Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Matt Downing
Matt Downing
Connect Directly
E-Mail vvv

5 Steps to Fight Unauthorized Cryptomining

This compromise feels like a mere annoyance, but it can open the door to real trouble.

As a CISO or cybersecurity pro, you could notice one day that "something is different" because your users' computers are slowing down. Or — with a little sleuthing — you may discover that your organization's power bill has suddenly soared by hundreds or even thousands of dollars.

At this point, it's possible that cryptominers have compromised your enterprise network and/or web environment. But there is no immediate need to panic. Cryptominers typically aren't looking to steal sensitive data or intentionally disrupt operations. They want to take your computing resources and use them to surreptitiously mine for cryptocurrency.

On the surface, this might seem like a "no harm/no foul" crime. However, the potential for risk is equivalent to that of any botnet, malware, ransomware, or other malicious threat. When cryptominers successfully compromise your network or cloud environment, they are hijacking the resources your organization pays for, while possibly setting the stage for expanded exploitation or, at minimum, evidence that there is a security gap that others could exploit.

Bitcoin's valuation — which peaked at $20,000 in December 2017 — soared, and interest in cryptomining followed suit. Even if the valuations of cryptocurrenices have declined since then, the overall market is projected to reach $1 trillion this year, up from about $417 billion in February.

Hackers keep "borrowing" computing power because it takes plenty of processing power to solve the complex mathematical equations required to create the digital coins. Bitcoin's network alone currently consumes at least 2.55 gigawatts of electricity, and probably will reach 7.67 gigawatts sometime this year, according to research published by Alex de Vries, blockchain specialist for PwC. (To put this in context, the nation of Austria uses 8.2 gigawatts.)

The insatiable need for power drives hackers to infect cloud environments and enterprise networks purely to exploit computing resources. Over the past year, cryptomining hackers have compromised the Amazon Web Services (AWS) and Microsoft Azure environments of organizations such as Aviva, a British multinational insurance company; Gemalto, the world's largest manufacturer of smart cards; and Tesla, the electric vehicle and solar energy manufacturer, according to researchers from RedLock, a cloud monitoring and defense firm.

To gain further enterprise-level access to the power, attackers embed miner scripts in websites so they can tap the computing resources of many computers without installing malware on each of them, according to Kaspersky Lab. They're also embedding the scripts in YouTube ads to spread them via multiple pages and videos without the attackers having to do anything.

The activity is pervasive: Nearly 49,000 websites host some kind of cryptocurrency mining malware, according to research from the Bad Packets Report. More than four out of five of the sites use Coinhive, which mines for the Monero cryptocurrency. Hackers favor Monero because its transactions are essentially untraceable, and it is still feasible to mine Monero on commodity hardware, unlike Bitcoin, which requires specialized equipment.

What's more, not all of the hacking is benign: In May, 360 Total Security announced that it had discovered malware that it named WinstarNssmMiner, a new form of Monero miner that crashes systems when antivirus products attempt to remove it. 360 Total Security reported during the announcement that it had intercepted WinstarNssmMiner attacks more than 500,000 times over a three-day period.

Any vulnerable application will targeted, and any weakly secured interface will be exploited. Fortunately, preventing most of these attacks simply requires good cyber hygiene, which should include the following steps:

1. Update antivirus signatures and patches. Despite the relatively "new" and "hot" status of cryptomining, these attacks are straightforward. They work just as traditional malware works using slightly modified commodity mining software, and use standard protocols to communicate with mining servers. If your antivirus signatures are current, there is a good chance you will detect infections. The safest course of action is to keep your hosts patched up. Prioritize externally facing hosts and vulnerabilities that have publicly disclosed exploits.

2. Use the latest versions for software and apps. Similarly, if you're deploying the latest version of these products from vendors, you improve the chances of defending your organization from cryptominers seeking to exploit via vulnerabilities in older products.

3. Avoid unauthenticated platforms and application programming interfaces (APIs). By default, they are unsecured, and hackers can manage them remotely. At Alert Logic, for instance, we found attackers targeting exposed unauthenticated Docker Daemon APIs, with the attacker's "haul" totaling 175 Monero, which, at the time, equaled about $35,000. Enabling authentication and not exposing these services directly to the Internet should be your only acceptable deployment strategy.

4. Keep your cloud credentials out of the public side of GitHub. Attackers are aware that a rich source of AWS keys comes from monitoring GitHub. It takes minutes for an attacker to spin up hundreds of instances on your account after an errant commit that includes credentials. Ensure your developers are not using public Github repositories for production or test code in general, and especially not credentials to your cloud infrastructure.

5. Monitor Windows Task Manager. Task Manager will reveal whether your CPUs are going into overdrive. "Normal" utilization for the cloud is up to 80% percent of CPU capacity during working hours. But cryptominers will go full-throttle, seeking 100% utilization 24/7/365. When you see such spikes across your environment, you can safely assume that you have a malware situation.

As shown, this isn't the kind of compromise that should keep you up at night. So far, the impact of cryptomining amounts to more of an annoyance and additional cost burden than anything else. But an infection is an infection, and an exposure that opens the door to these attackers speaks to the overall defense of your entire cyber ecosystem. By addressing the "basics" illustrated in the steps here, you're sending a clear message to cryptominers: There's no money to be made here, so move along.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Matt Downing is a Principal Threat Researcher at Alert Logic. In this role, he investigates the tactics and techniques hackers employ to attack Alert Logic's wide customer base. He has previously held various technical and security roles in the financial sector and Department ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.