Mining cryptocurrency is a computationally intensive task, requiring a great deal of computing power, the electricity to run those computers, and internet connectivity. Malicious actors in search of relatively quick profits have turned to cryptomining malware attacks and drive-by cryptojacking scripts embedded in web pages, powered by the Coinhive platform, which is shutting down on March 8th.
One emerging trend is “shadow mining,” the use of IT resources inside one’s organization to covertly mine for cryptocurrencies, according to an Exabeam research report published Friday. Shadow mining is a growing problem in organizations, as the report points to a variety of incidents where this already occurred, including a National Science Foundation researcher using government supercomputers to mine for Bitcoin in 2014, a Chinese school headmaster fired for mining Ethereum in 2018, and a Federal Reserve analyst using government servers to mine Bitcoin for two years.
Traditional desktop antivirus solutions flag cryptocurrency miners as potentially unwanted programs, as several malware families include built-in miners.
“To be successful and remain undetected, an insider threat such as shadow mining depends on deliberately configuring security systems to function incorrectly,” the report states. “This scenario not only makes an organization less secure, but by introducing software that consumes additional resources and increasing its attack surfaces, shadow mining can be said to make affected computers less reliable.”
The difficulty of detecting shadow mining corresponds to the sophistication of the attacker. This poses a problem in the enterprise, as a sufficiently motivated, well-positioned, and capable employee can go a long way toward covering their tracks when shadow mining. For network-based detection, the report indicates that it is straightforward to detect activity by using mining pool blacklists, though if a mining application transmits over TLS, “a decapsulating web proxy can generate self-signed certificates for mining pool sites on-the-fly, with the miner simply accepting such certificates. With TLS traffic decapsulated by a proxy serving as a man-in-the-middle, the network activity of the miners can be observed without encryption,” as an analysis shows that several mining applications do not verify certificates. Comparatively, host-based detection is more difficult, as it relies on the software running on the host being trustworthy and configured properly, and an attacker with control of the host can limit the extent to which logs or other auditable data are generated.
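The blacklist-based network detection the report describes can be illustrated with a small script that checks web-proxy log entries against a list of known mining-pool domains. This is an added example written for this article, not code from the Exabeam report or TechRepublic: the log format, the source addresses and every hostname and blocklist entry are constructed placeholders (the `.test` domains are reserved and not real pools).

```python
"""Flag proxy log entries whose destination matches a mining-pool blocklist.

Added example, not from the Exabeam report. The log format, hosts and
blocklist entries are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed blocklist: hypothetical pool domains, not real ones. In practice
# this would be loaded from a maintained mining-pool blacklist feed.
MINING_POOL_BLOCKLIST = {
    "pool.example-miner.test",
    "stratum.example-pool.test",
}

# Constructed proxy log format (assumed for this example):
#   "<ts> <src_ip> CONNECT <host>:<port>"      for TLS tunnels
#   "<ts> <src_ip> GET http://<host>/<path>"   for plain HTTP
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>CONNECT|GET) (?P<target>\S+)"
)

# Constructed sample log: two hosts talk to blocklisted pools, one does not.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.0.0.5 GET http://intranet.corp.test/index.html
2019-03-01T10:00:07Z 10.0.0.9 CONNECT eu1.pool.example-miner.test:3333
2019-03-01T10:00:09Z 10.0.0.9 CONNECT pool.example-miner.test:443
2019-03-01T10:01:12Z 10.0.0.5 CONNECT mail.corp.test:443
2019-03-01T10:02:30Z 10.0.0.14 GET http://stratum.example-pool.test/api/stats
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str
    port: int


def extract_host_port(method: str, target: str) -> Optional[Tuple[str, int]]:
    """Pull a normalised (host, port) out of a CONNECT target or an HTTP URL."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.lower().rstrip("."), int(port)
    m = re.match(r"^https?://([^/:]+)(?::(\d+))?", target)
    if not m:
        return None
    host = m.group(1).lower().rstrip(".")
    default = 443 if target.startswith("https") else 80
    return host, int(m.group(2)) if m.group(2) else default


def is_blocklisted(host: str, blocklist: Set[str] = MINING_POOL_BLOCKLIST) -> bool:
    """Label-wise suffix match: eu1.pool.example-miner.test matches
    pool.example-miner.test, but notpool.example-miner.test does not
    (a naive substring check would produce that false positive)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_proxy_log(lines: Iterable[str],
                   blocklist: Set[str] = MINING_POOL_BLOCKLIST) -> List[Hit]:
    """Return one Hit per log entry whose destination host is blocklisted."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hp = extract_host_port(m["method"], m["target"])
        if hp and is_blocklisted(hp[0], blocklist):
            hits.append(Hit(m["ts"], m["src"], hp[0], hp[1]))
    return hits


def hosts_by_source(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Group flagged destinations by internal source address for triage."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h.src, set()).add(h.host)
    return out


if __name__ == "__main__":
    for src, hosts in hosts_by_source(scan_proxy_log(SAMPLE_LOG.splitlines())).items():
        print(f"{src} contacted mining pool(s): {', '.join(sorted(hosts))}")
```

Because an explicit proxy records the CONNECT hostname before any TLS handshake, hostname-level blacklisting works without breaking encryption; the decapsulating proxy the report describes is only needed to inspect the mining traffic itself, and only succeeds against miners that, as the report notes, do not verify certificates.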
With the barrier to entry to cryptocurrency mining lowered to the point that people other than IT professionals can get started, the potential for shadow mining to be a problem clearly exists. The report concludes that “a sufficiently knowledgeable person could be much more effective in hiding their mining efforts. Several of the miners we used are open source software and could easily be customized to be installed as an ostensibly innocuous sounding service,” adding that “Given the popularity of cryptocurrencies (despite their value being highly volatile over the past year), it’s entirely plausible that it’s already occurring in one enterprise or another.”
For more on cryptomining detection, check out TechRepublic’s look at a new detection method to identify cryptomining and other fileless malware attacks.