Cryptocurrency hijacking, or “cryptojacking”, is one of the major threats faced by enterprise IT teams today, and probably the most underestimated. Cryptojacking is the covert, illegal use of a target’s computing resources to mine cryptocurrencies. Cryptocurrency mining requires massive processing power to solve the complex cryptographic puzzles that form part of the blockchain validation mechanism. The process also consumes a great deal of electricity, with the cost that implies, and significantly shortens the life of expensive computer hardware. To give a sense of scale, anti-virus provider Kaspersky Lab reported that in the first eight months of 2017 alone it protected 1.65 million users from cryptojacking attacks.
The good news is that effective detection and mitigation mechanisms exist and can be integrated into an organization’s cybersecurity lineup. Three major defenses against cryptojacking are performance management, application control, and behavior analysis. All three rely on granular network visibility, which lets an enterprise know what is going on in its network at all times of the day.
Cryptojacking does not normally interrupt or slow down business activity, because its objective is to remain undiscovered for as long as possible. This is akin to a biological symbiotic host/parasite relationship: there is no point in the parasite killing its host, because the host is its main food supply. Likewise, if cryptojacking malware shut down, or otherwise alerted, the host computer on which it is “feeding”, that pipeline would quickly be removed.
Performance Management & Application Control
Cryptojacking is generally performed in the evening, when most, if not all, of a company’s staff have gone home but the computer systems and servers are still running. The most recent cryptojacking attacks focus on databases and application servers, as those are the centers of greatest computing power. Performance management and application control can detect anomalous network and server behavior patterns, particularly during off-peak business hours.
Application control involves several key tasks centered on monitoring and analyzing past network behavior. These processes enforce sound network access practices, including Virtual Private Network (VPN) access, and make it possible to detect, measure, and limit cybercriminal activity. Referring to application control, Nathaniel Wallis of Axial Systems, a leading cybersecurity company, says, “In this way, organizations will be more likely to see when cyber attackers are trying to download and install cryptominers or transfer cryptocurrencies to digital currency wallets outside the organization.” Application control enables network administrators to block malicious sites and shut down any risky applications running on a network.
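The off-peak detection described above can be reduced to a simple per-hour baseline. The following is an added example, not Allot’s product code: it builds a robust baseline of CPU utilisation for each hour of the day from historical samples, then flags hours on a new day that sit far above that baseline, with a stricter threshold outside business hours. The business-hours window (08:00 to 17:59), the thresholds and all sample data are constructed assumptions.

```python
"""Per-hour CPU baseline with an off-peak anomaly check.

Added example, not Allot's product code. All sample data is constructed;
business hours and thresholds are assumptions for illustration.
"""
from statistics import median
from typing import Dict, List, Tuple

# Assumption: business hours are 08:00-17:59 local time.
BUSINESS_HOURS = range(8, 18)


def build_baseline(history: Dict[int, List[float]]) -> Dict[int, Tuple[float, float]]:
    """Return {hour: (median, MAD)} of CPU % for each hour of the day.

    The median absolute deviation (MAD) is used instead of the standard
    deviation so that one past busy night does not widen the baseline and
    hide the next incident.
    """
    baseline = {}
    for hour, samples in history.items():
        med = median(samples)
        mad = median(abs(s - med) for s in samples)
        baseline[hour] = (med, mad)
    return baseline


def robust_z(value: float, med: float, mad: float) -> float:
    """Robust z-score; 1.4826 * MAD approximates one standard deviation."""
    scale = 1.4826 * mad if mad > 0 else 1.0  # floor for perfectly flat baselines
    return (value - med) / scale


def find_anomalies(baseline, today: Dict[int, float],
                   threshold: float = 4.0, off_peak_threshold: float = 3.0):
    """Return [(hour, cpu, z, off_peak)] for hours whose CPU exceeds the baseline.

    Off-peak hours are judged against the lower threshold, because a server
    that should be idle overnight has little legitimate reason to be busy.
    """
    findings = []
    for hour, cpu in sorted(today.items()):
        med, mad = baseline[hour]
        z = robust_z(cpu, med, mad)
        off_peak = hour not in BUSINESS_HOURS
        if z > (off_peak_threshold if off_peak else threshold):
            findings.append((hour, cpu, round(z, 1), off_peak))
    return findings


def constructed_history(days: int = 14) -> Dict[int, List[float]]:
    """Constructed sample: ~40% CPU in business hours, ~5% off-peak, +/-2% noise."""
    history = {}
    for hour in range(24):
        base = 40.0 if hour in BUSINESS_HOURS else 5.0
        history[hour] = [base + (day % 5) - 2 for day in range(days)]
    return history


def constructed_today() -> Dict[int, float]:
    """Constructed sample: a normal day except 02:00, where CPU is pegged at 85%."""
    today = {hour: (40.0 if hour in BUSINESS_HOURS else 5.0) for hour in range(24)}
    today[2] = 85.0    # the overnight spike we want to catch
    today[10] = 43.0   # small daytime bump within normal noise; must not alert
    return today


def run_check():
    """Build the baseline from history and evaluate today's samples."""
    return find_anomalies(build_baseline(constructed_history()), constructed_today())


if __name__ == "__main__":
    for hour, cpu, z, off_peak in run_check():
        label = "off-peak" if off_peak else "business hours"
        print(f"{hour:02d}:00 CPU {cpu:.0f}% robust-z {z} ({label})")
```

In a real deployment the history would come from the performance management system’s stored metrics rather than a constructed table, and the same baseline-and-deviation logic applies to per-host network byte counts, which is where mining traffic to an external pool shows up at night.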
Network Visibility and Segmentation
The most effective way to combat cryptojacking is to deploy processes and tools that provide full network visibility. This includes full-packet capture, used to monitor for anomalies, and full performance management, which can be used to record off-peak baselines. Segmentation is another procedure that helps protect against cryptojacking: it monitors and records where and when specific systems operate on the network, and behavior analysis software can then be deployed to identify any anomalous network activity. Performance management systems can also monitor “entity” behavior, checking that every working system is operating as intended and within its network segment. “Flat” networks are not segmented, so an attacker who gains access anywhere has easy access to the whole system.
Checklist and Resources
In addition to sophisticated technological tools and processes, a simple checklist can assist in protecting an enterprise’s expensive IT systems. The following checks should form the basis of any IT administrator’s cybersecurity toolkit:
- Install and patch anti-malware software
- Keep operating systems up to date
- Block access from company systems to torrent, free-download, adult, and online gaming websites, as these are the preferred locations for cybercriminals to host their malicious sites
- Perform regular backups
- Delete any programs not in regular use
- Monitor device temperatures
In addition to the above measures, there are many software tools that can be deployed to capture and terminate any cryptojacking activity. These resources include:
- Whoismining.com: Enter a website URL to determine whether the site is running a cryptominer.
- Malwarebytes: Strong anti-malware software that blocks Coinhive.com, one of the main culprits at the heart of cryptojacking.
- No Coin and MinerBlock: Browser add-ons that prevent cryptojacking scripts from using the CPU.
The trouble with cryptojacking traffic is that it is not always easy to spot; identification is often made difficult by the shortness of the transmitted messages. However, cryptojacking traffic is normally periodic, so a solid performance management system will be able to identify the patterns it produces. This should be possible even when the data is encrypted, because the task actually involves measuring the length of the data packets, isolating any periodicity, and pinpointing the range of subtle indicators that cryptojacking employs. Network monitoring is certainly the best way to protect against cryptojacking. Cryptojackers must be able to communicate with their servers: receive new hashing work, compute it, and return the results. A performance management system will be able to identify these activities and stop them at the core.
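The periodicity-and-length check described above can be done on flow metadata alone. The following is an added example, not Allot’s code: it uses only packet timestamps, direction and payload sizes, which remain observable when the payload is TLS-encrypted, and scores a flow as mining-like when its outbound packets are small, long-lived and spaced at a near-constant interval, while a bursty browsing flow is left alone. The thresholds and both packet traces are constructed for illustration.

```python
"""Periodicity check over encrypted-flow metadata.

Added example, not Allot's code. Thresholds and packet records are
constructed for illustration; only timestamps, direction and sizes are used.
"""
from statistics import mean, median, pstdev
from typing import Dict, List, Optional, Tuple

Packet = Tuple[float, str, int]  # (timestamp in seconds, "out" or "in", payload bytes)


def flow_features(packets: List[Packet]) -> Optional[Dict[str, float]]:
    """Summarise the outbound half of a flow: gap regularity and packet size."""
    out = sorted(p for p in packets if p[1] == "out")
    if len(out) < 3:
        return None  # too short to say anything about periodicity
    times = [p[0] for p in out]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg_gap = mean(gaps)
    return {
        "count": len(out),
        # coefficient of variation: ~0 for a metronome, large for bursty traffic
        "interval_cv": pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf"),
        "median_out_len": median(p[2] for p in out),
        "duration_s": times[-1] - times[0],
    }


def is_mining_like(features, max_cv=0.25, max_len=200,
                   min_count=20, min_duration_s=600) -> bool:
    """Flag flows that are long-lived, regular and made of small outbound packets."""
    if features is None:
        return False
    return (features["count"] >= min_count
            and features["duration_s"] >= min_duration_s
            and features["interval_cv"] <= max_cv
            and features["median_out_len"] <= max_len)


def constructed_mining_flow() -> List[Packet]:
    """Constructed: 40 small results sent about every 30 s (+/-1 s jitter), plus inbound work."""
    flow = []
    for i in range(40):
        flow.append((30.0 * i + (i % 3 - 1), "out", 96 + (i % 4) * 8))
        flow.append((30.0 * i + 15.0, "in", 150))
    return flow


def constructed_browsing_flow() -> List[Packet]:
    """Constructed: five page loads at irregular times, each a burst of larger requests."""
    flow = []
    for start in (0.0, 95.0, 400.0, 410.0, 900.0):
        for j, offset in enumerate((0.0, 0.1, 0.2, 0.5, 1.2)):
            flow.append((start + offset, "out", 300 + 50 * j))
            flow.append((start + offset + 0.05, "in", 1400))
    return flow


if __name__ == "__main__":
    for name, flow in (("mining-like", constructed_mining_flow()),
                       ("browsing", constructed_browsing_flow())):
        f = flow_features(flow)
        print(name, {k: round(v, 3) for k, v in f.items()}, "->", is_mining_like(f))
```

The regularity score is the coefficient of variation of the inter-packet gaps, so it is insensitive to the absolute interval: a miner submitting every 10 s and one submitting every 2 minutes both score near zero. In production the per-flow tuples would be grouped by source host and destination from NetFlow or packet-capture records, and a low score on a long-lived flow to an unknown external host is the signal to hand to behavior analysis.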
Enterprise organizations worldwide rely on Allot Secure Service Gateway (SSG) to provide a single, scalable solution that maximizes the visibility, security and control of your network. Click here to read an Allot Threat Bulletin on Cryptojacking.