
3/29/2018 09:00 AM

University Networks Become Fertile Ground for Cryptomining

Sixty percent of cryptomining detections in a Vectra study occurred on higher-education networks.

Large, high-bandwidth university networks have become fertile ground for cryptomining activity by criminals and students, who are taking advantage of their free access to cash in on the crypto boom.

Automated threat management provider Vectra recently analyzed attack behavior patterns and trends from a sample of 246 of its enterprise customers across 14 industries, and it found that a startling 60% of all cryptocurrency mining detections occurred in higher-education networks.

In comparison, the entertainment and leisure sector, which ranked second, accounted for just 6% of all detections; the financial sector, often thought to be a popular target, had just 3%.

University networks — with their high-bandwidth capacities and large volume of students with relatively unprotected systems — make for an attractive target for cryptomining activity, says Chris Morales, Vectra's head of security analytics.

The tendency of students to use untrusted sites to download pirated movies and music, for instance, makes their systems easy targets for hosting cryptomining software. The free Internet access and electric power available to students is another factor.

"Cryptocurrency mining converts electricity to monetary value by using computational resources," Morales says. "This is very expensive to accomplish without a free source of power and a lot of computing resources with minimal security controls that are exposed to the Internet."

University networks fit the bill and are ideal pastures for "cryptojackers" and for those looking to earn money performing cryptomining from their dorm rooms using their own personal systems, he says. "Even at the current value of $9,000 per bitcoin, it remains a lucrative temptation for both attackers and students with free electricity they can convert into monetary value."

Because the data Vectra collects is anonymized, it is hard to tell for sure to what extent students are engaged in cryptomining activity. "[But] we do know there is a mix of students and attackers performing cryptomining in university networks," based on information from university customers, Morales says.

Unlike corporate networks, which have strict security controls for curbing cryptocurrency mining, universities have few of the same measures. At best, they can advise students on how to protect themselves, help them clean infected systems, and create awareness of phishing emails, suspicious websites, and online ads, he says.

Vectra's data showed systems that were part of or connected to university networks had considerably more malicious behavior overall — like command and control communications, botnet activity, and lateral movement — than systems in other sectors.

Attacker behavior volumes, at 3,715 detections per 10,000 devices, were nearly 25% higher on university networks than on systems in the engineering industry, the sector with the second-highest volume of malicious activity (2,918 detections per 10,000 devices).

Command and control activity in higher-education environments, at 2,205 detections per 10,000 devices, was nearly five times the industry average of 460 detections per 10,000 devices. Botnet activity accounted for 151 detections per 10,000 devices, compared with the industry average of 33 detections.

Attacker Behaviors

Vectra's data, gathered from some 4.5 million customer devices and workloads, adds to numerous other data sets over the years showing higher-education networks to be among the most poorly secured against threats of any sector.

The data also showed what attackers generally tend to do once they gain access to a system or network. "Most security teams have in-depth knowledge of the techniques an attacker uses to get through the prevention layer," Morales says. "[Vectra's report] provides insight into the attacker behaviors they need to detect in order to stop active attacks in real time."

On average, organizations in Vectra's study had 818 devices exhibiting malicious behavior over a one-month period. Command and control activity accounted for the highest proportion of attack behaviors detected on compromised systems. In most cases, such activity represents the first stage of an attack, Morales says.

Other common malicious activities that Vectra detected included lateral movement, reconnaissance, data exfiltration, and botnet activity. Vectra's data showed that systems that are part of a botnet are being used in a variety of malicious ways, the most common of them being to serve ads. The vendor found that about 8% of the botnets are being used in bitcoin mining, while barely 2% are being used in distributed denial-of-service attacks.

"To me, the biggest point I noticed is that ransomware is not the biggest threat we are facing," Morales says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
AnnaEverson, User Rank: Strategist
3/29/2018 | 10:37:34 AM
I can't understand all this stuff
Oh, so what is that for? What can I say (I don't understand anything)
REISEN1955, User Rank: Ninja
4/2/2018 | 7:18:39 AM
Re: I can't understand all this stuff
College is a good hunting ground for this background activity as kids know nothing about the REAL world out there, think that internet cafe(s) are really fun and neat and just do not take security seriously. When you are 20 years old, death is not an option nor a mortgage nor life responsibility. I knew nothing about that when I was 20. So they run loose and wild and don't know any better.
Joe Stanganelli, User Rank: Ninja
4/5/2018 | 12:29:52 AM
Re: I can't understand all this stuff
@REISEN: Not to mention the fact that (as I understand it), you can't get certain jobs with the federal government or particular security clearances if you've pirated software or music -- and they do polygraph on that stuff. (Not that polygraphs are 100% reliable, but still.)
Joe Stanganelli, User Rank: Ninja
4/2/2018 | 3:37:44 PM
Internal threats
It's not just students et al. visiting bad-reputation sites. A lot of cryptomining activity on campuses occurs with a faculty member, student, or other staffer leveraging the university's HPC capabilities to mine Bitcoin and other cryptocurrencies. We've seen some headlines about this. Excellent way to get into trouble.