Increased Cryptomining: a Toehold for Attackers

Cisco Umbrella is said by the company to protect users from connecting to malicious sites on the Internet and analyzes over 175 billion domain name system (DNS) requests daily.

It has recently released research that shows that in the last nine months of 2018 there has been a 19x increase in cryptomining activity on the Internet. Cisco says that the total cryptomining activity they have observed has grown from approximately 600k queries in March 2018 to 11.3 million queries as of December 2018.

They found that distribution of crypto traffic is spread across all industries. The top verticals impacted were energy, education, healthcare, local government and media.

The research found that about a third of all cryptomining activity they observed is attributed to energy and utilities organizations. They think these sectors are likely to use outdated systems and software that is prone to vulnerabilities.

There were geographic clusters of this activity. The US accounted for 62% of the total cryptomining traffic, followed by Europe, Middle East and Africa (EMEA), which accounted for 6% of the total.

Ayse Kaya Firat, head of insights and analytics at Cisco, discussed the research with SecurityNow.

When asked about what sort of traffic was used in the analysis she said that, "In order to be flagged as cryptomining, the domains must involve traffic to/from the customers network. Domains that are related to cryptomining -- e.g., a site that mines cryptocurrency using their own machines -- but does not directly impact a customer's environment is not considered cryptomining impacting customers' networks. HashFlare, for example, uses its own computing power/machines to mine cryptocurrency for its users -- zero impact on customer devices or networks."

On the rapid rise of cryptomining activity, she had this perspective: "There is little overhead for malicious miners, since they are using victims' network bandwidth, computing power, and electricity to mine -- they care less about the efficiency of mining, mining difficulty, and market conditions, since they are not paying the bills. The only other factor that could be of significant influence is the fact that the cryptocurrency market is in a rapid state of innovation, where it is becoming easier to mine cryptocurrency with fewer lines of code -- lower and lower barriers to entry. In other words, it is becoming very easy to mine in a customer's environment with little upfront effort and a low probability of detection."

Firat looks at cryptomining as a toehold for an attacker. "If a bad actor is able to use malicious cryptomining software in a penetrated network then they have a backdoor and can initiate myriad other attacks that are potentially even more profitable, whenever they please."

Firat also sees some ways for an enterprise to protect themselves: "There are a few ways organizations can protect against cryptomining. First, they should make sure to have robust passwords for cloud services like AWS, Azure, etc. and rotate passwords frequently. It is important for businesses to protect their environment by looking for both web-based miners and cryptomining software such as Honeyminer, which makes DNS queries. DNS-level identification (examining DNS query logs) is a great way to easily determine if an environment has a cryptomining problem or not."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.