How to Detect and Prevent Ruthless Cryptojacking

Your network devices could be secretly mining cryptocurrency. Last week a report from Help Net Security stated that a cryptojacking worm was doing just that on vulnerable Docker hosts.

Cryptojacking is essentially piggybacking on someone else’s computer processing power to confirm transactions and generate new and potentially lucrative coins. Anyone with access to the internet and suitable hardware can participate in mining cryptocurrency. Detecting and preventing this ruthless cryptojacking activity is another matter.

The allure of making crypto coins by merely connecting a computer and entering a few commands reminds me of the gold rush. Back in the mid-1800s, people flocked to the western United States to find their fortune in gold. The formula was simple: processing more land and dirt increased the chance of success. Miners with a single pan had lesser prospects than those operating massive dirt-processing plants. Mining was competitive and sometimes ruthless.

Are you being cryptojacked?
Cryptomining is similar. Instead of plants, crypto miners use computer CPUs, GPUs, and ASICs to find their fortune. Accumulating these assets increases one’s chances of uncovering a crypto coin. Crypto mining calculations are complex and require costly electricity and hardware resources. While mining is technically possible for anyone, those with underpowered setups are like single-pan 1850s gold miners. Cybercriminals overcome resource constraints by using other people’s computers to mine. They do this by hosting cryptocurrency mining hijackers on websites. Visiting these sites without adequate virus protection can result in your browser and CPU being hijacked.

There are many types of these worms and malware. There is the Graboid worm referenced in the Help Net Security article. A piece of malware called PowerGhost was spread across corporate networks to mine cryptocurrency and perform illegal DDoS attacks. There is also the case where thousands of Windows servers were infected by a Monero miner known as Smominru. That miner spread using the EternalBlue exploit (CVE-2017-0144), which targeted the SMBv1 protocol.

Detecting cryptocurrency mining malware can be challenging. The indications that you could be infected are typically related to CPU usage spikes, and many people simply disregard these symptoms.

Detect and prevent cryptojacking on your network
Looking at crypto mining from a networking perspective, it’s easy to see how PacketViper will help detect and prevent this activity. Fundamentally, crypto mining is a very long-lived TCP connection between a client and a server. The ports and protocol used for this communication can vary, and the TCP traffic can be encrypted. Nonetheless, the communication must persist: without constant contact with the mining pool, the compromised host will be unable to complete its mining task.
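The behavior described above can be turned into a simple flow-level check. The following is an added example, not PacketViper’s code: it reads constructed flow records (a simplified, tab-separated conn.log-style layout assumed here), groups outbound TCP flows by internal source and external destination regardless of destination port, and flags pairs whose total connected time is long-lived, which catches both one very long session and a session that is repeatedly re-established on different ports.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, tab-separated: ts, src, sport, dst, dport, proto, duration_s.
# 10.0.1.15 holds a pool-style session to 203.0.113.40 and re-establishes it on other
# ports when it drops; 10.0.1.22 makes short web requests; 10.0.1.30 runs a long
# transfer to an internal host, which must not be flagged.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.1.15\t49211\t203.0.113.40\t3333\ttcp\t5400.2
1700005400.5\t10.0.1.15\t49212\t203.0.113.40\t14444\ttcp\t3611.0
1700009011.8\t10.0.1.15\t49213\t203.0.113.40\t443\ttcp\t2900.4
1700000100.0\t10.0.1.22\t51000\t198.51.100.7\t443\ttcp\t1.3
1700000160.0\t10.0.1.22\t51001\t198.51.100.7\t443\ttcp\t0.9
1700000200.0\t10.0.1.30\t52000\t10.0.2.9\t873\ttcp\t9000.0
"""

# RFC 1918 ranges are treated as "internal"; everything else is "external" here.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def parse_conn_log(text):
    """Parse the tab-separated flow records into dicts (blank and '#' lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, dur = line.split("\t")
        records.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": proto, "duration": float(dur)})
    return records

def find_persistent_outbound(records, min_total_seconds=3600.0):
    """Group outbound TCP flows by (internal src, external dst), ignoring the
    destination port, and report pairs whose total connected time is long-lived."""
    pairs = defaultdict(lambda: {"flows": 0, "seconds": 0.0, "ports": set()})
    for r in records:
        if r["proto"] != "tcp" or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only internal -> external TCP traffic is of interest here
        entry = pairs[(r["src"], r["dst"])]
        entry["flows"] += 1
        entry["seconds"] += r["duration"]
        entry["ports"].add(r["dport"])
    alerts = []
    for (src, dst), e in sorted(pairs.items()):
        if e["seconds"] >= min_total_seconds:
            alerts.append({"src": src, "dst": dst, "flows": e["flows"],
                           "seconds": round(e["seconds"], 1), "ports": sorted(e["ports"])})
    return alerts
```

The threshold of one hour of total connected time is an assumption for the sample; on a real network it should be tuned against known long-lived services (VPNs, backup jobs, database replication) before it is used to block anything.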

PacketViper makes the detection and prevention of this threat behavior routine work. Sensors can be placed across the full range of network ports to watch for continuous communication back to the mining pool, resulting in the detection of anomalous outbound activity. PacketViper Deception360 can quickly identify and act on these breakouts before they have a chance to cost your company production time and energy costs.

To learn more about the detection of worms and malware like this contact us today.
[1] Cryptojacking worm compromised over 2,000 Docker hosts, https://www.helpnetsecurity.com