10:30 AM
Matt Downing
Matt Downing
Connect Directly
E-Mail vvv

5 Steps to Fight Unauthorized Cryptomining

This compromise feels like a mere annoyance, but it can open the door to real trouble.

As a CISO or cybersecurity pro, you could notice one day that "something is different" because your users' computers are slowing down. Or — with a little sleuthing — you may discover that your organization's power bill has suddenly soared by hundreds or even thousands of dollars.

At this point, it's possible that cryptominers have compromised your enterprise network and/or web environment. But there is no immediate need to panic. Cryptominers typically aren't looking to steal sensitive data or intentionally disrupt operations. They want to take your computing resources and use them to surreptitiously mine for cryptocurrency.

On the surface, this might seem like a "no harm/no foul" crime. However, the potential for risk is equivalent to that of any botnet, malware, ransomware, or other malicious threat. When cryptominers successfully compromise your network or cloud environment, they are hijacking the resources your organization pays for, while possibly setting the stage for expanded exploitation or, at minimum, evidence that there is a security gap that others could exploit.

Bitcoin's valuation — which peaked at $20,000 in December 2017 — soared, and interest in cryptomining followed suit. Even if the valuations of cryptocurrenices have declined since then, the overall market is projected to reach $1 trillion this year, up from about $417 billion in February.

Hackers keep "borrowing" computing power because it takes plenty of processing power to solve the complex mathematical equations required to create the digital coins. Bitcoin's network alone currently consumes at least 2.55 gigawatts of electricity, and probably will reach 7.67 gigawatts sometime this year, according to research published by Alex de Vries, blockchain specialist for PwC. (To put this in context, the nation of Austria uses 8.2 gigawatts.)

The insatiable need for power drives hackers to infect cloud environments and enterprise networks purely to exploit computing resources. Over the past year, cryptomining hackers have compromised the Amazon Web Services (AWS) and Microsoft Azure environments of organizations such as Aviva, a British multinational insurance company; Gemalto, the world's largest manufacturer of smart cards; and Tesla, the electric vehicle and solar energy manufacturer, according to researchers from RedLock, a cloud monitoring and defense firm.

To gain further enterprise-level access to the power, attackers embed miner scripts in websites so they can tap the computing resources of many computers without installing malware on each of them, according to Kaspersky Lab. They're also embedding the scripts in YouTube ads to spread them via multiple pages and videos without the attackers having to do anything.

The activity is pervasive: Nearly 49,000 websites host some kind of cryptocurrency mining malware, according to research from the Bad Packets Report. More than four out of five of the sites use Coinhive, which mines for the Monero cryptocurrency. Hackers favor Monero because its transactions are essentially untraceable, and it is still feasible to mine Monero on commodity hardware, unlike Bitcoin, which requires specialized equipment.

What's more, not all of the hacking is benign: In May, 360 Total Security announced that it had discovered malware that it named WinstarNssmMiner, a new form of Monero miner that crashes systems when antivirus products attempt to remove it. 360 Total Security reported during the announcement that it had intercepted WinstarNssmMiner attacks more than 500,000 times over a three-day period.

Any vulnerable application will targeted, and any weakly secured interface will be exploited. Fortunately, preventing most of these attacks simply requires good cyber hygiene, which should include the following steps:

1. Update antivirus signatures and patches. Despite the relatively "new" and "hot" status of cryptomining, these attacks are straightforward. They work just as traditional malware works using slightly modified commodity mining software, and use standard protocols to communicate with mining servers. If your antivirus signatures are current, there is a good chance you will detect infections. The safest course of action is to keep your hosts patched up. Prioritize externally facing hosts and vulnerabilities that have publicly disclosed exploits.

2. Use the latest versions for software and apps. Similarly, if you're deploying the latest version of these products from vendors, you improve the chances of defending your organization from cryptominers seeking to exploit via vulnerabilities in older products.

3. Avoid unauthenticated platforms and application programming interfaces (APIs). By default, they are unsecured, and hackers can manage them remotely. At Alert Logic, for instance, we found attackers targeting exposed unauthenticated Docker Daemon APIs, with the attacker's "haul" totaling 175 Monero, which, at the time, equaled about $35,000. Enabling authentication and not exposing these services directly to the Internet should be your only acceptable deployment strategy.

4. Keep your cloud credentials out of the public side of GitHub. Attackers are aware that a rich source of AWS keys comes from monitoring GitHub. It takes minutes for an attacker to spin up hundreds of instances on your account after an errant commit that includes credentials. Ensure your developers are not using public Github repositories for production or test code in general, and especially not credentials to your cloud infrastructure.

5. Monitor Windows Task Manager. Task Manager will reveal whether your CPUs are going into overdrive. "Normal" utilization for the cloud is up to 80% percent of CPU capacity during working hours. But cryptominers will go full-throttle, seeking 100% utilization 24/7/365. When you see such spikes across your environment, you can safely assume that you have a malware situation.

As shown, this isn't the kind of compromise that should keep you up at night. So far, the impact of cryptomining amounts to more of an annoyance and additional cost burden than anything else. But an infection is an infection, and an exposure that opens the door to these attackers speaks to the overall defense of your entire cyber ecosystem. By addressing the "basics" illustrated in the steps here, you're sending a clear message to cryptominers: There's no money to be made here, so move along.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Matt Downing is a Principal Threat Researcher at Alert Logic. In this role, he investigates the tactics and techniques hackers employ to attack Alert Logic's wide customer base. He has previously held various technical and security roles in the financial sector and Department ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...