The hidden danger of cryptocurrency mining in the enterprise
New research has revealed that cryptocurrency mining software has already infected at least 1.65 million endpoints this year. Should the enterprise be worried?
Kaspersky Lab data shows that cryptocurrency mining infections have spiked in recent years. In 2013 Kaspersky saw only around 205,000 endpoints targeted, a figure which jumped to 701,000 the following year. In the first eight months of 2017 the number of attacked users has already hit 1.65 million.
So what exactly is a cryptocurrency miner? The answer is a piece of software that performs the perfectly legal task of using CPU resources to 'create' cryptocurrency such as Bitcoin.
Professor Kevin Curran, senior IEEE member and professor of cyber-security at Ulster University, told SC Media that miners have "moved away from attempting to mine Bitcoin due to the computation power needed" and instead "moved to more reasonable cryptocurrencies like Monero and zcash as mining on sufficient general purpose processors can yield good returns when you are not paying for the power consumed."
The problem is that users, including businesses whose servers are seen as a good source of 'free' computing power, can end up running mining software either because they were fooled into including it during an otherwise legitimate application installation or because a software vulnerability was exploited to install it.
Kaspersky Lab says that "over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organisations."
The very nature of 'concealed' mining applications, programmed to operate when CPU cycles are not being used for other things, makes them difficult to detect. They will often also attempt to disable security software and watch for any application or process that monitors system activity, at which point the miner suspends itself to avoid being caught in the act.
In the great scheme of insecurity matters, cryptocurrency miners might appear to sit at the low-impact end of the spectrum. After all, such a miner doesn't exist to do much beyond hiding itself and mining. So, beyond the fact that such infections reveal gaps in endpoint security measures, what are the potential consequences to the enterprise of those machines being used as part of a mining botnet?
Sergey Nikitin, deputy head of the forensics lab at Group-IB, argues that such miners don't currently pose a serious threat. "For the businesses it is more a reputational risk," he says, "if it turns out that a server where client data is processed has been infected with a piece of mining software."
Professor Steven Furnell, senior IEEE member and Professor of IT Security at Plymouth University, points out that because victims will not necessarily suspect malware is to blame, given the various other factors that can routinely cause systems to slow down, "it may remain undetected for longer, as may the route by which it got in."
It's this use of processing power that catches the attention of others SC Media UK contacted, such as Sam Curry, chief security officer at Cybereason, who told us that the presence of mining software is "inherently self-serving on any system" and can effectively cause "denial of service to the user." And Graeme Park, senior cyber-security consultant at Mason Advisory, adds that the "compute power required for mining lends itself to distributed mechanisms or botnets", so "a crypto-infection across the enterprise will have significant computing draw and could slow down business processes."
Meanwhile Ilia Kolochenko, CEO of web security company High-Tech Bridge, acknowledges that "if mining software can use the full processing power of the infected machines their hardware may fail much faster", but otherwise agrees with Nikitin that it's not possible to "clearly distinguish any particular risks for businesses whose machines are used for cryptocurrency mining."
Not everyone agrees of course. Take Liviu Arsene, senior e-threat analyst at Bitdefender, who told SC that "there have been instances where hackers gained access to AWS instances and started using them to mine Bitcoin. This abuse caused Amazon to bill the legitimate owners of the compromised accounts with thousands of dollars' worth of computing time."
Not everyone is worried by the processing power and associated costs of mining software. Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that the most concerning aspect is that such "malware can morph into something that does actual harm such as crypto-ransomware or a jump host for lateral movement or collection of intelligence for targeted attacks." And Ziv Mador, VP of security research at Trustwave SpiderLabs, adds that even though mining malware is not the highest-risk threat out there, "it does indicate that the machine got compromised and was likely already infected with other malware, or that may happen soon."
We will leave the last word with Joe Pindar, director of strategy at Gemalto, who advises that enterprises take a step back and not only look for traffic spikes, but monitor endpoint system performance and the number of CPU cycles. "It's not a complete mindset shift," Pindar concluded, "but about having more awareness of what is going on around them..."
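Pindar's advice to watch endpoint CPU cycles can be turned into a simple detection heuristic. The block below is an added example, not code from the article or from any vendor quoted in it: it runs over constructed per-process CPU samples and flags processes whose CPU use is concentrated in windows where the user is idle, the behaviour the article attributes to concealed miners. The process names, thresholds and sample values are all assumptions chosen for illustration.

```python
"""Flag processes whose CPU use tracks user idle time.

The telemetry below is constructed for this example; in practice the
samples would come from an endpoint agent polling per-process CPU and
a user-idle signal (no keyboard/mouse input) once a minute.
"""
from collections import defaultdict

# Constructed samples: (minute, user_idle, {process_name: cpu_percent})
# "updater.exe" is a hypothetical process that only burns CPU while idle.
SAMPLES = [
    (0, False, {"outlook.exe": 12.0, "svchost.exe": 2.0, "updater.exe": 1.0}),
    (1, False, {"outlook.exe": 9.0, "svchost.exe": 1.5, "updater.exe": 0.5}),
    (2, True, {"outlook.exe": 0.5, "svchost.exe": 1.0, "updater.exe": 88.0}),
    (3, True, {"outlook.exe": 0.2, "svchost.exe": 1.2, "updater.exe": 91.0}),
    (4, True, {"outlook.exe": 0.3, "svchost.exe": 0.9, "updater.exe": 87.0}),
    (5, False, {"outlook.exe": 15.0, "svchost.exe": 2.1, "updater.exe": 0.8}),
]


def idle_cpu_profile(samples):
    """Return {process: (mean CPU% while idle, mean CPU% while active)}."""
    buckets = defaultdict(lambda: {"idle": [], "active": []})
    for _minute, idle, procs in samples:
        for name, cpu in procs.items():
            buckets[name]["idle" if idle else "active"].append(cpu)

    def mean(values):
        return sum(values) / len(values) if values else 0.0

    return {n: (mean(b["idle"]), mean(b["active"])) for n, b in buckets.items()}


def suspect_idle_miners(samples, idle_threshold=50.0, ratio=5.0, min_idle_hits=3):
    """Flag processes that exceed idle_threshold CPU% in at least
    min_idle_hits idle samples and whose idle mean is at least `ratio`
    times their active mean (i.e. they back off when the user is present)."""
    profile = idle_cpu_profile(samples)
    idle_hits = defaultdict(int)
    for _minute, idle, procs in samples:
        if idle:
            for name, cpu in procs.items():
                if cpu >= idle_threshold:
                    idle_hits[name] += 1
    flagged = []
    for name, (idle_mean, active_mean) in profile.items():
        backs_off = idle_mean >= ratio * max(active_mean, 1.0)
        if idle_hits[name] >= min_idle_hits and backs_off:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspect_idle_miners(SAMPLES))
```

A real deployment would pair this with the traffic-spike check Pindar mentions, since a miner that throttles itself evenly across idle and active periods would evade a purely idle-correlated rule.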