#Infosec19: DNS Security Could Be a Match for Crypto-jacking

DNS security tools can offer IT teams a useful way to detect and prevent illegal cryptocurrency mining on their networks, according to Infoblox.

The security vendor’s consulting solutions architect, Chris Marrison, told attendees at Infosecurity Europe today that rapid technology advances over the past couple of years have taken the industry from the digital equivalent of panning for gold to pit mining in a very short space of time.

“However, the cheapest way to access computing power with the best RoI is not to pay for cooling, power or CPUs at all,” he added.

So-called crypto-jacking has emerged as a favorite way for hackers to make money, by handing off the power- and CPU-intensive task of mining for digital currency to infected hosts.

According to Trend Micro, detections peaked last year at over 1.3 million — a 237% increase from 2017.

Although the end of the notorious mining tool Coinhive earlier this year seems to have led to a decline in attacks targeting consumers, they’re still on the rise against enterprises.

Crypto-jacking enabled by malware infections is more serious for organizations than in-browser attacks, warned Marrison.

“Using your PC without your consent is one thing, but infection with malware means you’re compromised. In future, this machine is effectively a zombie which could be used for additional malicious activity,” he claimed.

Crypto-mining malware activity can be hard to spot as there’s no attempt to steal data; infections can be spread out across desktops, servers, mobile devices and IoT endpoints; and traffic is difficult to differentiate from legitimate traffic.

However, DNS offers an opportunity to shine a light on such threats, according to Marrison.

By monitoring this channel with specialized tools, organizations can spot attempts by hosts to connect to known crypto-mining malware distribution sites, and detect communications between infected clients and C&C domains, he argued.

DNS tools can also be used to spot fast flux and domain generation algorithm (DGA) techniques, which rapidly change the C&C’s IP address or domain name in a bid to avoid detection. These capabilities should be built into a defense-in-depth approach to cybersecurity, including best-practice controls such as AV, firewalls and more, Marrison concluded.
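The three DNS checks Marrison describes (lookups of known mining or C&C domains, DGA-style names, and fast-flux resolution) can be prototyped against an ordinary resolver log. The script below is an added example for this article, not Infoblox code or any product's detection logic. The log format, the blocklist contents, the entropy and length thresholds and the fast-flux threshold are all assumptions, and the log lines are constructed for the example.

```python
"""
Added example (not Infoblox code): three DNS-log checks for crypto-mining
activity.

  1. lookups of domains on a blocklist of known mining / C&C domains
  2. DGA-like names (long, high-entropy registrable labels)
  3. fast-flux behaviour (one name resolving to many distinct IPs)

The log format, blocklist and thresholds are assumptions; the log lines
are constructed for this example.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype> <answer>"
SAMPLE_LOG = """\
2019-06-04T10:00:01 10.0.0.5 pool.example-miner.test A 203.0.113.10
2019-06-04T10:00:02 10.0.0.5 www.example.com A 93.184.216.34
2019-06-04T10:00:03 10.0.0.7 xk3j9q2v7zp1m4.net A 198.51.100.20
2019-06-04T10:00:04 10.0.0.7 cdn.example.org A 198.51.100.30
2019-06-04T10:00:05 10.0.0.9 cc.example-flux.test A 203.0.113.41
2019-06-04T10:00:35 10.0.0.9 cc.example-flux.test A 203.0.113.42
2019-06-04T10:01:05 10.0.0.9 cc.example-flux.test A 203.0.113.43
2019-06-04T10:01:35 10.0.0.9 cc.example-flux.test A 203.0.113.44
2019-06-04T10:02:05 10.0.0.9 cc.example-flux.test A 203.0.113.45
"""

# Hypothetical blocklist of known mining-pool and C&C domains (assumption;
# in practice this comes from a threat-intelligence feed).
BLOCKLIST = {"pool.example-miner.test", "cc.example-malware.test"}

# Tunable heuristics (assumptions, to be calibrated on your own traffic).
DGA_MIN_LABEL_LEN = 12   # short labels give unreliable entropy estimates
DGA_MIN_ENTROPY = 3.5    # bits per character of the registrable label
FAST_FLUX_MIN_IPS = 5    # distinct A answers for one name in the log window


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, answer = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "answer": answer})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the last dot, e.g. 'example' for 'www.example.com'.
    A real deployment would consult the Public Suffix List; this is a
    simplification that mishandles names such as example.co.uk."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_like_dga(qname):
    """Flag long, high-entropy registrable labels. CDN and cloud hostnames can
    also score high, so pair this with an allowlist before alerting."""
    label = registrable_label(qname)
    if len(label) < DGA_MIN_LABEL_LEN:
        return False
    return shannon_entropy(label) >= DGA_MIN_ENTROPY


def find_blocklist_hits(records):
    """(client, qname) pairs for lookups of blocklisted domains."""
    return [(r["client"], r["qname"]) for r in records if r["qname"] in BLOCKLIST]


def find_dga_candidates(records):
    """Distinct (client, qname) pairs whose name passes the DGA heuristic."""
    return sorted({(r["client"], r["qname"]) for r in records if looks_like_dga(r["qname"])})


def find_fast_flux(records, min_ips=FAST_FLUX_MIN_IPS):
    """Names whose A answers span at least min_ips distinct addresses. The whole
    log is treated as one time window here; large legitimate services also
    rotate many IPs, so combine this with TTL analysis and an allowlist."""
    ips = defaultdict(set)
    for r in records:
        if r["qtype"] == "A":
            ips[r["qname"]].add(r["answer"])
    return {name: sorted(addrs) for name, addrs in ips.items() if len(addrs) >= min_ips}


def analyse(text):
    """Run all three checks over a log and return the findings by category."""
    records = parse_log(text)
    return {
        "blocklist_hits": find_blocklist_hits(records),
        "dga_candidates": find_dga_candidates(records),
        "fast_flux": find_fast_flux(records),
    }


if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(category, hits)
```

Run against the constructed log, the blocklist check catches the client resolving the miner pool, the entropy heuristic flags only the random-looking `xk3j9q2v7zp1m4.net` (the hyphenated real-word labels stay under the threshold), and the fast-flux check surfaces the name that returned five different addresses in two minutes. Each finding is a lead for the defense-in-depth controls the article mentions, not a verdict on its own.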
