The Cyber Threat Alliance’s latest research found a 459 percent increase in illicit cryptomining malware detections between 2017 and 2018.
And while the 459 percent jump isn’t quite as shocking as Symantec’s numbers — the company said detections of cryptocurrency coin miners grew by a whopping 8,500 percent in 2017 — it should be enough to make companies take notice and do something about it. Plus, the presence of illicit cryptocurrency mining within an enterprise is a strong indicator of other security flaws, said Neil Jenkins, chief analytic officer at the CTA.
“If you’ve got mining happening on your network, you probably have other bad stuff happening on your network, and it’s probably much worse than mining,” he said. “If you can find this, it should be an impetus to really lock down your security posture.”
The CTA is a group of 16 security vendors that share threat information daily. Jenkins co-authored the report along with security executives from CTA member companies Cisco, Fortinet, McAfee, NTT Security, Palo Alto Networks, Rapid7, and Sophos. The authors created the report using this shared threat intelligence.
Cryptojacking was top of mind for security professionals at the year’s two biggest events, Black Hat and the RSA Conference. While 2017 was the year of ransomware, “2018 is moving into the year of cryptomining,” Cisco Talos’ Craig Williams told me at last month’s Black Hat security conference.
But the idea of mining as a security threat is still trickling down to high-level executives at large enterprises, Jenkins said. “Ransomware attacks like the one against the city of Atlanta put ransomware on the radar of most executives and organizations,” he said. “I don’t think we are there yet with illicit mining.”
He hopes this report will help move the needle — and make it more costly for illegal miners to do business.
“This is really a problem that network defense is suited to address,” Jenkins said. “I don’t see a lot of law enforcement folks going after cryptomining at this point because it’s such a low-level threat. It’s hard to detect — and that’s the whole point. It’s low-risk from the threat-actor perspective, it’s harder to get caught, and if you do get caught I don’t know that the FBI is going to put the full weight of law enforcement behind it.”
Cryptomining is a cheap and easy way for hackers to make money. It only requires a couple lines of code to operate in addition to stolen processing power and cloud CPU usage.
“What a mining threat actor is really trying to do is get their malware on as many machines as possible and stay there as long as possible,” Jenkins said. “On a per-machine basis they aren’t going to make a lot of money, but the more machines you get on and the longer you sit on them the higher your chances are of making more money.”
More Sophisticated Miners
A spike in cloud bills, or a machine’s CPU or GPU maxing out and damaging IT equipment, may indicate illegal miners on the network. But CTA members found that some attackers are becoming more sophisticated and are getting better at hiding illegal mining activity. For example, some can set the level of computing resources used for mining and some mining malware is only active if the computer is not in use so that the user doesn’t notice a slowdown in processing power.
“You really change the economics of it if you improve basic best security practices,” Jenkins said. “And then you also improve your defense against more sophisticated threats that are using many of the same vulnerabilities and exploiting the fact that people aren’t patching their systems.”
In fact, the CTA analysis found a huge patching problem within numerous organizations. For example, a patch for the EternalBlue vulnerability has been available for 18 months. And even after this vulnerability was exploited in two major global cyberattacks — WannaCry and NotPetya — many companies are still being victimized by this exploit as it’s being used by mining malware such as Adylkuzz and Smominru.
In addition to recommending best security practices, like making sure your patches are up to date and that your workforce isn’t clicking on spear phishing emails, the report also suggests ways to detect and obstruct mining malware. This includes identifying known good traffic and using machine learning to identify atypical network behaviors, monitoring for abnormal power consumption and CPU activity, and regularly reviewing system privilege policies. Companies should also search DNS query logs for mining-specific processes and text strings, such as searching for Bitcoin, Crypto, and Minergate, among others.
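As an added illustration of that last recommendation (this is example code, not from the CTA report or any member company), the script below scans a constructed DNS query log for the keywords the report names, groups hits by client, and flags hosts with repeated matches for triage first; the log line format and hostnames are assumptions.

```python
import re
from collections import defaultdict

# Case-insensitive indicators named in the CTA report. Treat this as a
# starting point and extend it from your own threat intelligence.
MINING_KEYWORDS = ("bitcoin", "crypto", "minergate")

# Constructed sample log, one query per line: timestamp, client IP, queried
# name. Real resolver logs will need their own regex below.
SAMPLE_DNS_LOG = """\
2018-09-19T10:01:02Z 10.0.4.17 www.example.com
2018-09-19T10:01:05Z 10.0.4.17 pool.minergate.example
2018-09-19T10:01:07Z 10.0.4.22 mail.example.com
2018-09-19T10:02:11Z 10.0.4.17 cryptonight-pool.example
2018-09-19T10:02:30Z 10.0.4.31 bitcoin-faucet.example
2018-09-19T10:03:00Z 10.0.4.22 cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def matched_keyword(qname):
    """Return the first indicator found in the query name, else None."""
    lowered = qname.lower()
    for kw in MINING_KEYWORDS:
        if kw in lowered:
            return kw
    return None


def scan_dns_log(text):
    """Return {client_ip: [(qname, keyword), ...]} for matching queries."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = m.groups()
        kw = matched_keyword(qname)
        if kw:
            hits[client].append((qname, kw))
    return dict(hits)


def hosts_to_triage(hits, min_hits=2):
    """Hosts with repeated matches first; one 'bitcoin' lookup may be a user reading news."""
    return sorted(c for c, h in hits.items() if len(h) >= min_hits)


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_DNS_LOG)
    for client, queries in sorted(results.items()):
        print(client, queries)
    print("triage first:", hosts_to_triage(results))
```

Keyword matches like "crypto" will also catch legitimate names, so the output is a lead for the CPU and power checks the report pairs it with, not a verdict on its own.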