Attacks/Breaches

3/29/2018
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

University Networks Become Fertile Ground for Cryptomining

Sixty percent of cryptomining detections in a Vectra study occurred on higher-education networks.

Large, high-bandwidth university networks have become fertile ground for cryptomining activity by criminals and students, who are taking advantage of their free access to cash in on the crypto boom.

Automated threat management provider Vectra recently analyzed attack behavior patterns and trends from a sample of 246 of its enterprise customers across 14 industries, and it found that a startling 60% of all cryptocurrency mining detections occurred in higher-education networks.

In comparison, the entertainment and leisure sector, which ranked second, accounted for just 6% of all detections; the financial sector, often thought to be a popular target, had just 3%.

University networks — with their high-bandwidth capacities and large volume of students with relatively unprotected systems — make for an attractive target for cryptomining activity, says Chris Morales, Vectra's head of security analytics.

The tendency by students to use untrusted sites to download illegal movies and music, for instance, make their systems easy targets for hosting cryptomining software. The free access to the Internet and electric power that is available to students is another factor.

"Cryptocurrency mining converts electricity to monetary value by using computational resources," Morales says. "This is very expensive to accomplish without a free source of power and a lot of computing resources with minimal security controls that are exposed to the Internet."

University networks fit the bill and are ideal pastures for "cryptojackers" and for those looking to earn money performing cryptomining from their dorm rooms using their own personal systems, he says. "Even at the current value of $9,000 per bitcoin, it remains a lucrative temptation for both attackers and students with free electricity they can convert into monetary value."

Because the data Vectra collects is anonymized, it is hard to tell for sure to what extent students are engaged in cryptomining activity. "[But] we do know there is a mix of students and attackers performing cryptomining in university networks," based on information from university customers, Morales says.

Unlike corporate networks, which have strict security controls for curbing cryptocurrency mining, universities have few of the same measures. At best, they can advise students on how to protect themselves, help them clean infected systems, and create awareness of phishing emails, suspicious websites, and online ads, he says.

Vectra's data showed systems that were part of or connected to university networks had considerably more malicious behavior overall — like command and control communications, botnet activity, and lateral movement — than systems in other sectors.

Attacker behavior volumes, at 3,715 detections per 10,000 devices, was nearly 25% higher on university networks than on systems in the engineering industry, the sector with the second highest volume of malicious activity (2,918 detections per 10,000 devices).

Command and control activity in higher-education environments, at 2,205 detections per 10,000 devices, was nearly five times the industry average of 460 detections per 10,000 devices. Botnet activity accounted for 151 detections per 10,000 devices, compared with the industry average of 33 detections.

Attacker Behaviors

Vectra's data, gathered from some 4.5 million customer devices and workloads, adds to numerous other data sets over the years showing higher-education networks to be among the most poorly secured against threats compared with any other sector.

The data also showed what attackers generally tend to do once they gain access to a system or network. "Most security teams have in-depth knowledge of the techniques an attacker uses to get through the prevention layer," Morales says. "[Vectra's report] provides insight into the attacker behaviors they need to detect in order to stop active attacks in real time."

On average, organizations in Vectra's study had 818 devices exhibiting malicious behavior over a one-month period. Command and control activity accounted for the highest proportion of attack behaviors detected on compromised systems. In most cases, such activity represents the first stage of an attack, Morales says.

Other common malicious activities that Vectra detected included lateral movement, reconnaissance, data exfiltration, and botnet activity. Vectra's data showed that systems that are part of a botnet are being used in a variety of malicious ways, the most common of them being to serve ads. The vendor found that about 8% of the botnets are being used in bitcoin mining, while barely 2% are being used in distributed denial-of-service attacks.

"To me, the biggest point I noticed is that ransomware is not the biggest threat we are facing," Morales says.

Related Content:

 

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/5/2018 | 12:29:52 AM
Re: I can't understand all these stuff
@REISEN: Not to mention the fact that (as I understand it), you can't get certain jobs with the federal government or particular security clearances if you've pirated software or music -- and they do polygraph on that stuff. (Not that polygraphs are 100% reliable, but still.)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/2/2018 | 3:37:44 PM
Internal threats
It's not just students et al. visiting bad-reputation sites. A lot of cryptomining activity on campuses occurs with a faculty member, student, or other staffer leveraging the university's HPC capabilities to mine Bitcoin and other cryptocurrencies. We've seen some headlines about this. Excellent way to get into trouble.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/2/2018 | 7:18:39 AM
Re: I can't understand all these stuff
College is a good hunting ground for this background activity as kids know nothing about the REAL world out there, think that internet cafe(s) are really fun and neat and just do not take security seriously.  When you are 20 years old, death is not an option nor a mortgage nor life responsibility.  I knew nothing about that when I was 20.  So they run loose and wild and don't know any better.
AnnaEverson
50%
50%
AnnaEverson,
User Rank: Strategist
3/29/2018 | 10:37:34 AM
I can't understand all these stuff
Oh so what is that for? What can I say( I don't understand anything) 
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.