5 Questions on Cryptomining Answered with Bryan York of CrowdStrike

Security and regulation questions are already clouding the conversation around cryptocurrencies. Hackers have shown no end to their fascination with the often untraceable and valuable digital forms of payment. Now, it seems that hackers are threatening your enterprise’s productivity and endpoint security by using your networks to mine cryptocurrency.

But what does that mean? And how can it affect your enterprise? We asked Bryan York, Director of Services at endpoint protection solution vendor CrowdStrike, 5 questions about this new trend in cybersecurity threats.

1. First what is cryptocurrency mining, or cryptomining? Why has it seen an increase recently?

Cryptomining is the process of verifying transactions within a blockchain. Blockchain is the underlying technology that cryptocurrencies run on. Historically, we’ve relied on centralized banks to facilitate money transfers, but the idea behind cryptocurrencies is to leverage the blockchain to remove this middle man so individuals can transfer virtual money in a peer-to-peer fashion with no transaction fees. What blockchain does is distribute its data across thousands of cryptomining computers responsible for verifying transactions. In return for lending computing power to verifying these transactions, these cryptominers are rewarded with cryptocoins.

CrowdStrike has seen an uptick in cryptomining as a result of the increased interest among the general public around cryptocurrencies like Bitcoin. As more people become interested in speculating/investing in these markets as well as leveraging cryptocurrencies as a legitimate form of payments for goods, there are more transactions to verify, or mine.

More specifically, we’ve seen an uptick in unauthorized cryptomining, also called cryptojacking.  Cryptojacking functions by an attacker first gaining unauthorized access to a computer and installing malware designed to mine cryptocurrencies.

We’ve observed specific interest by cyber criminals in mining the Monero cryptocurrency.  Bitcoin is becoming more difficult to mine and currently requires specialized hardware to mine, which can be expensive. Conversely, Monero can be mined on a traditional computer. This makes individual systems a more lucrative target for Monero mining. We also believe this uptick in Monero mining is due in part to the anonymity and privacy Monero provides.

While cryptocurrencies, like Bitcoin, publish transaction data to the blockchain in a way that makes it possible (though difficult) to track down accounts and amounts associated with a transaction, Monero keeps that information between the two users involved in the transaction. Monero also enforces one-time addresses combined with private key cryptography to provide further anonymity. This has made Monero transactions associated with illicit activity more difficult for law enforcement to tie to an individual. If a cybercriminal wants to enjoy their profits from cryptojacking, they’d prefer to stay out of jail. Monero can offer the level of anonymity to do that.

2. Why should enterprises be worried about cryptomining compromises on their endpoints and networks? What could happen if such an algorithm sneaks into a corporate system?

While cryptocurrency mining has typically been viewed as a nuisance, CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time; the tools have caused systems and applications to crash due to such high utilization of system resources.

Silent cryptomining attacks are also costing businesses money. It’s expensive to mine cryptocurrencies, and attackers know that if they can get someone to pay for high-powered servers and the electricity it takes to run a cryptomining operation their criminal enterprise can become increasingly more profitable. Essentially, these criminals are able to increase revenue via cryptomining at no additional cost to them.

In addition to the cost of computing power to an organization, a system compromised with cryptomining software indicates broader security issues. In the case of cryptomining, an attacker was able to get software onto the system undetected. Unless the IT team patches the hole in the network, an organization may be vulnerable to a variety of other attacks like ransomware.

3. What are the signs/symptoms of a cryptomining compromise on an enterprise’s system or endpoint?

The most obvious sign of cryptomining to an end user is a system running abnormally slow.  While many cryptominers throttle computing power usage, the system will still be running at a higher than normal rate. If a system seems to run slowly when visiting a particular website or if all programs are closed, and the system is still running at high rates, that is a sign that the computer could be mining cryptocurrency.

Some more advanced endpoint technologies also offer the ability to identify and block cryptocurrency mining software. This generally requires running next-generation antivirus on your system that’s programmed to identify and prevent suspicious behaviors.

4. How can a cryptocurrency mining algorithm be detected and prevented? What makes them so difficult to detect?

We’ve observed a trend toward cryptocurrency miners becoming increasingly more sophisticated by employing techniques that were, at one time, only available to nation-state actors.  For example, the WannaMine Monero miner leverages the EternalBlue exploit, popularized by WannaCry and also leveraged in NotPetya, to propagate throughout a network.  WannaMine is also “fileless”, meaning it runs only in memory, making it difficult for legacy antiviruses to detect and prevent.  What enables this malware to be fileless is its use of legitimate programs that are already on systems, like WMI and Powershell, in a malicious fashion by loading malicious code into memory on a system and using those legitimate applications to run the malicious code.

5. What best practices should enterprises employ for dealing with cryptomining programs?

Organizations hoping to prevent their computers from being hijacked to mine cryptocurrency can do several things to protect themselves.

First, enterprises can implement good security hygiene practices like strong endpoint protection to prevent cryptocurrency mining malware. Additionally, it is best to keep systems patched and up to date, protect privileged accounts, implement multifactor authentication for remote access, and architect network segmentation to make it difficult for attackers to gain access to systems for the purposes of cryptomining.

Users can protect themselves by installing next-generation antivirus on their systems, using ad blockers, disabling JavaScript, using browser extensions specifically designed to prevent cryptomining when browsing the web, and staying vigilant for any indications that their system may be running slowly for no apparent reason.

Thanks again to Bryan York of CrowdStrike for his time and expertise!