Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond
There’s a lot of speculation in cryptocurrency right now. People are mining coins all over the place, and even though it’s getting harder and harder to make money mining coins, interest is still high. All it costs is money for the power bill.
Why is This Important? What’s the Deal?
It’s sort of funny; there’s a feeling that cryptomining malware isn’t malicious, and therefore it must be really hard to find. But look closer. The assets being attacked in the cryptomining threat are:
- System integrity
Yes, that’s less harmful than ransomware or APT, but in the end, it’s still just malware, and you use the same methods to find cryptomining malware as you do anything else. But let’s concentrate on three that are specific to this situation.
How to spot mining malware:
Method #1 – Monitor the Network
Miners typically use mining pool platforms. Stratum, for example, likes ports 3333, 1333, 8333, etc. Decent “established-only” SNAT firewalls should block incoming mining requests. For outbound Stratum connections, you should be getting alerts on network anomalies like these using the same tools you’d use for outbound inspection of any other type of malware. Note that many of these connections will be encrypted, so SSL inspection may be required where it is available.
Peer-to-peer (P2P) mining pools may use DNS to locate other hosts. If you’re lucky enough to have a threat feed that includes common pool servers as Indicators-of-Compromise (IOCs), great. But if you don’t, use one of the ones listed below or find the malware another way. When you find it, check its config for “pool_address” and then watch for other machines on your network connecting to it. That will lead you to more infections.
Prevent employees from running their own hardware cryptominers at their desks. The most powerful policy you can adopt is the one used by the most secure networks today: don’t let unknown MAC addresses on your network. Yes, this is harder than just looking the other way, but for god’s sake people, it’s 2018; we need to get our heads out of the sand. If that’s too much of a challenge for now (and I get it, not everyone has a fully-staffed security team), an addendum to the company policy is appropriate, as is an email as a start.
Method #2 – Monitor the Servers
Recall from our threat list that power is the third asset under attack in the threat surface. You’re already monitoring your servers. Make sure you’re monitoring their CPU usage and temperature. Many data centers monitor fan speed, and a sudden jump in fan speed is another indicator of compromise. If any machine goes to 100% in the middle of the night and stays there, well, that’s suspicious and should be checked out. Even if a malicious miner is not consuming 100% of the CPU, the load itself will likely stay constant rather than fluctuating the way normal workloads do, so monitor for that.
Mature tools can tell you if new files have been installed on servers; maybe it’s time to revisit Tripwire if you haven’t lately.
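The two checks above (Method #1: outbound connections to Stratum pool ports, then pivoting on a known pool address; Method #2: CPU load that stays high and flat) as one added Python example. This is not code from the article or from SecurityWeek; the firewall log format, the CPU sample series and the 90%/5-point thresholds are constructed assumptions to show the detection logic, not values from the page.

```python
import re
import statistics
from collections import defaultdict

# Stratum pool ports named in the article; extend from your own threat feed (assumption).
STRATUM_PORTS = {3333, 1333, 8333}

# Constructed firewall log lines (not real traffic): action, direction, src:port -> dst:port.
SAMPLE_FW_LOG = """\
2018-03-02T02:10:01 allow out 10.0.5.17:51234 -> 203.0.113.9:3333
2018-03-02T02:10:03 allow out 10.0.5.22:44012 -> 198.51.100.4:443
2018-03-02T02:11:40 allow out 10.0.5.17:51301 -> 203.0.113.9:3333
2018-03-02T02:12:05 allow out 10.0.5.31:40511 -> 203.0.113.9:3333
2018-03-02T02:13:09 deny  in  192.0.2.77:3333 -> 10.0.5.22:3333
"""

LOG_RE = re.compile(r"^\S+ (allow|deny)\s+(out|in)\s+(\S+):\d+ -> (\S+):(\d+)$")

def stratum_hits(log_text):
    """Return {internal_host: {pool_ip, ...}} for allowed outbound connections to Stratum ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format (assumed log layout)
        action, direction, src, dst, port = m.groups()
        if action == "allow" and direction == "out" and int(port) in STRATUM_PORTS:
            hits[src].add(dst)
    return dict(hits)

def pool_peers(log_text, pool_ip):
    """Once one infection's pool_address is known, list every other host talking to it."""
    return sorted(h for h, pools in stratum_hits(log_text).items() if pool_ip in pools)

# Constructed per-host CPU samples (percent, one every 5 minutes overnight).
SAMPLE_CPU = {
    "db01":  [98, 99, 98, 99, 98, 98, 99, 98, 99, 98, 99, 98],  # pegged and flat
    "web02": [12, 85, 30, 60, 8, 95, 40, 20, 70, 15, 55, 33],   # bursty, normal
    "app03": [45, 46, 44, 45, 46, 45, 44, 45, 46, 45, 44, 45],  # flat but not high
}

def sustained_load_hosts(samples, min_mean=90.0, max_stdev=5.0):
    """Flag hosts whose CPU stays high with little variation, the miner pattern from Method #2."""
    flagged = []
    for host, series in samples.items():
        if statistics.mean(series) >= min_mean and statistics.pstdev(series) <= max_stdev:
            flagged.append(host)
    return sorted(flagged)
```

Lowering `min_mean` (for example to 40) also surfaces hosts like `app03`, whose load is flat but well below 100%, which is the partial-CPU miner case the article warns about.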
Method #3 – Protect Users via Block Lists
Conclusion – Get Back to the Basics
Take a step back and realize that cryptocurrency mining is really just another form of malware, which is something you should be good at finding already. Look at graphs, just like you always do, for DDoS, or malware, or anything else. Find the anomalies and track them down. It’s the same with cryptomining.
Get back to the basics.
Article by David Holmes in Security Week
Read the full article here: https://www.securityweek.com/avoid-becoming-crypto-mining-bot-where-look-mining-malware-and-how-respond
We take security very seriously at MACC and have been working hard to develop a culture of security awareness. We are committed to offering our best to help you strengthen your defenses. If you have any questions or if there is anything we can do for you, please don’t hesitate to contact your MACC Tech Support Team and we will be happy to help! We can be reached at 402-533-5300 or via email at [email protected].