Guy Grieve – Channel SE Manager UK&I at LogPoint.

Cryptocurrencies like Bitcoin have been a source of worry since their creation. Fans of the technology say it’s the future of money in terms of privacy, and the verifiability of complex transactions; but there has always been a great debate that the real ‘value’ of cryptocurrency is in the application and use of the currency such as tax avoidance and for purchases of illicit items and services.

While governments, various financial institutes and law enforcement have begun to crackdown on those concerns by attempts to regulate the market place, cryptocurrencies remain as an attractive form of income when linked to malicious activities such as malware infections, increasing the popularity of these strains.

Because they are valuable, digital, anonymous, and work across borders—anyone can send cryptocurrencies to anyone else, anytime or anywhere – they have become an irresistible target for cybercriminals. It’s no accident that the increasing popularity of cryptocurrencies has seen a parallel rise in malware infections that turn laptops and servers into zombie machines, quietly doing the bidding of a distant and remote bitcoin ‘mining’ operation.

Bitcoin mining or Crypto-jacking takes place when someone else uses your computer to ‘mine’ a cryptocurrency like Bitcoin or Ethereum. Rather than benefit yourself, however, any mined (collected) coins go into the attacker’s (or their client’s) account. By crypto-jacking your machine the crypto-jacker steals and utilizes your resources, in the form of your machine processing power and electricity, and converts them into capital for themselves.

Those computing resources include taking over your graphics processing unit (GPU) and central processing unit (CPU). Bitcoin mining is an exceptionally power and resource-intensive task, pushing those processors into overdrive and requiring large amounts of energy to complete the complex calculations necessary to generate a virtual coin. Pushing your machinery to these levels without the correct cooling and provisions in place can easily cost you your pride and joy or witness a loss of productivity in a workplace environment due to hardware failing from overheating challenges.

That’s what motivated a team of Russian scientists to use the supercomputer at a nuclear research facility to run an unsanctioned bitcoin mining operation. It’s also what motivates crypto-jacking. By creating a distributed computing network compromised of hundreds or thousands zombie/compromised machines, they sidestep the upfront costs of a single, expensive super-powered computer, and then pass on the ongoing costs of powering it.

Those costs are passed on to us.

The UK and Australian governments recently suffered website outages thanks to a crypto-jacking malware that infected thousands of government machines. The source of infection was a compromised browser plug-in made by a third-party. Thousands of websites in and outside of Australia, including the UK’s National Health Service, and the UK’s own data protection watchdog, were affected.

Windows machines tend to be the target of crypto-jacking malware, but other devices and operating systems can also be turned into bitcoin mining bots:

  • Mac OS and iOS device, including iPhones
  • Gaming consoles
  • Environment-monitoring devices, used in data centers
  • IoT devices within a Smart Home instance
  • Home WIFI routers
  • Android-run smart TVs and mobile devices

A compromised device is often forced by the malware to run at the maximum of what its components can handle. Mining can slow other processes, overwork cards and processors, or even brick the machine. With degraded capabilities and the connection between the infected host and the command and control server for the crypto mining software being unsecured, the machine can also be vulnerable to infection from other kinds of malware.

While an end user or network admin might realize that a machine is running more slowly than normal, or that CPU usage on the network is high, determining the source of the issue can be difficult. The fact that a crypto-jacked machine is running slowly also makes it harder to investigate. The mining processes initiated by the malware can also mask themselves as normal system tasks.

To stop crypto-jacking, cross correlate network anomalies

Unfortunately, there is no blanket protection against crypto-jacking. As with any malware there are multiple vectors of infection and keeping them out of connected machines is part of the long-term battle against malware.

Security teams should of course, follow standard mitigation techniques – updating antivirus and firewall settings, ensuring all devices are updated with the latest patches, changing or strengthening default credentials, application whitelisting and so on.

But the biggest challenge to stopping crypto-jacking is detection. Proactively monitoring network traffic and machine status can help spot the indicators of infection – spikes in CPU usage, excessive memory usage, network congestion, or servers inexplicably slowing down. However, when seen in isolation, these red flags may not be enough to raise the alarm.

The key is to have network monitoring systems capable of cross-correlating the anomalies. Only then can a system administrator or SOC team can identify the behavioral patterns that point to bitcoin or another cryptocurrency mining. They can then decide on the best approach to stopping it, mitigating the damage, and limiting the size of the energy bill created by the infection.

Securing email gateways, developing countermeasures against web injections, implementing best practice for mobile devices, BYOD (Bring your own device), and promoting a security-aware business culture can all form part of a defense-in-depth against crypto-jacking and other breaches.

Ultimately, however, the security of internet-connected devices against cryptocurrency-mining malware is going to be a top item on the cybersecurity agenda for some time to come.

For more information contact us via [email protected]