By Liviu Arsene, Senior e-Threat Analyst at Bitdefender
In December 2017, Bitcoin reached a then record high of close to $19,000 per unit. Before that, cryptocurrency had been used mostly by cybercriminal groups trading on the dark web, but the sudden surge in value sparked mainstream interest. Cybercriminals also began mining less well-known cryptocurrencies such as Monero, partly in the hope that their value would rise in the same way and partly because Monero can be mined profitably on ordinary CPUs and its transactions are hard to trace, which makes it well suited to mining on hardware the attacker does not own.
Mining through consumers' machines yields little per victim, and as the coins became harder to mine cybercriminals turned instead towards organisations with the scale of infrastructure and data centres that would let them ramp up their efforts. They had learned one important lesson from the consumer phase: a miner that pins a CPU at 100 percent is noticed quickly, so they capped consumption at 70 or 80 percent instead. With that throttling, operations often ran undetected inside corporate infrastructure for months at a time, with the potential to mine millions of dollars' worth of cryptocurrency.
Exploiting data centres, however, is more involved than exploiting regular users. Rather than compromising popular CMS platforms to push miners at site visitors, cybercriminals had to use the kind of exploits associated with advanced persistent threats, such as EternalBlue, the SMBv1 exploit (patched in MS17-010) of WannaCry notoriety. In other words, some of the most sophisticated attack techniques in the criminal arsenal are now being used to drop cryptojackers rather than, say, payloads for data theft, and the fact that they can be is itself a serious threat.
Cryptominers can be bundled with more malicious software and left behind post-breach as a one-two punch for the victim. A mining tool found anywhere on the network should therefore be treated as evidence of a successful intrusion rather than as a performance nuisance: whatever vulnerability let the miner in may already have been used for cyber espionage or data exfiltration, and the incident response should look for exactly that.
Performance is of critical importance to data centres: poor performance raises operating costs, slows down processes and hurts end-user experience and productivity. Cryptojackers cause all of these, and automated provisioning is part of the reason. Auto-scaling is meant to optimise data centre performance, but when a cryptojacker rides on it the effect is reversed, and the mining operation is scaled up at the data centre's expense.
In a highly virtualised infrastructure, VDI templates or container images may be altered so that mining software is deployed every time a new instance is provisioned. Unless baseline performance metering was established before the infection, the company will struggle to spot a mining operation before it is suddenly hit with a much larger bill.
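What baseline metering buys you, as an added example (not code from the article or from Bitdefender): the script below takes a clean pre-incident window of per-host CPU samples, derives a baseline, and then flags runs of samples that are both well above baseline and unusually flat, which is the signature of a miner throttled to 70 or 80 percent. It assumes a monitoring stack that already exports one CPU-utilisation sample per host per minute; the host names and series are constructed for illustration.

```python
"""Baseline CPU metering to catch a throttled miner.

Added example for this article, not Bitdefender code. It assumes a metrics
collector already exports one CPU-utilisation sample per host per minute;
the sample series below are constructed to show the pattern, not telemetry.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Plateau:
    host: str
    start: int          # index of the first sample in the run
    length: int         # number of consecutive samples
    plateau_mean: float
    baseline_mean: float


def build_baseline(samples):
    """Mean and standard deviation of a clean, pre-incident window."""
    return mean(samples), pstdev(samples)


def find_plateaus(host, series, baseline, min_len=30, sigma=3.0, max_jitter=5.0):
    """Flag runs of at least min_len samples that stay sigma standard deviations
    above the baseline mean AND vary by no more than max_jitter points.

    A miner capped at 70-80% produces exactly this: high, flat and sustained.
    Legitimate load is usually either short (a burst) or noisy (a batch job
    whose CPU use swings with I/O), so it fails one of the two tests.
    """
    base_mean, base_sd = baseline
    threshold = base_mean + sigma * base_sd
    findings = []
    i, n = 0, len(series)
    while i < n:
        if series[i] < threshold:
            i += 1
            continue
        j = i
        while j < n and series[j] >= threshold:
            j += 1
        run = series[i:j]
        if len(run) >= min_len and max(run) - min(run) <= max_jitter:
            findings.append(Plateau(host, i, len(run),
                                    round(mean(run), 1), round(base_mean, 1)))
        i = j
    return findings


def scan_fleet(fleet, baseline):
    """fleet: {host: [cpu%, ...]}. Returns only the hosts with findings."""
    out = {}
    for host, series in fleet.items():
        hits = find_plateaus(host, series, baseline)
        if hits:
            out[host] = hits
    return out


# Constructed data. Baseline: a quiet web tier idling around 20%.
QUIET = [18.0, 22.0, 20.0, 24.0, 16.0, 21.0]
BASELINE = build_baseline(QUIET * 20)          # mean ~20.2, sd ~2.6

FLEET = {
    # Infected after 30 minutes: miner throttled to ~75%, barely moving.
    "web-01": QUIET * 5 + [74.0, 76.0, 75.0, 77.0, 73.0, 76.0] * 10 + QUIET * 5,
    # Legitimate: a 10-minute report job (short and noisy), then a noisy
    # 40-minute import (long, but swinging between 55% and 90%).
    "web-02": QUIET * 5 + [95.0, 90.0, 88.0, 97.0, 92.0, 85.0, 99.0, 91.0, 94.0, 89.0]
              + QUIET * 5 + [60.0, 90.0, 55.0, 85.0] * 10 + QUIET * 5,
    # Auto-provisioned from a tampered image: mining from its first sample.
    "web-03": [75.0, 76.0, 74.0] * 40,
}

if __name__ == "__main__":
    for host, hits in scan_fleet(FLEET, BASELINE).items():
        for p in hits:
            print(f"{host}: {p.length} min at ~{p.plateau_mean}% from sample {p.start} "
                  f"(baseline {p.baseline_mean}%)")
```

The two criteria matter together: the threshold alone would flag every batch job, and the jitter test alone would flag every idle host. A steady, long-running legitimate workload (a video transcoder, say) will still trip this, so treat a hit as a lead for the next check (what process owns the CPU, where it connects) rather than as a verdict. For an auto-scaled fleet, web-03 is the case to worry about: a new instance that is "busy" from its very first sample has no clean history of its own, which is why the baseline must come from a known-good image and not from the instance itself.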
Securing data centres against cryptojacking calls for the same multi-layered approach that would be deployed against APTs, fileless attacks and the known or unknown vulnerabilities used to deploy cryptominers in the first place.
Detecting file-based and fileless cryptojackers requires layered security that can block the attack at several stages of its lifecycle, both in the data centre and on endpoints. Memory protection that recognises the memory manipulation techniques used when exploiting known or unknown vulnerabilities can also stop cryptojacking samples from being dropped into virtual workloads.
One of the most effective methods of detecting and mitigating cryptojacking is hypervisor introspection, which inspects guest memory from outside the virtual machine and blocks those memory manipulation techniques before a workload is compromised at all. Given that cryptojackers have been known to use leaked nation-state exploits such as EternalBlue, catching the threat this early is crucial to avoiding substantial costs, not to mention the possibility of a data breach if additional malware is deployed alongside the miner.
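One of the later lifecycle stages mentioned above, the miner phoning home to its pool, is visible on the network whatever dropped the miner. As an added example (not code from the article or from Bitdefender), the detector below looks for the Stratum handshake in egress payloads: Stratum is line-delimited JSON-RPC, the classic dialect opens with mining.subscribe and mining.authorize, and the XMRig/Monero dialect opens with a login call carrying login, pass and agent fields. It assumes a sensor that already reconstructs TCP payloads as text lines; the flow records, addresses and wallet placeholder are constructed.

```python
"""Spotting a miner's pool handshake (Stratum) in egress traffic.

Added example for this article, not Bitdefender code. It assumes a sensor
that reconstructs TCP payloads as text lines; the flow records below are
constructed, and the wallet string is a placeholder, not a real address.
"""
import json
from dataclasses import dataclass

# Classic (Bitcoin-derived) Stratum methods plus the XMRig/Monero "login".
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
# Miner user agents commonly sent in the handshake (case-insensitive substring).
MINER_AGENTS = ("xmrig", "cpuminer", "cgminer", "bfgminer", "xmr-stak")


@dataclass
class Verdict:
    src: str
    dst: str
    reason: str


def inspect_payload(payload: str):
    """Return a reason string if the line looks like a Stratum handshake, else None."""
    try:
        msg = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    if method == "login":
        # Plain "login" is too generic on its own; the Monero dialect always
        # sends a params object with login and pass keys.
        if not (isinstance(params, dict) and "login" in params and "pass" in params):
            return None
    # The agent string sits in params.agent (Monero) or params[0] (classic).
    agent = ""
    if isinstance(params, dict):
        agent = str(params.get("agent", ""))
    elif isinstance(params, list) and params and isinstance(params[0], str):
        agent = params[0]
    if any(a in agent.lower() for a in MINER_AGENTS):
        return f"stratum {method} with miner agent {agent!r}"
    return f"stratum {method}"


def scan(flows):
    """flows: iterable of (src, dst, payload). Returns one Verdict per hit."""
    hits = []
    for src, dst, payload in flows:
        reason = inspect_payload(payload)
        if reason:
            hits.append(Verdict(src, dst, reason))
    return hits


# Constructed flow records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    ("10.20.3.7", "203.0.113.10:3333",
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}'),
    ("10.20.3.7", "203.0.113.10:3333",
     '{"id":2,"method":"mining.authorize","params":["worker1","x"]}'),
    ("10.20.5.12", "198.51.100.44:4444",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":'
     '{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.18.0"}}'),
    # Benign JSON-RPC and a plain HTTP request: must not match.
    ("10.20.7.2", "192.0.2.9:8545",
     '{"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}'),
    ("10.20.7.2", "192.0.2.9:443", "GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for v in scan(SAMPLE_FLOWS):
        print(f"{v.src} -> {v.dst}: {v.reason}")
```

This is one layer, not a substitute for the memory protection and introspection described above: a miner using stratum+ssl or a pool proxy on an innocuous port hides the handshake from a plaintext sensor, so pair the payload match with destination reputation, connections from hosts that should not talk to the internet at all, and the CPU plateau check. A hit that does appear is cheap to act on, because it names the host, the pool and usually the miner family in a single line.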