How to protect your endpoints from “creepy crypto miners”
Here’s what’s creepy about cryptocurrency mining threats. They can lead to the slow death of your computers – in some cases literally melting smartphones – by overworking the CPU beyond its normal capacity. They can trigger massive spikes in your electric bill. They can send productivity (even mission-critical operations) into a tailspin as system performance becomes severely degraded. They can compromise the security of sensitive data on your systems. Worse, all of this can go on unnoticed for long periods of time. Your endpoints are at risk. So, the question becomes, “How do you protect them from the crippling effects of unwanted cryptocurrency mining (crypto mining)?”
The Threat of Illicit Crypto Mining
Money Matters When It Comes to Crypto Mining
For cybercriminals, what’s not to like about crypto mining? Unlike ransomware, it is stealthier and can be harder to detect – without all the hassle of demanding ransoms. Besides, a steady revenue stream can be extremely promising, especially when thousands of systems are pooled together. Here’s how.
When mining for cryptocurrency, the average personal device can generate about $0.25 a day. Not a lot, until you start pooling systems together; then the money-making potential skyrockets. Gains rise even more drastically as hash rate – the speed at which a given mining machine operates – and power consumption go up. In one campaign seen by Cisco Talos, an attacker was generating about $704 daily, or $257,000/year, using exploited endpoints. Five other related illicit campaigns were spotted at the same time, collectively amassing over $1 million. With illicit crypto mining churning out real profits without the messy maintenance typically found in other forms of cybercrime, you can bet we are going to see more of it in the future.
Attack Vectors: How Malicious Crypto Mining Can Get Onto Your Endpoints
Threats from crypto mining can reach your end users in multiple ways, including email spam campaigns, exploit kits, and rogue browser content/extensions. These real-life accounts of activities associated with cryptocurrency mining show you where to keep a watchful eye:
- Email. An attacker launched an email campaign spoofing a job application. The email contained a Word document appearing to be a resume, enticing the receiver to enable macro content. Doing so triggers the download of the Monero miner.
- Exploits. Malicious crypto mining activities were seen leveraging vulnerabilities in technologies like Adobe Flash, while others use malware delivery channels like Smokeloader, a part of the RIG exploit kit. The significance of this exploit is its ability to run for months (if not years) on infected systems. Further, if an exploit has already been exposed, why not use it? Case in point: EternalBlue, used to exploit vulnerabilities in SMB for the well-known ransomware campaign WannaCry, is now being used to launch illicit crypto mining processes.
- Fileless and other modes. Attackers resort to other infection vehicles, such as code injection by exploiting browser plug-in vulnerabilities, trusted system processes, and websites that embed JavaScript. The last of these allows for crypto mining directly in the web browser.
Prevention, Detection, and Response
Don’t Be a Victim: Three Ways to Protect Your Endpoints
Attackers go after various targets, using different methods of infection. So, make sure to guard against crypto mining threats targeting vulnerable devices. Use practices and tools to help you prevent, detect, and respond to unwanted crypto mining at the endpoints.
Prevent: Block Crypto Mining Threats
With computing resources as a valued target, crypto mining attacks ultimately creep onto the endpoint where those treasured assets are hosted. Therefore, blocking and preventing those hard-to-spot crypto mining threats before they get to your endpoints is essential. You can do this by leveraging various preventative engines beyond traditional signature-based antivirus, and applying advanced capabilities like fileless/in-memory exploit prevention and advanced sandboxing, to name a few.
Detect: Continuously Monitor for Malicious Crypto Miners
We know that threats and attacks can’t be prevented 100% of the time. So, it’s important to have visibility into what happens after a file has successfully entered your business environment. You can do this by continuously monitoring and analyzing file, process, and command line activity on the endpoint. This is where the ability to correlate disparate events and send alerts when crypto mining activity is detected becomes crucial. Alerts must be correlated and triggered based on behavior such as propagation (as an attacker or the payload tries to move through the network), establishing persistence, and making outbound connections to the crypto miner’s infrastructure.
Respond: Stop the Threat in Its Tracks
When the presence of unwanted crypto miners is detected on your endpoints, responding rapidly to contain the threat becomes imperative. This is when you need your threat responses to be automated, blocking malicious connections emanating from all endpoints. This surgical approach to containing illicit crypto mining minimizes any associated collateral damage to the business.
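One way to implement the detect step described above: correlate per-process command line, CPU and outbound-connection events and raise an alert only when independent signals agree. This is an added example, not code from the post or from Cisco AMP for Endpoints; the telemetry is constructed, and the indicator strings and pool ports are assumptions you would tune to your environment.

```python
import json
from collections import defaultdict
# Constructed telemetry (not from the post): one JSON event per line, in the shape an
# endpoint agent might emit for process starts, CPU samples and outbound connections.
SAMPLE_EVENTS = """\
{"ts": 1, "type": "process_start", "pid": 4242, "image": "/tmp/.cache/kworkerds", "cmdline": "kworkerds -o stratum+tcp://pool.example.invalid:3333 -u 4AbC --donate-level=1"}
{"ts": 2, "type": "cpu_sample", "pid": 4242, "cpu_pct": 97}
{"ts": 3, "type": "cpu_sample", "pid": 4242, "cpu_pct": 99}
{"ts": 4, "type": "net_connect", "pid": 4242, "dst": "203.0.113.7", "dport": 3333}
{"ts": 1, "type": "process_start", "pid": 1000, "image": "/usr/bin/firefox", "cmdline": "firefox"}
{"ts": 2, "type": "net_connect", "pid": 1000, "dst": "198.51.100.9", "dport": 443}
{"ts": 1, "type": "process_start", "pid": 2000, "image": "/usr/bin/ffmpeg", "cmdline": "ffmpeg -i in.mp4 out.mkv"}
{"ts": 2, "type": "cpu_sample", "pid": 2000, "cpu_pct": 99}
{"ts": 3, "type": "cpu_sample", "pid": 2000, "cpu_pct": 99}
"""
# Assumed indicators: stratum is the protocol miners use to talk to pools; the flag and
# ports are ones commonly seen with public mining pools. Tune these to your environment.
CMDLINE_INDICATORS = ("stratum+tcp://", "stratum+ssl://", "--donate-level")
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
CPU_THRESHOLD, CPU_SAMPLES = 90, 2  # "sustained" = at least N samples at or above threshold

def correlate(event_lines):
    """Group events per pid and alert only when independent signals agree."""
    procs = defaultdict(lambda: {"image": "?", "cmdline": "", "cpu": [], "net": []})
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        p = procs[ev["pid"]]
        if ev["type"] == "process_start":
            p["image"], p["cmdline"] = ev["image"], ev["cmdline"]
        elif ev["type"] == "cpu_sample":
            p["cpu"].append(ev["cpu_pct"])
        elif ev["type"] == "net_connect":
            p["net"].append((ev["dst"], ev["dport"]))
    alerts = []
    for pid, p in procs.items():
        evidence = []
        if any(ind in p["cmdline"] for ind in CMDLINE_INDICATORS):
            evidence.append("miner-style command line")
        hot = [c for c in p["cpu"] if c >= CPU_THRESHOLD]
        if len(hot) >= CPU_SAMPLES:
            evidence.append(f"sustained CPU ({len(hot)} samples >= {CPU_THRESHOLD}%)")
        if any(port in POOL_PORTS for _, port in p["net"]):
            evidence.append("outbound connection to a mining-pool port")
        # High CPU alone (the ffmpeg encode) is not enough: need a miner-style command line, or CPU plus a pool connection.
        if "miner-style command line" in evidence or len(evidence) >= 2:
            alerts.append({"pid": pid, "image": p["image"], "evidence": evidence,
                           "severity": "high" if len(evidence) == 3 else "medium"})
    return alerts
```

Only the process with the stratum command line, sustained CPU and a pool connection is alerted on; the legitimate encode and the browser are not.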
How Cisco Can Help Protect Your Endpoints From Crypto Mining Threats
When you’re up against malicious cryptocurrency mining, traditional protection doesn’t cut it. Cisco’s next-generation endpoint security solution, AMP for Endpoints, prevents, detects and responds to malicious crypto mining and other threats that legacy solutions miss. For years, AMP for Endpoints has been scanning and blocking files at the point of entry, running every file through multiple layers of protection and detection engines – employing more advanced techniques like behavior-based detection, dynamic file analysis, machine learning based detection, and exploit prevention to name a few – to stop the plethora of threats.
However, as threats evolve and get even more clever, some of them evade these safeguards. Uniquely fit for this challenge, AMP for Endpoints continuously monitors files on your endpoints. If and when a file begins to show suspicious behavior, as in the case of malicious crypto mining activity, AMP for Endpoints will not only retrospectively quarantine the offending files but will deliver the full history of the threat, showing you exactly how the file got in, all the places it has been, and every one of its activities – automatically! AMP for Endpoints does the heavy lifting on your behalf. It automatically delivers a comprehensive account and detailed timeline of the threat fast, drastically slashing the time that you would usually burn investigating a threat and applying remedies to affected systems. Intelligence gained from this threat is shared with the AMP cloud, updating all other Cisco security products within your environment. This distinctive approach allows you to see a threat once and automatically block it everywhere.
Get started for FREE today with Cisco AMP for Endpoints to stop unwanted crypto mining in its tracks – with an NSS Labs recommended next generation endpoint security solution.
Curious to know a little more. Wondering: unless the hacker is successful in running the entire blockchain on the infected computer, will he really exploit and use the compute power of the endpoint? (unless the entire blockchain is installed and run on the endpoint…). For generating PoW, does he have to run the entire blockchain on the endpoint?
Hi Suresh. Thank you for your comment. As you alluded to, blockchain is a global ledger for transactions, so it isn’t really something that can exist on an endpoint. And so, if the question posed here is more about whether it makes sense to carry out malicious crypto mining using a single endpoint, chances are the endpoint will be on its knees (before you know it). Taking a single standalone system simply is not an effective way to make (crypto mining) money, considering the impact on electricity usage and so on. As I mentioned, crypto miners realize that the way to make their illicit activity worthwhile is through pool-based mining. For more in-depth information about this topic, please check this blog from Cisco Talos <https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>. But if your question is about whether illicit crypto mining can really take out a device, there were reports wherein malware had been found pushing infected devices to the limit for mining Monero tokens until they blow up.
Hi Gedeon,
Thank you very much for the response. Truly appreciate it; it is helpful.
You're welcome, Suresh. Thanks again for sharing your thoughts.
Blockchain is a distributed ledger. A mining node should have the ledger, as far as I know, in most frameworks.