
Endpoint | Commentary
8/1/2018 10:30 AM
Matt Downing

5 Steps to Fight Unauthorized Cryptomining

This compromise feels like a mere annoyance, but it can open the door to real trouble.

As a CISO or cybersecurity pro, you could notice one day that "something is different" because your users' computers are slowing down. Or — with a little sleuthing — you may discover that your organization's power bill has suddenly soared by hundreds or even thousands of dollars.

At this point, it's possible that cryptominers have compromised your enterprise network and/or web environment. But there is no immediate need to panic. Cryptominers typically aren't looking to steal sensitive data or intentionally disrupt operations. They want to take your computing resources and use them to surreptitiously mine for cryptocurrency.

On the surface, this might seem like a "no harm/no foul" crime. However, the potential for risk is equivalent to that of any botnet, malware, ransomware, or other malicious threat. When cryptominers successfully compromise your network or cloud environment, they are hijacking the resources your organization pays for, while possibly setting the stage for expanded exploitation or, at minimum, evidence that there is a security gap that others could exploit.

Bitcoin's valuation — which peaked at $20,000 in December 2017 — soared, and interest in cryptomining followed suit. Even if the valuations of cryptocurrencies have declined since then, the overall market is projected to reach $1 trillion this year, up from about $417 billion in February.

Hackers keep "borrowing" computing power because it takes plenty of processing power to solve the complex mathematical equations required to create the digital coins. Bitcoin's network alone currently consumes at least 2.55 gigawatts of electricity, and probably will reach 7.67 gigawatts sometime this year, according to research published by Alex de Vries, blockchain specialist for PwC. (To put this in context, the nation of Austria uses 8.2 gigawatts.)

The insatiable need for power drives hackers to infect cloud environments and enterprise networks purely to exploit computing resources. Over the past year, cryptomining hackers have compromised the Amazon Web Services (AWS) and Microsoft Azure environments of organizations such as Aviva, a British multinational insurance company; Gemalto, the world's largest manufacturer of smart cards; and Tesla, the electric vehicle and solar energy manufacturer, according to researchers from RedLock, a cloud monitoring and defense firm.

To gain further enterprise-level access to the power, attackers embed miner scripts in websites so they can tap the computing resources of many computers without installing malware on each of them, according to Kaspersky Lab. They're also embedding the scripts in YouTube ads to spread them via multiple pages and videos without the attackers having to do anything.

The activity is pervasive: Nearly 49,000 websites host some kind of cryptocurrency mining malware, according to research from the Bad Packets Report. More than four out of five of the sites use Coinhive, which mines for the Monero cryptocurrency. Hackers favor Monero because its transactions are essentially untraceable, and it is still feasible to mine Monero on commodity hardware, unlike Bitcoin, which requires specialized equipment.

What's more, not all of the hacking is benign: In May, 360 Total Security announced that it had discovered malware that it named WinstarNssmMiner, a new form of Monero miner that crashes systems when antivirus products attempt to remove it. 360 Total Security reported during the announcement that it had intercepted WinstarNssmMiner attacks more than 500,000 times over a three-day period.

Any vulnerable application will be targeted, and any weakly secured interface will be exploited. Fortunately, preventing most of these attacks simply requires good cyber hygiene, which should include the following steps:

1. Update antivirus signatures and patches. Despite the relatively "new" and "hot" status of cryptomining, these attacks are straightforward. They work just as traditional malware does: they use slightly modified commodity mining software and standard protocols to communicate with mining servers. If your antivirus signatures are current, there is a good chance you will detect infections. The safest course of action is to keep your hosts patched. Prioritize externally facing hosts and vulnerabilities that have publicly disclosed exploits.

2. Use the latest versions for software and apps. Similarly, if you're deploying the latest version of these products from vendors, you improve the chances of defending your organization from cryptominers seeking to exploit via vulnerabilities in older products.

3. Avoid unauthenticated platforms and application programming interfaces (APIs). By default, they are unsecured, and hackers can manage them remotely. At Alert Logic, for instance, we found attackers targeting exposed unauthenticated Docker Daemon APIs, with the attacker's "haul" totaling 175 Monero, which, at the time, equaled about $35,000. Enabling authentication and not exposing these services directly to the Internet should be your only acceptable deployment strategy.

4. Keep your cloud credentials out of the public side of GitHub. Attackers are aware that a rich source of AWS keys comes from monitoring GitHub. It takes minutes for an attacker to spin up hundreds of instances on your account after an errant commit that includes credentials. Ensure your developers are not using public GitHub repositories for production or test code in general, and especially not for credentials to your cloud infrastructure.

5. Monitor Windows Task Manager. Task Manager will reveal whether your CPUs are going into overdrive. "Normal" utilization for the cloud is up to 80% of CPU capacity during working hours. But cryptominers will go full-throttle, seeking 100% utilization 24/7/365. When you see such spikes across your environment, you can safely assume that you have a malware situation.
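Step 3 is easiest to act on as a configuration check. The following Python audit is an added example (not code from the article or from Alert Logic): it reads a Docker `daemon.json`, flags any `tcp://` listener that lacks `"tlsverify": true` or is bound to every interface, and shows a weak document beside a hardened one. The two configurations and the rules applied to them are this example's own constructed assumptions; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are standard dockerd options.

```python
import json
from urllib.parse import urlsplit

# Two constructed daemon.json documents (example data, not from the article).
# The first exposes the Docker API on every interface over plain TCP with no
# authentication; the second keeps the local socket, binds TCP to a single
# management address, and requires client certificates (tlsverify).
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Addresses that mean "listen on every interface" (urlsplit gives "" for "tcp://:2375").
ALL_INTERFACES = {"0.0.0.0", "::", ""}


def audit_daemon_config(text):
    """Return a list of findings (strings) for one daemon.json document.

    The rules are this example's own assumptions, not a Docker checklist:
      * a tcp:// listener without "tlsverify": true accepts commands from
        anyone who can reach the port (remote, unauthenticated control);
      * a tcp:// listener bound to 0.0.0.0 or :: is reachable on every
        interface, which is how a daemon ends up exposed to the Internet.
    """
    cfg = json.loads(text)
    findings = []
    tls_verify = cfg.get("tlsverify") is True
    for listener in cfg.get("hosts", []):
        parts = urlsplit(listener)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        host = parts.hostname or ""
        if not tls_verify:
            findings.append(f"{listener}: TCP listener without tlsverify; "
                            "API is remotely controllable with no authentication")
        if host in ALL_INTERFACES:
            findings.append(f"{listener}: bound to all interfaces; bind to a "
                            "management address and keep it off the Internet")
    if tls_verify:
        # tlsverify without certificate paths relies on dockerd's defaults; make it explicit.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is not configured")
    return findings


def is_acceptable(text):
    """True when the document passes every rule above."""
    return not audit_daemon_config(text)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, "->", audit_daemon_config(doc) or "no findings")
```

Run it against the `daemon.json` shipped by your configuration management, or wire it into a pre-deployment check, so a listener on `0.0.0.0:2375` never reaches a host with a public address. Mutual TLS still leaves the port reachable; a firewall or security group that limits the management address to your own networks is the other half of "not exposing these services directly to the Internet".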
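Step 4 can be enforced before a commit ever leaves a developer's machine. The following Python scanner is an added example, not code from the article or from Alert Logic: it walks the added lines of a unified diff, matches the AWS access key ID format (`AKIA`/`ASIA` plus 16 characters) and flags 40-character tokens on lines mentioning "secret" only when their Shannon entropy is high enough to look like a real key. The sample diff is constructed and uses AWS's published placeholder credentials; the entropy floor and the "secret" keyword heuristic are this example's own assumptions.

```python
import math
import re

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")
# A secret access key is a 40-character base64-style token. Candidates are only
# considered on lines that mention "secret" and are then filtered by entropy.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
ENTROPY_FLOOR = 4.0  # bits per character; assumption chosen to reject filler strings


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(token):
    """Keep only the ends so a finding can be logged without re-leaking the secret."""
    return token[:4] + "..." + token[-4:]


def scan_diff(diff_text):
    """Return (line_no, kind, masked_token) for credentials on added lines of a unified diff."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines being added can introduce a new leak
        body = line[1:]
        for m in ACCESS_KEY_RE.finditer(body):
            findings.append((line_no, "aws_access_key_id", mask(m.group(0))))
        if "secret" in body.lower():
            for m in TOKEN_RE.finditer(body):
                if shannon_entropy(m.group(0)) >= ENTROPY_FLOOR:
                    findings.append((line_no, "aws_secret_access_key", mask(m.group(0))))
    return findings


def should_block_commit(diff_text):
    """A pre-commit hook would exit non-zero when this is True."""
    return bool(scan_diff(diff_text))


# Constructed diff using AWS's documented placeholder credentials, so nothing real is here.
# The last added line is a low-entropy decoy that the entropy floor must ignore.
SAMPLE_DIFF = """\
diff --git a/deploy/config.ini b/deploy/config.ini
--- a/deploy/config.ini
+++ b/deploy/config.ini
@@ -1,2 +1,5 @@
 [default]
 region = us-east-1
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+secret_santa_list = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

Feed it the output of `git diff --cached` from a pre-commit hook and refuse the commit when `should_block_commit` is true. The scanner reports masked tokens only, so its own output can go into a log or CI console without repeating the leak, and a key that still slips through should be rotated rather than merely removed from history, since public repositories are mirrored and crawled within minutes.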
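Step 5 describes a single Task Manager view; the same rule works across a fleet once the readings are collected. The Python detector below is an added example, not code from the article or from Alert Logic, and goes beyond one machine: it takes hourly CPU readings per host, measures the longest unbroken run at or above a saturation threshold, and flags hosts whose run outlasts any plausible working-hours burst. The host names, readings, 95% threshold and 12-hour minimum are this example's own constructed assumptions.

```python
from datetime import datetime, timedelta

SATURATION_PCT = 95       # assumption: a miner pegs the CPU at or near 100%
MIN_SUSTAINED_HOURS = 12  # assumption: longer than any working-hours burst


def build_samples():
    """Constructed hourly CPU readings for three hosts over one day (not real telemetry)."""
    start = datetime(2018, 7, 30)
    samples = {"web-01": [], "build-07": [], "db-02": []}
    for h in range(24):
        ts = start + timedelta(hours=h)
        working_hours = 9 <= h < 18
        samples["web-01"].append((ts, 75 if working_hours else 10))    # normal day/night profile
        samples["build-07"].append((ts, 100))                           # pegged around the clock
        samples["db-02"].append((ts, 100 if 10 <= h < 14 else 30))      # legitimate 4-hour batch job
    return samples


def longest_saturated_hours(series, threshold=SATURATION_PCT):
    """Length in hours of the longest unbroken run of readings at or above threshold.

    Works from timestamps rather than sample counts, so irregular sampling
    intervals are handled; a run consisting of one reading counts as zero hours.
    """
    best = 0.0
    run_start = None
    for ts, pct in sorted(series):
        if pct >= threshold:
            if run_start is None:
                run_start = ts
            best = max(best, (ts - run_start).total_seconds() / 3600)
        else:
            run_start = None
    return best


def find_suspect_hosts(samples, min_hours=MIN_SUSTAINED_HOURS):
    """Hosts whose saturation lasted at least min_hours, sorted by name."""
    return sorted(host for host, series in samples.items()
                  if longest_saturated_hours(series) >= min_hours)


def fleet_verdict(samples):
    """Summary a SOC would page on: which hosts, and how much of the fleet."""
    suspects = find_suspect_hosts(samples)
    return {"suspects": suspects, "share_of_fleet": len(suspects) / len(samples)}


if __name__ == "__main__":
    data = build_samples()
    for host, series in data.items():
        print(f"{host}: longest saturated run {longest_saturated_hours(series):.1f} h")
    print(fleet_verdict(data))
```

The batch-job host is the important negative case: it sits at 100% for four hours in the working day and is correctly left alone, while the host pegged through the night is flagged. Replace `build_samples` with readings pulled from your monitoring stack (cloud provider CPU metrics or an endpoint agent) and alert when `share_of_fleet` jumps, which is the "spikes across your environment" signal the step describes.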

As shown, this isn't the kind of compromise that should keep you up at night. So far, the impact of cryptomining amounts to more of an annoyance and additional cost burden than anything else. But an infection is an infection, and an exposure that opens the door to these attackers speaks to the overall defense of your entire cyber ecosystem. By addressing the "basics" illustrated in the steps here, you're sending a clear message to cryptominers: There's no money to be made here, so move along.


Matt Downing is a Principal Threat Researcher at Alert Logic. In this role, he investigates the tactics and techniques hackers employ to attack Alert Logic's wide customer base. He has previously held various technical and security roles in the financial sector and Department ...