Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Matt Downing
Matt Downing
Connect Directly
E-Mail vvv

5 Steps to Fight Unauthorized Cryptomining

This compromise feels like a mere annoyance, but it can open the door to real trouble.

As a CISO or cybersecurity pro, you could notice one day that "something is different" because your users' computers are slowing down. Or — with a little sleuthing — you may discover that your organization's power bill has suddenly soared by hundreds or even thousands of dollars.

At this point, it's possible that cryptominers have compromised your enterprise network and/or web environment. But there is no immediate need to panic. Cryptominers typically aren't looking to steal sensitive data or intentionally disrupt operations. They want to take your computing resources and use them to surreptitiously mine for cryptocurrency.

On the surface, this might seem like a "no harm/no foul" crime. However, the potential for risk is equivalent to that of any botnet, malware, ransomware, or other malicious threat. When cryptominers successfully compromise your network or cloud environment, they are hijacking the resources your organization pays for, while possibly setting the stage for expanded exploitation or, at minimum, evidence that there is a security gap that others could exploit.

Bitcoin's valuation — which peaked at $20,000 in December 2017 — soared, and interest in cryptomining followed suit. Even if the valuations of cryptocurrenices have declined since then, the overall market is projected to reach $1 trillion this year, up from about $417 billion in February.

Hackers keep "borrowing" computing power because it takes plenty of processing power to solve the complex mathematical equations required to create the digital coins. Bitcoin's network alone currently consumes at least 2.55 gigawatts of electricity, and probably will reach 7.67 gigawatts sometime this year, according to research published by Alex de Vries, blockchain specialist for PwC. (To put this in context, the nation of Austria uses 8.2 gigawatts.)

The insatiable need for power drives hackers to infect cloud environments and enterprise networks purely to exploit computing resources. Over the past year, cryptomining hackers have compromised the Amazon Web Services (AWS) and Microsoft Azure environments of organizations such as Aviva, a British multinational insurance company; Gemalto, the world's largest manufacturer of smart cards; and Tesla, the electric vehicle and solar energy manufacturer, according to researchers from RedLock, a cloud monitoring and defense firm.

To gain further enterprise-level access to the power, attackers embed miner scripts in websites so they can tap the computing resources of many computers without installing malware on each of them, according to Kaspersky Lab. They're also embedding the scripts in YouTube ads to spread them via multiple pages and videos without the attackers having to do anything.

The activity is pervasive: Nearly 49,000 websites host some kind of cryptocurrency mining malware, according to research from the Bad Packets Report. More than four out of five of the sites use Coinhive, which mines for the Monero cryptocurrency. Hackers favor Monero because its transactions are essentially untraceable, and it is still feasible to mine Monero on commodity hardware, unlike Bitcoin, which requires specialized equipment.

What's more, not all of the hacking is benign: In May, 360 Total Security announced that it had discovered malware that it named WinstarNssmMiner, a new form of Monero miner that crashes systems when antivirus products attempt to remove it. 360 Total Security reported during the announcement that it had intercepted WinstarNssmMiner attacks more than 500,000 times over a three-day period.

Any vulnerable application will targeted, and any weakly secured interface will be exploited. Fortunately, preventing most of these attacks simply requires good cyber hygiene, which should include the following steps:

1. Update antivirus signatures and patches. Despite the relatively "new" and "hot" status of cryptomining, these attacks are straightforward. They work just as traditional malware works using slightly modified commodity mining software, and use standard protocols to communicate with mining servers. If your antivirus signatures are current, there is a good chance you will detect infections. The safest course of action is to keep your hosts patched up. Prioritize externally facing hosts and vulnerabilities that have publicly disclosed exploits.

2. Use the latest versions for software and apps. Similarly, if you're deploying the latest version of these products from vendors, you improve the chances of defending your organization from cryptominers seeking to exploit via vulnerabilities in older products.

3. Avoid unauthenticated platforms and application programming interfaces (APIs). By default, they are unsecured, and hackers can manage them remotely. At Alert Logic, for instance, we found attackers targeting exposed unauthenticated Docker Daemon APIs, with the attacker's "haul" totaling 175 Monero, which, at the time, equaled about $35,000. Enabling authentication and not exposing these services directly to the Internet should be your only acceptable deployment strategy.

4. Keep your cloud credentials out of the public side of GitHub. Attackers are aware that a rich source of AWS keys comes from monitoring GitHub. It takes minutes for an attacker to spin up hundreds of instances on your account after an errant commit that includes credentials. Ensure your developers are not using public Github repositories for production or test code in general, and especially not credentials to your cloud infrastructure.

5. Monitor Windows Task Manager. Task Manager will reveal whether your CPUs are going into overdrive. "Normal" utilization for the cloud is up to 80% percent of CPU capacity during working hours. But cryptominers will go full-throttle, seeking 100% utilization 24/7/365. When you see such spikes across your environment, you can safely assume that you have a malware situation.

As shown, this isn't the kind of compromise that should keep you up at night. So far, the impact of cryptomining amounts to more of an annoyance and additional cost burden than anything else. But an infection is an infection, and an exposure that opens the door to these attackers speaks to the overall defense of your entire cyber ecosystem. By addressing the "basics" illustrated in the steps here, you're sending a clear message to cryptominers: There's no money to be made here, so move along.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Matt Downing is a Principal Threat Researcher at Alert Logic. In this role, he investigates the tactics and techniques hackers employ to attack Alert Logic's wide customer base. He has previously held various technical and security roles in the financial sector and Department ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...