A look into the dangers of allowing unauthorized cryptomining in a network environment.
There is little difference between cryptomining software a user installs, and the cryptomining software installed by a malicious actor.
By far the most prominent money-making threat scheme of 2018 was malicious cryptomining. This is a topic the Cisco Talos threat intelligence group has been researching for some time. To the mind of an attacker, it’s almost the perfect crime: Miners often work in the background without the users’ knowledge, stealing their computing power while generating revenue for the attacker.
As enterprises became better at dealing with ransomware, and law enforcement agencies throughout the world began to crack down on ransomware attackers, more and more adversaries were drawn to the less risky prospect of peddling malicious cryptomining software.
There is often little to no difference between cryptomining software that a user installs on their own and cryptomining software installed by a malicious actor. The nuance lies in consent; malicious cryptomining software is running without the owner’s knowledge. There is an obvious appeal to attackers in this case – where they can reap the benefits without the victims' knowledge.
In the game of risk and reward, cryptomining is less likely to draw the attention of law enforcement. Conversely, any software that runs on a device without the owner’s knowledge is a cause for concern.
And cryptomining – malicious or otherwise – can pay well. Over the past couple of years, and into the first half of 2018, the value of cryptocurrency skyrocketed. As with anything software-related and valuable, malicious actors took notice, especially as it coincided with a decline in ransomware. And cryptomining yields recurring revenue, whereas ransomware usually results in a one-time payment from the victim.
From the perspective of the defender, there are plenty of reasons to be concerned about malicious cryptomining. Like any piece of software on a computer, cryptomining will have a negative impact on overall system performance, and will require extra power. It may not add up to much on one system, but multiplying the cost over the number of endpoints in an organization, you could see a noticeable rise in power costs.
Furthermore, there may be regulatory compliance implications when cryptominers are earning revenue on corporate networks. This holds especially true for those in the financial sector, where strict rules could apply to revenue generated using corporate resources, whether or not those in charge are aware of the practice.
But perhaps most worrying is that the presence of a malicious cryptomining infection, unbeknownst to those running a network, could point to security holes in the network configuration or overall security policies. Such holes could just as easily be exploited by attackers for other means. In essence, if a cryptomining infection is found on a network, what’s to stop other malicious threats from exploiting those same vulnerabilities to carry out further malicious activity?
While there have been sharp peaks and valleys in the overall volume of cryptomining-related traffic that Cisco has witnessed on the DNS layer, the takeaway is that cryptomining is trending up as time goes on.
Figure 3 Corporate DNS cryptomining traffic volume
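The DNS-layer visibility described above is something a defender can reproduce on their own resolver logs. The following is an added example, not code from the Cisco report: it parses constructed DNS query log lines, flags lookups against a placeholder watchlist of mining-pool domains (standing in for a real threat-intelligence list), attributes hits to internal clients, and checks whether daily volume is trending up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed resolver log lines (not real data): "<ISO time> <client IP> <query name>"
SAMPLE_DNS_LOG = """\
2018-09-03T08:01:12Z 10.20.1.15 www.example-intranet.internal
2018-09-03T08:02:40Z 10.20.1.15 pool.example-minerpool.test
2018-09-03T09:15:02Z 10.20.1.22 updates.example-vendor.test
2018-09-04T07:45:19Z 10.20.1.15 pool.example-minerpool.test
2018-09-04T07:46:03Z 10.20.1.31 xmr.example-minerpool.test
2018-09-04T11:20:55Z 10.20.1.31 xmr.example-minerpool.test
2018-09-05T10:03:27Z 10.20.1.31 xmr.example-minerpool.test
2018-09-05T10:04:11Z 10.20.1.40 api.example-minerpool.test
2018-09-05T10:05:58Z 10.20.1.40 www.example-vendor.test
2018-09-05T16:12:09Z 10.20.1.15 pool.example-minerpool.test
"""

# Placeholder domain suffixes standing in for a real mining-pool watchlist (assumption).
MINING_POOL_SUFFIXES = ("example-minerpool.test",)
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def is_mining_pool(qname):
    """Match the query name or any subdomain of a watchlisted suffix."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in MINING_POOL_SUFFIXES)

def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)

def find_mining_activity(text):
    """Return (watchlist hits per client, watchlist hits per day)."""
    per_client, per_day = Counter(), Counter()
    for ts, client, qname in parse_dns_log(text):
        if is_mining_pool(qname):
            per_client[client] += 1
            per_day[ts.date().isoformat()] += 1
    return per_client, per_day

def trend_is_rising(per_day):
    """True when daily hits never decrease across the observed days."""
    counts = [per_day[d] for d in sorted(per_day)]
    return len(counts) >= 2 and all(b >= a for a, b in zip(counts, counts[1:]))

if __name__ == "__main__":
    clients, days = find_mining_activity(SAMPLE_DNS_LOG)
    for client, n in clients.most_common():
        print(f"{client}: {n} mining-pool lookups")
    print("daily volume:", dict(sorted(days.items())), "rising:", trend_is_rising(days))
```

Hosts that repeatedly resolve pool domains are the ones to pull into an endpoint investigation; a rising daily count across the estate is the same signal the figure above shows at corporate scale.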
What is interesting is that the values of many popular cryptocurrencies declined over the same period. Take Monero for instance, a popular coin used in malicious cryptomining.
Figure 4 Monero closing values
Malicious actors are continuing to push malicious cryptomining out because of the ease of deployment and the low risk if discovered. The fact is, once it’s installed on a device, it continues to earn the malicious actor money so long as it remains.
There are various ways that malicious cryptomining can find its way into your environment, such as:
An internal malicious actor
Unfortunately, malicious cryptomining is here to stay for the foreseeable future. Distributors of spam will likely continue to send cryptomining threats.
Money is and likely always will be one of the chief motivators for malicious actors. In many ways, malicious cryptomining can be seen as a way for attackers to make a fast profit with little overhead. This is especially true since targets are less worried about the implications of cryptomining on their devices as compared to other threats. It’s a perfect situation for wolves to dress as sheep and watch the profits roll in.
The presence of cryptomining, unbeknownst to network administrators, could point to other security holes in the network.
For this report, we looked at a wide variety of threats to include. While not everything made it into the report, we plan to visit the following topics in the coming months through our Threat of the Month blog series. Here’s a taste of what’s to come:
Digital extortion. One of the more insidious phishing campaigns of late has preyed upon recipients’ fears in order to extort Bitcoin payments. Some campaigns claim that they caught the recipient on camera looking at pornographic web sites. Others include fake bomb threats. Ultimately, the threats are completely fabricated, all in the hopes of tricking enough recipients into filling the attackers’ Bitcoin wallets.
Office 365 phishing. Another significant phishing campaign centers around stealing credentials from Microsoft Office 365 accounts. Attackers have used a number of methods to do so. We’ll outline different campaigns and how to recognize them in our upcoming blog post.
To stay abreast of our Threat of the Month blog series, be sure to subscribe to our mailing list and visit the Threat of the Month page.
https://blogs.cisco.com/security/cryptomining-a-sheep-or-a-wolf
https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html
https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html