this background activity as kids know nothing about the REAL world out there, think that internet cafe(s) are really fun and neat and just do not take security seriously. When you are 20 years old, death is not an option nor a mortgage nor life responsibility. I knew nothing about that when I was 20. So they run loose and wild and don't know any better.
AnnaEverson, User Rank: Strategist
3/29/2018 | 10:37:34 AM
I can't understand all this stuff
Oh, so what is that for? What can I say (I don't understand anything)