How do illicit cryptominers work?
There are two main types of illicit cryptominers:
1. Binary-based – malicious applications downloaded and installed onto the targeted device with the goal to mine cryptocurrency. ESET security solutions categorize most of these applications as Trojans.
2. Browser-based – malicious JavaScript embedded into a web page or some of its parts/objects, designed to mine cryptocurrency via the browsers of the site’s visitors. This method is dubbed cryptojacking and has become increasingly popular with cybercriminals since mid-2017. ESET detects the majority of cryptojacking scripts as potentially unwanted applications (PUAs).
Warning
Most illicit cryptominers attempt to mine Monero or Ethereum. These cryptocurrencies offer cybercriminals several benefits over the better-known bitcoin: they have a higher level of transaction anonymity and, most importantly, can be mined with regular CPUs and GPUs instead of expensive and specialized hardware. Cryptomining and cryptojacking attacks have been detected on all popular desktop platforms, as well as on Android and iOS.
Why should SMBs care about illicit cryptominers?
A total of 30% of organizations in the United Kingdom fell victim to a cryptojacking attack in the previous month, a recent survey among 750 IT executives across the UK has found. These statistics document two things:
1. Despite illicit cryptomining posing a threat with seemingly lower severity, organizations should not underestimate the risk it represents. Mining usually hijacks a large portion of hardware’s processing power reducing performance and productivity. The power-intensive process causes additional stress to the hardware components and can damage targeted devices, shortening their lifespans.
2. Cryptominers expose vulnerabilities in an organization’s cybersecurity posture, which can lead to potentially more severe compromises and disruptions. Due to their higher and concentrated performance, business infrastructures and networks are a more valuable target than consumer devices, promising the attacker higher earnings within a shorter timeframe.
How to recognize a cryptomining attack?
Cryptomining and cryptojacking are typically associated with extremely high processor activity, which has noticeable side effects. Watch out for the following:
- Visibly reduced performance and productivity of the infrastructure
- Unusual energy consumption
- Suspicious network traffic
On Android devices additional computational load causes:
- Shorter battery life
- Noticeably increased device temperature
- Lower device productivity
- Physical damage from “bloating” of the battery in worst case scenarios
How to keep your organization protected from cryptominers?
1. Protect their endpoints, servers and other devices with reliable and multilayered security solutions able to detect potentially unwanted (PUA) cryptomining scripts as well as cryptomining Trojans.
2. Implement Intrusion Detection Software (IDS) that helps identify suspicious network patterns and communication potentially tied to illicit cryptomining (infected domains, outgoing connections on typical mining ports such as 3333, 4444 or 8333, signs of persistence, etc.).
3. Increase network visibility by using a remote management console to enforce security policies, monitor system status as well as security of company endpoints and servers.
4. Train all employees (including top management and network administrators) in how to maintain good cyber-hygiene and create and use strong passwords, reinforced with two-factor authentication, increasing the protection of company systems in case passwords are leaked or bruteforced.
Additional measures
5. Follow the principle of least privilege. All users should only have user accounts with as few permissions as possible, that allow them to complete their current tasks. This approach significantly lowers the risk of users and admins being manipulated into opening or installing cryptominers or other malicious software in a device connected to the company network.
6. Use application controls that narrow the software allowed to run to a minimum, preventing the installation of cryptomining malware.
7. Implement a good update and patching policy to significantly lower the chance of an organization being compromised via previously-known vulnerabilities as many advanced cryptominers use known exploits, such as EternalBlue, for their primary distribution.
8. Monitor company systems for excessive power usage or other energy consumption anomalies that might point to unsolicited cryptomining activity.
Prevent cryptomining now
ESET PROTECT
Advanced
Get effective protection against cryptomining with ESET multilayered endpoint security solutions able to detect potentially unwanted (PUA) cryptomining scripts as well as cryptomining Trojans. Includes Ransomware Shield and LiveGrid® protection via the cloud and network attack protection. Combine ESET’s powerful scanning engine with ESET PROTECT Cloud and gain detailed network visibility.