How to detect and prevent crypto mining malware
- 04 April, 2018 20:00
Hackers are turning to cryptojacking — infecting enterprise infrastructure with crypto mining software — to have
Enterprises are very much on the lookout for any signs of critical data being stolen or encrypted in a ransomware attack. Cryptojacking is stealthier, and it can be hard for companies to detect. The damage it causes is real but isn't always obvious.
The damage can have an immediate financial impact if the crypto mining software infects cloud infrastructure or drives up the electric bill. It can also hurt productivity and performance by slowing down machines.
"With CPUs that are not specifically made for crypto mining, it could be detrimental to your hardware," says Carles Lopez-Penalver, intelligence analyst at Flashpoint. "They can burn out or run more slowly."
Cryptojacking is in the early stages, he added. If a company spots one type of attack, there are four or five others that will get by. "If there's something that could potentially stop crypto miners, it would be something like a well-trained neural network," Lopez-Penalver says.
That's just what some security vendors are doing — using machine learning and other artificial intelligence (AI) technologies to spot the behaviors that indicate crypto mining, even if that particular attack has never been seen before.
Network crypto mining defense
Many vendors are working at detecting crypto mining activity at the network level. "Detection [at the endpoint] right now is very tricky," says Alex Vaystikh, CTO at SecBI Ltd. "It can be on anything from mobile devices to IoT to laptops and desktops and servers. It can be either intentional or unintentional. It is extremely, extremely broad."
All cryptojacking malware has one common aspect, Vaystikh says. "To mine any cryptocurrency, you must be able to communicate, to receive new hashes and then, after calculating them, return them to the servers and put them in the correct wallet." That means that the best way to detect crypto mining is to monitor the network for suspicious activity.
Unfortunately, crypto mining traffic can be very difficult to distinguish from other types of communications. The actual messages are very short, and malware writers use a variety of techniques to obfuscate them. "It's extremely difficult to write a rule for something like this," Vaystikh says. "So not many companies can detect it. Pretty much every organization above 5,000 employees has the data already — the only problem is that it is very, very hard to go over the huge amounts of data that they have."
SecBI’s Autonomous Investigation technology deals with this issue by using machine learning to look for suspicious patterns in the vast sea of data that come through corporate networks. There are thousands of factors that SecBI looks at, Vaystikh says. For example, crypto mining traffic is periodic, though malware writers will try to disguise the regular nature of the communication by, for example, randomizing the intervals.
Crypto mining also has an unusual message length. Incoming traffic, the hash, is short. The outgoing results are slightly longer. By comparison, with normal internet traffic, the initial request is short and the response is long. "In Bitcoin mining, I actually upload a little bit more than I download," Vaystikh says. "That is something that we look for." The technology can be applied to public cloud infrastructure like Amazon as well as to on-premises networks, he says.
Even if the traffic is encrypted — and 60 percent of all network traffic now is — the periodicity of the communications, the lengths of the messages, and other subtle indicators combine to help the system spot the infections. In fact, when crypto mining first showed up, SecBI's platform flagged it as possibly malicious before it even knew what it was. "Now, after our users looked at it, they say, 'Ah, it's crypto mining!' and the software now correctly classifies it as well," Vaystikh says.
Over the last few months, SecBI's system has learned to detect cryptojacking, classify it correctly, and it can even take immediate corrective action. "For example, you can automatically issue a new rule to the firewall to isolate that traffic and block it," says Vaystikh.
Not everyone will choose to automate that response, he adds. For example, a legitimate website might have been hijacked. "Our technology has the ability to recommend the best solution — reimaging the machine or blocking the destination — and the customer can choose what is the best course of action in that particular case."
Another security vendor that's analyzing network traffic to spot potential crypto mining activity is Darktrace with its Enterprise Immune System technology. "We have anomaly detection at the network level and can capture subtle deviations on any of your computers," says Justin Fier, the company's director of cyber intelligence and analysis. "If your computer is used to doing XYZ and all of a sudden it starts doing something we've never seen before, it's easy to spot. When it starts happening on thousands of computers, it's even easier to spot."
It's not just the computers that are vulnerable. "Anything with computing cycles can be used for this," Fier says. "We're surrounded by so many things with an IP address that are connected to the internet, that can be connected to make one supercomputer to mine cryptocurrency. One thermostat is not really going to produce anything, but when you put it together into a big mining pool, a hundred thousand of them, that's enough to make a difference.”
