Nowadays, cryptocurrencies are popular and tempting. But, crypto-currencies are not just appealing for countless gamblers and hackers who misuse remote IT devices for crypto-mining. Even Russian engineers could not resist having a go. They attempted to crypto-mine Bitcoins by using a supercomputer in the Nuclear Centre SCADA ICS/DCS infrastructure. They were caught red-handed shortly after connecting to the internet.
Similar attempts have since been reported as the expenses of crypto-mining are extremely high, not just for the hardware equipment used, but also in energy consumption. According to some estimates, the Bitcoin network consumes as much energy as Denmark, with every single transaction requiring 250 kWh energy. This equates to at least several weeks of household electricity consumption...
In addition, it is expected that attackers will focus even more intensely on crypto-currencies than previously on data ransom. Instead, attackers will stop encrypting data and focus on the misuse of resources from organizations, as it is particularly tempting and hard to detect in real time. Recently, for example, there was a misuse of crypto-mining in companies including the British Insurance Company, Aviva, the world’s biggest SIM card manufacturer, Gemalto, as well as the technology company, Tesla.
Flowmon Networks carried out several security analyses focused on crypto-currency mining and the results showed that a certain percentage of user devices were being misused for crypto-mining through external web services. In addition, organisational server infrastructure was also partly affected in critical services, apps stability and availability.
This has two consequences:
- Increasing operational costs to support of critical services (CIOs)
- Demand for security solutions that can identify and notify in real time the occurrence of crypto-mining. Additionally, there will be a need to identify in real time the misuse of internal infrastructure to notify the occurance of a security incident (CSO)
CRYPTO-JACKING
This is where end device capacity is being misused (such as laptops, PCs, tablets and mobile phones) for crypto-mining without the consent of users or an IT Department. It works based on users being exposed to a harmfully coded webpage through standard coded https communication, for example, through a Facebook advertisement. After opening the advertisement, the user will be relocated to another webpage where the user gets a unique identification, which will ensure that the used resources have already been forwarded in the right ‘place’. In the next stage, ‘normal’ https communication connects to a ‘mining server’ (such as hashflare.io, but I will not deliberately attach the whole link, because it probably automatically installs CryptoNight JavaScript in a web browser for the purpose of Bitcoin mining). Everything will be carried out by redirecting the JavaScript on the end user device (for example, in the Google Chrome web browser).
Figure 1. Crypto-jacking: Crypto-mining identification using Flowmon ADS
In this case, for detecting crypto-jacking we use BPATTERNS and BLACKLIST methods in Flowmon Anomaly Detection System, where we identify communication with these mining servers. As a part of the forensic analysis, it will be precisely identified which user accessed which webpages and in which ones the user was relocated at the time of the misused devices.
OWN SERVERS COMPROMISED FOR CRYPTO-MINING
Infrastructure (web/application servers) is often targeted by attackers and if there are no applied rules on firewalls or there are open ports, the server becomes vulnerable. If there are no implemented organisational solutions on real time network communication behavioural analysis and suspicious threat detection, there is often a server misuse, also in the form of a specific unknown ‘mining pool’ installation. In this case, no signature will be triggered. However, there are several options how to identify server misuse from a communication network.
If a server starts immediately communicating with the internet, you are probably dealing with a relevant anomaly. Furthermore, this can be easily identified using the detection method, DIRNET.
Figure 2. Crypto-mining: DIRNET detection method using Flowmon ADS
Compromised servers by a specific software mining pool will communicate with the threat actor on nonstandard ports. Firstly, SSH, or RDP. But, it is also important to pay attention to other ports. In case that this happens in front of the firewall, there are not many options to identify this issue. Thus, detection methods such as Flowmon, Anomaly detection System RDPDICT, SSHDICT, HTTPDICT, DICTATTACK could help. At most, Flowmon can instruct the firewall by specifying a script to block this communication.
Figure 3. Crypto-mining: open server (SSH/RDP) ports for threat actor communication
These methods are useful for security event identification in real time, and in the case of automated traffic record also for forensic analysis purposes.
ADVICE WORTH ITS WEIGHT IN GOLD
If you are currently investing or trading crypto-currencies on crypto stock exchanges, and if you are using SW wallets, and if you are mining coins or tokens and finally, if you are using different cloud and outsourced services, such as NiceHash, always make sure that multi factor authentication is required and check whether you are not accessing some fishy DNS which asks for your personal entry data. If you do not, there might be loss of sources not just by individuals, but also organisations occupied by professional trading on crypto stock exchanges.