Technical Information, May 2018

Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond

There’s a lot of speculation in cryptocurrency right now. People are mining coins all over the place, and even though it’s getting harder and harder to make money mining coins, interest is still high. All it costs is money for the power bill.

Why is This Important? What’s the Deal?
It’s sort of funny; there’s a feeling that cryptomining malware isn’t malicious, and therefore it must be really hard to find. But look closer. The assets being attacked in the cryptomining threat are:

  • System integrity
  • Compute
  • Power

Yes, that’s less harmful than ransomware or APT, but in the end, it’s still just malware, and you use the same methods to find cryptomining malware as you do anything else. But let’s concentrate on three that are specific to this situation.

How to spot mining malware:
Method #1 – Monitor the Network
Miners typically use mining pool platforms. Stratum, for example, favors ports 3333, 1333, 8333, etc. Decent “established-only” SNAT firewalls should block incoming mining requests. For outbound Stratum connections, you should be getting alerts on network anomalies like these using the same tools you’d use for outbound inspection of any other type of malware. Note that many of these connections will be encrypted and may require SSL inspection where that is possible.

Peer-to-peer (P2P) mining pools may use DNS to locate other hosts. If you’re lucky enough to have a threat feed that includes common pool servers as Indicators-of-Compromise (IOCs), great. But if you don’t, use one of the ones listed below or find the malware another way. When you find it, check its config for “pool_address” and then watch for other machines on your network connecting to it. That will lead you to more infections.
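The two network checks above (Stratum ports and a pool_address pulled from a recovered miner config) as a small detection sweep. This is an added example, not code from the article; the log format, the miner config, and every IP address in it are constructed for illustration (documentation-range addresses, not real pools).

```python
import json
import re
from collections import defaultdict

# Ports the article names as typical Stratum mining-pool ports.
STRATUM_PORTS = {3333, 1333, 8333}

# Constructed miner config, standing in for one recovered from an infected host.
# The pool_address value is a documentation-range IP, not a real pool.
MINER_CONFIG = '{"pool_address": "203.0.113.50:3333", "wallet": "PLACEHOLDER_WALLET"}'

# Constructed outbound-connection log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_LOG = """\
2018-05-03T02:14:07 10.0.4.21 203.0.113.50 3333 tcp
2018-05-03T02:15:00 10.0.4.37 198.51.100.9 443 tcp
2018-05-03T02:16:11 10.0.4.58 203.0.113.50 443 tcp
2018-05-03T02:17:30 10.0.4.37 203.0.113.77 8333 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def pool_iocs_from_config(config_text):
    """Pull the pool host out of a miner config's pool_address (host:port or bare host)."""
    addr = json.loads(config_text).get("pool_address", "")
    host = addr.rsplit(":", 1)[0] if addr else ""
    return {host} if host else set()


def find_mining_connections(log_text, pool_hosts=frozenset()):
    """Map src_ip -> [(dst_ip, port, reason)] for connections to Stratum ports
    or to a pool host learned from a miner config (caught even on a non-standard port)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, src, dst, port, _proto = m.groups()
        port = int(port)
        if dst in pool_hosts:
            hits[src].append((dst, port, "known pool host"))
        elif port in STRATUM_PORTS:
            hits[src].append((dst, port, "stratum port"))
    return dict(hits)


if __name__ == "__main__":
    iocs = pool_iocs_from_config(MINER_CONFIG)
    for src, conns in sorted(find_mining_connections(SAMPLE_LOG, iocs).items()):
        print(src, conns)
```

Note that 10.0.4.58 only shows up once the pool address from the config is fed in, which is the "watch for other machines connecting to it" step.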

Prevent employees from running their own hardware cryptominers at their desks. The most powerful policy you can adopt is the one used by the most secure networks today: don’t let unknown MAC addresses on your network. Yes, this is harder than just looking the other way, but for god’s sake people, it’s 2018; we need to get our heads out of the sand. If that’s too much of a challenge for now (and I get it, not everyone has a fully-staffed security team), an addendum to the company policy is appropriate, as is an email, as a start.

Method #2 – Monitor the Servers
Recall from our threat list that power is the third asset under attack in the threat surface. You’re already monitoring your servers. Make sure you’re monitoring their CPU usage and temperature. Many data centers monitor fan speed, a jump in which is another indicator of compromise. If any machine goes to 100% in the middle of the night and stays there, well, that’s suspicious and should be checked out. Even if a malicious miner is not consuming 100% of the CPU, the load it adds will likely stay constant rather than sawing up and down, so monitor for that.

Mature tools can tell you if new files have been installed on servers; maybe it’s time to revisit TripWire if you haven’t lately.
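The two CPU signals described above (pegged overnight, or elevated but unnaturally flat) as checks over monitoring samples. This is an added example, not code from the article; the sample format (timestamp, host, CPU percent every five minutes), the host names and the thresholds are all assumptions.

```python
import statistics
from datetime import datetime, timedelta

NIGHT_HOURS = range(0, 5)  # "middle of the night" window for the checks below


def night_values(samples, host):
    """CPU readings for one host that fall inside the overnight window."""
    return [cpu for ts, h, cpu in samples if h == host and ts.hour in NIGHT_HOURS]


def is_pegged(values, threshold=95, min_samples=6):
    """Every night sample at or above threshold: 'goes to 100% and stays there'."""
    return len(values) >= min_samples and min(values) >= threshold


def is_flat(values, min_mean=40, max_stdev=3.0, min_samples=6):
    """Elevated but nearly constant load, the profile of a throttled miner rather
    than a normal workload that saws up and down."""
    if len(values) < min_samples:
        return False
    return statistics.mean(values) >= min_mean and statistics.pstdev(values) <= max_stdev


def suspicious_hosts(samples):
    """Return {host: [reasons]} for hosts tripping either check."""
    findings = {}
    for host in sorted({h for _, h, _ in samples}):
        values = night_values(samples, host)
        checks = (("pegged", is_pegged), ("flat", is_flat))
        reasons = [name for name, check in checks if check(values)]
        if reasons:
            findings[host] = reasons
    return findings


def _series(host, cpus, start="2018-05-03T01:00"):
    """Build constructed five-minute samples for one host."""
    base = datetime.fromisoformat(start)
    return [(base + timedelta(minutes=5 * i), host, cpu) for i, cpu in enumerate(cpus)]


# Constructed telemetry (hypothetical hosts and values).
SAMPLES = (
    _series("web01", [20, 65, 15, 80, 30, 70])    # bursty web server: normal
    + _series("db02", [98, 99, 98, 99, 98, 99])   # pegged all night
    + _series("app03", [61, 60, 59, 60, 61, 60])  # constant 60%: throttled-miner profile
    + _series("idle04", [3, 2, 4, 3, 2, 3])       # flat but idle: no finding
)
```

Tune min_mean and max_stdev to each server's normal daily profile; a batch job with a steady load will trip the flat check too, which is exactly the kind of anomaly worth a look.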

Method #3 – Protect Users via Block Lists
Drive-by cryptomining is JavaScript that affects browsers. Imagine a user visiting a site that hosts malicious JavaScript. The script mines coins while the user is on the site. The user’s system integrity isn’t affected, but her CPU is, and so is her power consumption. MalwareBytes wrote about variants that keep the mining going even after the user has closed the browser, which is really rude.

Fixing this problem is harder for administrators; most don’t monitor the network, CPU usage, or fan speed for their users, especially for remote users. In these cases, try to block access to sites that host mining JavaScript.

Conclusion – Get Back to the Basics
Take a step back and realize that cryptocurrency mining is really just another form of malware, which is something you should be good at finding already. Look at graphs, just like you always do, for DDoS, or malware, or anything else. Find the anomalies and track them down. It’s the same with cryptomining.

Get back to the basics.

Article by David Holmes in Security Week

We take security very seriously at MACC and have been working hard to develop a culture of security awareness. We are committed to offering our best to help you strengthen your defenses. If you have any questions or if there is anything we can do for you, please don’t hesitate to contact your MACC Tech Support Team and we will be happy to help! We can be reached at 402-533-5300 or via email at [email protected].