"One or two computers might not be a big deal, but if you have thousands of computers, you start to affect the corporation’s overall resources and bandwidth," says Fier. "Certain corporations might not even be legally allowed to mine cryptocurrencies for various regulatory reasons."
"I have not seen any AV product with endpoint detection of cryptojacking — browser-based crypto mining — based on behavior alone," Mursch says. A more targeted approach is installing browser extensions. He recommends minerBlock.
Another extension that works well is NoCoin, which does a decent job at blocking Coinhive and its clones, says Marc Laliberte, information security threat analyst at WatchGuard Technologies. "But there have been several cases of legitimate extensions being infected with crytocurrency mining malware," he warned.
Like SecBI and Darktrace, WatchGuard offers a network-based defense strategy for cryptojacking. "The WatchGuard firewall can proxy connections and inspect traffic, and looks for malicious behavior like cryptocurrency miners," says Laliberte. "During the past month, we had two cryptocurrency miners in our top ten attack list for the U.S."
The company looks for red flags such as connections to known crypto mining pools, and it uses sandboxing technology. "We like to look at multiple behaviors before labeling something as bad or good," Laliberte says.
The indicators are getting more and more subtle, he adds. "We're really starting to see attackers rewind the clock to where malware wasn't as overt as it was with, say, ransomware," Laliberte says. "An ongoing revenue source is more valuable than a one-and-done attack like ransomware." As a result, the attackers aren't letting their malware go full-bore, he says. "That becomes suspicious. You can't just be looking at resource utilization, but at network traffic and other potential indicators of compromise."
Smart endpoint crypto mining defense
Another approach to cryptojacking detection is to protect the endpoint. According to Tim Erlin, VP of product management and strategy at Tripwire, attackers can evade network-based defenses by using encryption and less visible communication channels. "The most effective way to detect cryptocurrency mining is on the endpoint directly," he says. "That’s why it’s vital to be able to effectively monitor systems for changes and determine if they’re authorized or not."
In particular, the endpoint protection technology has to be smart enough to catch previously unknown threats, not just block known bad activity, says Bryan York, director of services at CrowdStrike, an endpoint protection vendor. That isn't just limited to executable malware, he adds. "Attackers are now using scripting language, taking advantage of software that's legitimately used on your computers and systems, and using it in an illegitimate fashion."
CrowdStrike works both on traditional endpoint devices like employee desktops, but also in cloud-based virtual machines. "We have had some cases where crypto mining software has been installed in cloud environments, like AWS EC2 instances," he says. "We take a similar approach to preventing those. There is also a unique aspect, and that is understanding how it got there. To understand that, you need to use the API log data that's available from AWS. That makes those investigations a little bit more challenging, but a little bit more interesting."
The insider crypto mining threat
When the crypto mining software is deliberately installed by a legitimate user, detecting it is even more challenging, says York. "I just had a case a couple of weeks ago, an investigation with a rogue insider, a disgruntled employee," says York. "He decided that deploying crypto minng software throughout the environment was going to be part of his way out of the door and a way to display his contempt for the company."
What made it particularly difficult was that the insider was aware of how his company was detecting the crypto mining and preventing its spread. "He started Googling us and reading some of the articles that had been published," says York. "We found them in his web browser history. He was actively trying to subvert us."
Corporate policies might not specifically prohibit employees running crypto mining operations using corporate resources but setting up such an operation will probably be risky for an employee. "The bill will show up and you'll get fired," says Steve McGregory, senior director for application and threat intelligence research center at Ixia. "So that would probably be a short-lived scheme, but if you had the ability to control the logs, a rogue employee could make a decent dime on the side for some time."
Educational institutions are particularly vulnerable, he added. "A lot of the people coming to us asking for help are universities," McGregory says. "Students are just plugging their ASIC [crypto mining] system into the dorm room and cranking the electric bill. The university is paying the bill, so it does cost them. The students did not illegally get into the system."
Employees can also plug in their own equipment, he added, and it can be hard to trace the actual cause of a spike in an electric bill. "They'd probably find it by walking around and seeing what the warmest area was," McGregory suggests.
Trusted insiders can also spin up virtual machines on AWS, Azure or the Google cloud, do their calculations, and then shut them down quickly before anyone notices, says Robert McNutt, VP of emerging technology at ForeScout. "This is the real risk organizations should be thinking about since it is much harder to detect, and for some could be very lucrative, thus making it something that could become more common," he says.
External attackers with stolen credentials could do this as well, he adds. In fact, Amazon now offers EC2 instances with GPUs, which makes crypto mining more efficient, McNutt says. That makes it even more costly for the company paying the bill.