Ransomware? Please, that’s so 2017. Today’s cool kid hackers, and the most sophisticated threat actors, have evolved their methods and are now focused on illicit cryptomining as the easiest, most profitable new way to take advantage of organizations. Illegal cryptomining, utilizing the compute resources of unsuspecting enterprises, benefits from increasingly anonymous cryptocurrencies, new and evolving cryptocurrency mining software, and millions of unsuspecting targets who may not be aware or care that they’re being used for their electricity and compute power. But for IT departments managing in-house servers, or paying a spiking AWS or other hosting bill, the problem is very real.  

Mining cryptocurrency is all about ‘borrowing’ the computational power of systems. Both on-premises and cloud-based resources are likely to continue to be targeted by hackers, who will look for the weakest link to install and propagate the mining software. In many ways, gaining access to a company’s cloud-based resources may be as effective and perhaps more efficient than amassing a large number of on-premises systems, but hackers are likely to target any server that doesn’t have solid security controls, regular security auditing, or the adoption of more fine-grained network access controls to help to prevent the spread of malware within an organization. So how can organizations detect this problem, and prevent their servers from being used in the future to mine cryptocurrency? 

  • Detect – Detection can be tricky. Advanced cyber security solutions offer more than signatures for known malware specimens, including the detection of a process attempting to access other processes or escalate privileges for nefarious activity. These solutions often require humans on the back end, ready to verify threats and respond to compromises. Cryptominers’ core functionality is computational, heavily relying on CPU and GPU components to generate cryptographic hashes. Implementing monitoring solutions that profile system usage over time would likely detect spikes and higher overall processor usage.
  • Defend - To protect against a wide variety of cryptomining and other unknown malware, companies should consider implementing as many safeguards as is practical to increase the potential for detection and mitigation.   In many cases, these attacks take advantage of vulnerabilities that should be resolved by vendor updates. A diligent patch management program is a requirement in today's threat landscape.  Additionally, companies need to ensure computer and network data is collected, monitored and analyzed to identify and respond to threats in their environment.
  • Build secure - Building servers securely from the start requires standard security practices like anti-virus and centralized logging. Many companies attempt to bolt-on advanced security solutions instead of building securely. For example, all cryptominers require means to exfiltrate data, and data in this case is money derived from exploiting your resources. Often companies work to protect inbound access to high value systems without holding outbound access from these systems with the same regards. Software-Defined Perimeter (SDP) solutions and proper network access controls can ensure that even if a system is compromised, it cannot reach out to the Command and Control (C2) for instruction sets or exfiltration. While you may end up having dormant malware on these systems, local Anti-Virus and Anti-Malware solutions will eventually receive updated signatures to detect the dormant malware and remove it from the system.
  • Basic security hygiene - Even the most evasive malware relies on a vulnerability to activate, be it through an unpatched system or a user susceptible to phishing. Staying up to date on vulnerabilities in the software you employ is often the best method to thwarting opportunistic attacks. However, cyber security training, risk awareness, and targeted threat comprehension are just as important.  

Cryptomining attacks are not going away anytime soon, and attackers continue to become more sophisticated in their attacks, using fileless miners and native applications to execute malicious code in memory.  Leaders in cyber security are working diligently to ensure new solutions include capabilities to monitor and detect for this activity. Offerings in this marketplace will continue to grow and become more affordable to a wider audience. It is often said that for every step the good people take, the bad people take two. While this may sometimes be true, our job is not always about keeping up with them. Our adversaries often work in silos, where as we work together to innovate new solutions which limit their ability to compromise networks.