Infosec pros know there are any number of signs that despite best efforts an organization’s network security may have been penetrated. According to a new report from the Cyber Threat Alliance, one in particular should set off alarm bells: The presence on any computer of cryptomining software.
“Mining is the canary in the coal mine,” the CTA says in a white paper released Wednesday, “warning you of much larger problems ahead. CTA members recount case after case of being called in to an incident response for a mining infection and finding signs of multiple threat actors in the network.”
“The presence of illicit cryptocurrency mining within an enterprise is indicative of additional flaws in cybersecurity posture that must be addressed. Most illicit mining takes advantage of lapses in cyber hygiene or slow patch management cycles to gain a foothold and spread within a network. If miners can gain access to use the processing power of your networks, then you can be assured that more sophisticated actors may already have access.”
Cryptomining uses the computing power of devices to solve mathematical problems built by the creators of digital currencies for the free distribution of coin: solve a problem, using the number-crunching power of a computer, and get free coin. The attraction to criminals is obvious. Hence cryptojacking: the surreptitious installation of mining software on other people’s computers, websites and even smartphones.
There’s been a tremendous rise of cryptojacking in the past year. In a report released this week, Europol, the European police co-operative, noted that some security vendors say that in the latter part of 2017 cryptomining overshadowed almost all other malware threats.
Evidence of cryptomining software on corporate devices is also prime evidence of a patching problem, says the CTA white paper, because criminals use known exploits to plant their malware. The proof? A patch for the Windows vulnerability targeted by the EternalBlue exploit has been available for 18 months, yet the report says there are still “countless organizations” being victimized through it to set up mining malware. The same vulnerability can also be used by an attacker to move laterally across a network.
In addition to siphoning off corporate computer power and increasing inefficiency, mining software also runs the risk of damaging CPUs/GPUs by maxing out their power. Some malware disables a computer’s sleep and hibernation modes to maximize mining time. These are tell-tale signs of cryptomining. Criminals have caught on, says the report, so more advanced actors configure their mining software to only use 20 per cent of the machine’s CPU, or stop mining when a user moves a mouse.
The report includes a number of recommendations infosec pros can use to fight cryptojacking, including identifying known good traffic and using machine learning or other artificial intelligence technologies to identify non-typical behaviours and provide a baseline for legitimate network traffic; watching for abnormal power consumption and CPU activity; and checking system privilege policies and granting administrative privileges only to personnel for whom performing administrative functions
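The tell-tale signs the report describes (a pinned CPU, a steady share such as 20 per cent, and mining that pauses whenever the user is present) can be picked out by baselining per-process CPU samples, which is the kind of behavioural monitoring the recommendations call for. The following is an added example, not code from the CTA report or its members; the telemetry, process names and thresholds are constructed for illustration.

```python
"""Baseline per-process CPU samples and flag profiles that resemble cryptomining.

Each constructed sample is one polling interval: whether a user was active
(keyboard/mouse) and the CPU share of each process during that interval.
"""
from statistics import mean, pstdev

SAMPLES = [  # (user_active, {process: cpu_percent}); all values constructed
    (False, {"backup.exe": 95.0, "svc_update.exe": 20.1, "helper.exe": 30.0, "word.exe": 0.5}),
    (False, {"backup.exe": 97.0, "svc_update.exe": 19.8, "helper.exe": 31.0, "word.exe": 0.0}),
    (True,  {"backup.exe": 96.0, "svc_update.exe": 20.3, "helper.exe": 0.0,  "word.exe": 12.0}),
    (True,  {"backup.exe": 94.0, "svc_update.exe": 19.9, "helper.exe": 0.0,  "word.exe": 15.0}),
    (False, {"backup.exe": 98.0, "svc_update.exe": 20.0, "helper.exe": 29.0, "word.exe": 0.0}),
    (False, {"backup.exe": 95.0, "svc_update.exe": 20.2, "helper.exe": 30.0, "word.exe": 0.0}),
]

def profile_processes(samples):
    """Per process: overall mean and stddev, plus mean CPU while idle and while active."""
    by_proc = {}
    for active, cpus in samples:
        for name, pct in cpus.items():
            entry = by_proc.setdefault(name, {"all": [], "idle": [], "active": []})
            entry["all"].append(pct)
            entry["active" if active else "idle"].append(pct)
    return {
        name: {
            "mean": mean(e["all"]),
            "stdev": pstdev(e["all"]),
            "idle_mean": mean(e["idle"]) if e["idle"] else 0.0,
            "active_mean": mean(e["active"]) if e["active"] else 0.0,
        }
        for name, e in by_proc.items()
    }

def flag_miner_like(samples, high=80.0, throttle_band=(10.0, 50.0), flat=2.0):
    """Map process -> reasons it resembles a miner. Thresholds are assumptions to tune per fleet."""
    findings = {}
    lo, hi = throttle_band
    for name, p in profile_processes(samples).items():
        reasons = []
        if p["mean"] >= high:
            reasons.append("sustained_high_cpu")        # classic pinned-CPU miner
        if lo <= p["mean"] <= hi and p["stdev"] <= flat:
            reasons.append("flat_throttled_cpu")        # steady fixed share, e.g. ~20 per cent
        if p["idle_mean"] >= 15.0 and p["active_mean"] <= 2.0:
            reasons.append("runs_only_when_user_idle")  # stops as soon as the mouse moves
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for proc, why in flag_miner_like(SAMPLES).items():
        print(f"{proc}: {', '.join(why)}")
```

Flagged processes are leads for triage, not verdicts: a legitimate backup job can pin the CPU too, so each hit should be checked against the host's patch level and the known-good baseline.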
“Fortunately,” says the report, “defending against illicit cryptocurrency mining does not require specialized security software or radical changes in behavior. Instead, individuals and organizations can employ well-known cybersecurity practices to counter this threat.”
The Cyber Threat Alliance is made up of a number of security vendors, including Cisco Systems, McAfee, Fortinet, Palo Alto Networks and others.