Most malware is all about money, and last year’s rise in the value of cryptocurrencies created an incredible opportunity for malware authors. Rather than build botnet armies that they hoped to rent to spammers or distributed denial of service networks, they could build them to directly generate real money and cut out the middleman.
And that’s just what happened: Starting in early 2018, global spam volumes dropped by nearly 50 percent as botnets around the world were repurposed as cryptominers. Cryptomining became a big business that continues unabated.
For businesses, cryptominers represent a novel type of threat, as they don’t seek to harm corporate networks. The goal is to quietly hijack corporate resources for as long as possible to make money.
Here’s how to spot cryptomining activity within your network — and what to do about it.
In-Browser Cryptomining Poses a New Challenge
Cryptomining is just another kind of malware, which means that the normal tools you deploy to block and clean up malware infections are still helpful. However, in-browser cryptomining presents some new challenges because not every anti-malware tool is able to detect and block in-browser attacks. IT managers should review their anti-malware tool lists and work with software authors to be sure that their preferred products are offering the coverage they need for both traditional malware and in-browser mining tools.
Another gut punch, especially for small-business IT managers: In-browser mining is cross-platform, which means that macOS and Linux users are just as much at risk as those on Windows. Now is the time for business IT managers who have not installed anti-malware tools on Mac and Linux to reconsider.
Cryptomining Signs Are Subtle to Businesses
For the biggest and oldest cryptocurrencies, such as bitcoin, there’s not enough computing power even in a building full of PCs to make any money. Even newer cryptocurrencies are slow to mine on a standard PC. This means that miners need to have a lot of PCs working simultaneously over long periods of time.
Their strategy is not to harm the network but to settle in and take as many resources as discreetly as possible. Signs of cryptomining will be subtle, such as slower PCs, systems that don’t go to sleep at night and browsers that don’t act like they used to.
IT managers should brief their help desks on this new threat, along with conducting end-user training and sending alerts. Yes, you’ll get some false alarms, but you’re looking for fainter and more delicate signs.
Network-Based Protections Can Help Thwart Cryptominers
Cryptominers need to communicate with each other and a command and control center in order to mine effectively; therefore, network-level protections disrupt the chain and block the conversion of electricity to cash.
A network-based intrusion prevention system identifies outbound connections to cryptomining domains and blocks them, provided that the network IPS has added the approximately 2,000 browser-based cryptomining command and control domains and associated applications to its signature database.
IT managers should review their network-based IPS protections and verify that in-browser mining command and control is being properly detected.
Some Domain Name System–based filtering services advertise their ability to block connections to malicious domains in order to act as a complement to an IPS.
To use them, IT managers point their Dynamic Host Configuration Protocol servers and firewalls at the service's public resolvers, and end-user PCs get a “no such domain” response when they try to look up command and control services.
Now might be the time to look into these types of services to help protect against all types of malware, including cryptomining.
IT managers who have already chosen to implement DNS-based filtering should enable filters on cryptomining categories for their users.
However, remember that simply blocking access to the command and control domains doesn’t actually solve the malware problem — systems are still infected, and users are still engaging in risky behaviors.
An IPS block on command and control needs to be accompanied by some action. Security teams should regularly review IPS logs and combine the review with end-user notification about when and why a block occurred. This is the only way to actually change user behaviors, help users understand what’s wrong with their personal computers and give them the information they need to solve the problem.
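As an added illustration of the log review described above (example code, not from the original article), the script below parses constructed block-log lines in a hypothetical "timestamp client query domain action" format, keeps only blocked lookups of domains in a placeholder cryptomining category, groups them per client PC, and flags machines whose lookups continued overnight, since the article notes that systems that do not go to sleep at night are one of the fainter signs; the domain names, log format and office-hours window are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical format; real IPS and DNS-filter
# logs differ, so adapt LINE_RE to the product you actually run.
SAMPLE_LOG = """\
2018-03-01T09:12:03Z 10.0.4.21 query mining-pool.example BLOCKED
2018-03-01T09:12:05Z 10.0.4.21 query intranet.example ALLOWED
2018-03-01T09:15:10Z 10.0.7.33 query miner-cnc.example BLOCKED
2018-03-01T22:40:00Z 10.0.4.21 query mining-pool.example BLOCKED
2018-03-02T02:05:41Z 10.0.4.21 query mining-pool.example BLOCKED
"""

# Placeholder names standing in for the IPS or DNS filter's cryptomining
# category; a real deployment takes this list from the vendor feed.
CRYPTOMINING_DOMAINS = {"mining-pool.example", "miner-cnc.example"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<domain>\S+) (?P<action>\S+)$")

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_off_hours(ts):
    """True when the UTC hour falls outside 07:00-19:59 (assumed office hours)."""
    hour = int(ts[11:13])
    return hour >= 20 or hour < 7

def summarize_blocks(log_text):
    """Group blocked cryptomining lookups by client so each PC gets one follow-up."""
    per_client = defaultdict(lambda: {"domains": set(), "blocks": 0, "off_hours": 0, "last_seen": ""})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "BLOCKED" or rec["domain"] not in CRYPTOMINING_DOMAINS:
            continue
        entry = per_client[rec["client"]]
        entry["domains"].add(rec["domain"])
        entry["blocks"] += 1
        entry["off_hours"] += is_off_hours(rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return dict(per_client)

def notifications(summary):
    """One plain-language message per client for the help desk to pass on to the user."""
    msgs = []
    for client, e in sorted(summary.items()):
        note = " Lookups continued overnight, so the PC is likely still infected." if e["off_hours"] else ""
        msgs.append(f"{client}: {e['blocks']} blocked lookup(s) of {', '.join(sorted(e['domains']))}, "
                    f"last at {e['last_seen']}.{note}")
    return msgs

if __name__ == "__main__":
    for m in notifications(summarize_blocks(SAMPLE_LOG)):
        print(m)
```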