Cryptocurrency mining relies on the computational power of the systems used to create the currency and process its transactions. Many are realizing that this computational power, which requires a huge investment, is at a premium.
As with any activity that can potentially yield big money, people are looking to exploit the process without the investment. Cryptocurrency pirates are happy to steal computational power to do it, and they don’t care who they hurt in the process.
On-premises and cloud-based resources are being targeted by these hackers, who look for the weakest link through which to install and propagate their mining software.
X Marks the Spot
In many ways, gaining access to a company's cloud-based resources may be as effective as, and perhaps more efficient than, amassing a large number of on-premises systems. Hackers aren't fussy and will target any server that lacks solid security controls, regular security auditing, or fine-grained network access controls.
It is unsurprising, then, that these pirate miners look for over-privileged users and unsecured networks to compromise.
Having tunneled in, they then abuse a security flaw to spread malware that mines currencies like Karbowanec and Monero. Recently, a new fileless malware (dubbed GhostMiner) was seen that includes code capable of removing competing malware from an infected network.
Weakened Foundations
Each unauthorized crypto-mining incident can result in lost productivity, degraded network bandwidth, and higher operational costs. There are, however, weightier issues centered on the failure of security best practices that let the miner in.
For example, if a crypto-miner can exploit corporate systems to install mining bots, the company is likely vulnerable to more damaging malware as well.
Another, often overlooked, aspect of crypto-mining is the enormous drain it places on infrastructure resources. Power, cooling, and hardware over-utilization costs must also be factored into damage calculations.
For IT departments managing in-house servers, or paying a spiking AWS or other hosting bill, shutting out pirate miners is a priority.
Time for Mining Malware to Walk the Plank
To stop these resource-stealing miners, companies should consider implementing as many safeguards as is practical to increase the potential for detection and mitigation:
Build secure - Building servers securely from the start requires standard security practices like anti-virus and centralized logging. Many companies attempt to bolt on advanced security solutions instead of building securely. For example, every cryptominer needs to send data out, and in this case that data is the money derived from the stolen resources. Companies often work hard to protect inbound access to high-value systems without holding outbound access to the same standard. Software-Defined Perimeter (SDP) solutions and proper network access controls can ensure that even if a system is compromised, it cannot reach out to a Command and Control (C2) server for instructions or exfiltration.
Basic security hygiene - Even the most evasive malware relies on a vulnerability to gain a foothold, be it an unpatched system or a user susceptible to phishing. Staying up to date on vulnerabilities in the software employed is often the best method of thwarting opportunistic attacks. However, cybersecurity training, risk awareness, and targeted threat comprehension are just as important.
Trust no-one - Beyond this basic hygiene, a more strategic approach, like a zero-trust model, is essential. Zero trust means exactly that: assume that anyone attempting to access the network shouldn't be trusted unless they can prove otherwise. The zero-trust model stipulates that all connections be secured and protected, implementing 'least privilege' access control for all users.
Detect - Detection can be tricky. Advanced cybersecurity solutions offer more than signatures for known malware specimens; they also detect a process attempting to access other processes or escalate privileges for nefarious purposes. These solutions often require humans on the back end, ready to verify threats and respond to compromises. A cryptominer's core function is computational: it relies heavily on CPU and GPU components to generate cryptographic hashes. Monitoring solutions that profile system usage over time are likely to detect both spikes and sustained higher processor usage.
Defend - In many cases, these attacks take advantage of vulnerabilities that should already have been resolved by vendor updates. A diligent patch management program is a requirement in today's threat landscape. Additionally, companies need to ensure that computer and network data is collected, monitored, and analyzed to identify and respond to threats in their environment.
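The "Build secure" item above argues that outbound access deserves the same scrutiny as inbound access. The following is an added illustration, not code from the original article: it evaluates constructed outbound connection records from web servers against an egress allowlist and contrasts the weak posture (outbound open by default, only the allowlist is consulted for logging) with the corrected one (default deny, only allowlisted destinations pass). Host names, roles, addresses, ports and log lines are all constructed for the example.

```python
"""Audit outbound connections against an egress allowlist (added example).

The allowlist models "hold outbound access to the same standard as inbound":
a server may only talk to the specific internal destinations its role needs.
All hosts, networks, ports and log lines below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    src_role: str                    # role of the originating host, e.g. "web"
    dst_net: ipaddress.IPv4Network   # permitted destination network
    dst_port: int                    # permitted destination port


@dataclass(frozen=True)
class Conn:
    ts: str
    host: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int


# Constructed host-to-role mapping (an inventory/CMDB would supply this).
ROLE_BY_HOST = {"web-01": "web", "web-02": "web"}

# Constructed allowlist: what a web server legitimately needs to reach.
ALLOWLIST = [
    EgressRule("web", ipaddress.ip_network("10.0.20.0/24"), 5432),   # database tier
    EgressRule("web", ipaddress.ip_network("10.0.30.10/32"), 443),   # internal update proxy
    EgressRule("web", ipaddress.ip_network("10.0.30.20/32"), 514),   # central log collector
]

# Constructed connection log: timestamp host src dst:port
LOG = """\
2024-01-01T10:00:00Z web-01 10.0.10.11 10.0.20.5:5432
2024-01-01T10:00:03Z web-01 10.0.10.11 10.0.30.20:514
2024-01-01T10:01:10Z web-02 10.0.10.12 203.0.113.45:8080
2024-01-01T10:01:11Z web-02 10.0.10.12 203.0.113.45:443
"""


def parse_log(text):
    """Turn the constructed log format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, dst_and_port = line.split()
        dst, port = dst_and_port.rsplit(":", 1)
        conns.append(Conn(ts, host, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(port)))
    return conns


def is_allowlisted(conn):
    """True if some rule for the host's role covers this destination and port."""
    role = ROLE_BY_HOST.get(conn.host)
    return any(rule.src_role == role
               and conn.dst in rule.dst_net
               and rule.dst_port == conn.dst_port
               for rule in ALLOWLIST)


def decide(conn, default_deny):
    """Policy decision: default_deny=False is the weak 'outbound is open' posture."""
    if is_allowlisted(conn):
        return "allow"
    return "deny" if default_deny else "allow"


def audit(text, default_deny=True):
    """Return (ts, host, destination) for every connection the policy denies."""
    return [(c.ts, c.host, f"{c.dst}:{c.dst_port}")
            for c in parse_log(text)
            if decide(c, default_deny) == "deny"]


if __name__ == "__main__":
    print("open outbound, denied:", audit(LOG, default_deny=False))
    print("default-deny egress, denied:", audit(LOG))
```

Under the weak posture nothing is denied, so a compromised web-02 could reach an arbitrary external address. Under default-deny the two connections to 203.0.113.45 are blocked even though one of them uses port 443; the allowlist is keyed on destination and role, not on whether the port looks ordinary. In production the same rule set would be enforced at a host firewall, security group or SDP gateway, with the audit output feeding the detection pipeline.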
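The "Detect" item above suggests profiling system usage over time so that sustained higher processor load stands out. The following is an added example, not code from the original article, of that idea: it learns a per-host CPU baseline from an initial window of samples, treats a reading as anomalous only when it exceeds the baseline mean by a margin derived from the baseline's spread, and alerts only after several consecutive anomalous readings, so a short legitimate burst (a backup job, say) does not page anyone while a process pegging the CPU for minutes does. The hosts, sample values, window size, multiplier and thresholds are all constructed assumptions for the example.

```python
"""Detect sustained CPU elevation against a learned per-host baseline (added example).

All sample data and tuning constants are constructed for illustration.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

BASELINE_WINDOW = 12      # samples used to learn "normal" for a host (assumption)
MIN_STREAK = 4            # consecutive anomalous samples before alerting (assumption)
STDEV_MULTIPLIER = 3.0    # how far above the mean counts as anomalous
MIN_DELTA = 25.0          # percentage points; floor so a near-zero stdev cannot
                          # turn a 2-point wobble into an alert (assumption)


def build_samples():
    """Constructed (host, tick, cpu_percent) readings.

    web-01 idles at 18-20% with a two-tick burst to 85% (a backup job).
    web-02 idles at 12-15% and then stays pinned around 93-94% from tick 15 on,
    the profile a miner produces.
    """
    samples = []
    for t in range(30):
        cpu = 18.0 + (t % 3)
        if t in (20, 21):
            cpu = 85.0
        samples.append(("web-01", t, cpu))

        cpu = 12.0 + (t % 4)
        if t >= 15:
            cpu = 93.0 + (t % 2)
        samples.append(("web-02", t, cpu))
    return samples


def detect_sustained_cpu(samples):
    """Return one alert per host whose CPU stays above its baseline for MIN_STREAK ticks."""
    baselines = defaultdict(lambda: deque(maxlen=BASELINE_WINDOW))
    streak = defaultdict(int)
    alerted = set()
    alerts = []

    for host, tick, cpu in sorted(samples, key=lambda s: s[1]):
        window = baselines[host]
        if len(window) < BASELINE_WINDOW:
            window.append(cpu)          # still learning this host's normal
            continue

        threshold = mean(window) + max(STDEV_MULTIPLIER * pstdev(window), MIN_DELTA)
        if cpu > threshold:
            streak[host] += 1
            if streak[host] == MIN_STREAK and host not in alerted:
                alerts.append({
                    "host": host,
                    "since": tick - MIN_STREAK + 1,   # first tick of the run
                    "cpu": cpu,
                    "threshold": round(threshold, 1),
                })
                alerted.add(host)
        else:
            streak[host] = 0
            window.append(cpu)          # only normal readings refresh the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_sustained_cpu(build_samples()):
        print(alert)
```

Two design choices matter here. Anomalous readings are deliberately kept out of the rolling window, otherwise a miner that runs long enough becomes the new "normal" and the alert clears itself. And the streak requirement is what separates a transient spike from sustained load; with real telemetry the streak length should be chosen from the sampling interval so that it corresponds to a few minutes, not a few seconds.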
Basic desktop and device security is the bare minimum requirement in this age of cyber warfare. Devices that do not follow basic security best practices are ripe for exploitation. Cryptomining attacks are not going away anytime soon, and attackers continue to become more sophisticated.
Rather than waiting for pirates to storm the network and steal computational powers, it’s time to batten down the hatches and leave them all at sea.