Cisco’s research team Talos, just released a white paper covering the concern of cryptocurrency mining. There has been a major shift from threat actors infecting targets with Ransomware to turning target networks into Crypto mining centers for their own benefit. Many people have asked me about how to defend against this so here is a new white paper on this concept. The original post can be found HERE.
Cisco Talos is releasing a whitepaper addressing Cryptocurrency mining and all the ways to block it using Cisco Security products. The value of cryptocurrencies has fluctuated wildly, but the value is still high enough to garner a lot of attention, both legitimate and malicious. Most of the malicious activity we see is done for financial gain, and cryptocurrencies have provided attackers with a lucrative new avenue to pursue: cryptocurrency mining.
Over the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. This threat is spreading across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. That doesn’t include the quasi-legitimate in-browser mining that is becoming increasingly common.
Generally speaking, cryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. Enterprises need to start making tough policy decisions regarding cryptocurrency mining. It is common for end users to try and generate additional revenue by installing miners on their desktop and mining off-hours. This type of activity needs to be addressed by the enterprise. However, it will be detected along with malicious cryptocurrency mining in the environment.
To understand the different ways to block cryptocurrency mining, you need to know how pool-based mining works and how adversaries take advantage of it. Taking a single standalone system is not an effective way to generate significant revenue and, in conjunction with electricity usage, does not make sense for the average user to pursue.
However, if you have a large block of systems and leverage pool-based mining, the profits can add up, and adversaries have noticed. Malicious actors have pivoted and started using open-source cryptocurrency miners. The ability to quickly deploy these miners without requiring true command and control access has made them incredibly attractive. The results have been stunning. We have seen massive campaigns generating hundreds of thousands, if not millions of dollars, for the attackers. The size and scale of this problem are just starting to come into focus and looks to be worsening in the near term. This brings us to the challenge of detection.
Since these miners rely on both end systems and network traffic to operate, it creates many different avenues for detection. Cisco Talos is releasing a whitepaper that provides a high-level overview of what malicious cryptocurrency mining is and the plethora of different ways that Cisco Talos goes about blocking it. This includes technologies like Cisco Intrusion Prevention System (IPS), Advanced Malware Protection (AMP), Umbrella, and Threat Grid, among others.
For the full details of all the methods and technologies Cisco Talos uses to thwart this threat, download the full whitepaper here.