Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



10:00 AM
Larry Loeb
Larry Loeb
Larry Loeb

Increased Cryptomining: a Toehold for Attackers

New research reveals that in the last nine months of 2018 there has been a 19x increase in cryptomining activity on the Internet.

Cisco Umbrella is said by the company to protect users from connecting to malicious sites on the Internet and analyzes over 175 billion domain name system (DNS) requests daily.

It has recently released research that shows that in the last nine months of 2018 there has been a 19x increase in cryptomining activity on the Internet. Cisco says that the total cryptomining activity they have observed has grown from approximately 600k queries in March 2018 to 11.3 million queries as of December 2018.

They found that distribution of crypto traffic is spread across all industries. The top verticals impacted were energy, education, healthcare, local government and media.

The research found that about a third of all cryptomining activity they observed is attributed to energy and utilities organizations. They think these sectors are likely to use outdated systems and software that is prone to vulnerabilities.

There were geographic clusters of this activity. The US accounted for 62% of the total cryptomining traffic, followed by Europe, Middle East and Africa (EMEA), which accounted for 6% of the total.

Ayse Kaya Firat, head of insights and analytics at Cisco, discussed the research with SecurityNow.

When asked about what sort of traffic was used in the analysis she said that, "In order to be flagged as cryptomining, the domains must involve traffic to/from the customers network. Domains that are related to cryptomining -- e.g., a site that mines cryptocurrency using their own machines -- but does not directly impact a customer's environment is not considered cryptomining impacting customers' networks. HashFlare, for example, uses its own computing power/machines to mine cryptocurrency for its users -- zero impact on customer devices or networks."

On the rapid rise of cryptomining activity, she had this perspective: "There is little overhead for malicious miners, since they are using victims' network bandwidth, computing power, and electricity to mine -- they care less about the efficiency of mining, mining difficulty, and market conditions, since they are not paying the bills. The only other factor that could be of significant influence is the fact that the cryptocurrency market is in a rapid state of innovation, where it is becoming easier to mine cryptocurrency with fewer lines of code -- lower and lower barriers to entry. In other words, it is becoming very easy to mine in a customer's environment with little upfront effort and a low probability of detection."

Firat looks at cryptomining as a toehold for an attacker. "If a bad actor is able to use malicious cryptomining software in a penetrated network then they have a backdoor and can initiate myriad other attacks that are potentially even more profitable, whenever they please."

Firat also sees some ways for an enterprise to protect themselves: "There are a few ways organizations can protect against cryptomining. First, they should make sure to have robust passwords for cloud services like AWS, Azure, etc. and rotate passwords frequently. It is important for businesses to protect their environment by looking for both web-based miners and cryptomining software such as Honeyminer, which makes DNS queries. DNS-level identification (examining DNS query logs) is a great way to easily determine if an environment has a cryptomining problem or not."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.