In this week’s threat detection blog, we will be reviewing a financially-motivated threat that is becoming more common as the use of cryptocurrency becomes more mainstream - crypto mining malware (also known as cryptojacking). Let's look deeper into what crypto mining is, how attackers can use your system to perform it, and how Stamus Security Platform (SSP) can help.
At Stamus Networks we talk about threats often, but we realized that we hadn’t spent much time highlighting what threats we were talking about. This series — Threats! What Threats? — seeks to solve that problem.
What does Crypto Mining Malware do and why is it bad?
Crypto mining malware, sometimes referred to as cryptojacking, is a type of malware attack that hijacks an organization’s computing resources to mine cryptocurrencies like Bitcoin or Ethereum. These Cryptocurrencies can be expensive to mine, so attackers have found ways to decrease their cost by stealing CPU power to calculate blockchain hashes.
Cryptocurrency is mined by using a systems CPU (or sometimes GPU) to perform highly complex mathematical equations that produce alphanumeric strings called hashes. These hashes, like those used in encryption services, are essentially the verification of cryptocurrency transactions. These transactions validate the hashes value on the blockchain. In the simplest terms, the first computer to find the solution to the equation receives a reward of coins that is now part of the blockchain and then the process starts over again.
As the puzzle has grown in complexity and the cost associated with electricity and hardware has increased, small-scale crypto mining can be much more expensive than the profit gained from the mining compensation. Some companies, such as Riot Blockchain, have invested hundreds of millions of dollars building crypto mining data centers that consume as much electricity as 800,000 homes.
Cryptocurrency miners looking to bypass mining expenses have identified illegal alternatives to operating their own network of hardware . By deploying crypto mining malware on hundreds or thousands of systems, miners can create a distributed network of mining machines - essentially a zero-cost computing infrastructure. Once installed onto a system through code embedded into a website or classic email phishing attempts, this malware can hijack a computer’s processing power to run the hash computations in the background.
This can cause a number of problems for an enterprise. First, the crypto mining software can cause a dramatic decrease in system speed, resulting in a loss of productivity.. In addition, crypto mining malware can give attackers an entry point into the network to steal sensitive data, deploy ransomware, or perform other harmful activities.
Thankfully, Stamus Security Platform (SSP) uses insights gathered from your network to detect and identify the presence of crypto mining malware on systems in your organization, so your security team can respond faster, keep your computer resources free, and provide visibility in your network activities.
How does Stamus Security Platform help with crypto mining malware?
Stamus Security Platform (SSP) helps security teams identify crypto mining activity in four primary ways:
Declarations of Compromise™
When SSP detects a serious and imminent threat on the network, the system issues a Declaration of Compromise™ (DoC). These events are the most high-confidence declarations that SSP can deliver. A DoC is a notification of a single, highlighted threat and the asset(s) it is impacting. It includes all the related activity of that threat such as when it was first seen, when it was last seen, and what killchain phase the threat is in. For each DoC event, your security analysts can see valuable context surrounding the impacted asset and its presence on the network.
SSP already includes multiple DoC coverage for common cryptocurrency-based threats like FakeWallet, Monero, and LemonDuck. The Stamus Labs threat research team is continually adding threat coverage. Detections are updated nearly everyday. SSP customers receive updates daily.
See below for details about the coverage available at the time of publication.
Guided Threat Hunting
Stamus Security Platform (SSP) also includes an enriched hunting interface. This includes over 100 guided threat hunting filters that enable a user to filter through alert events to find specific types of threats or activities using network insights. Users may filter further by network segments specific to the organization (ex: 3rd floor - accounting department).
Currently, there is one pre-defined filter that specifically searches through alert events for any crypto mining activities. With this filter, users can quickly identify possible crypto mining activities, investigate and classify them, and then ultimately create automations to identify any future or past events matching the filter criteria.
For a more thorough introduction into the Stamus enriched hunting face, read the “Introduction to Guided Threat Hunting” on the Stamus Networks Blog.
The screenshot below highlights the pre-defined filter results for crypto mining activity.
Suspicious Host Activity Detection via Sightings
Security analysts can also use the “Sightings” feature to uncover anomalous behavior and suspicious host activity on the organization’s network. In this case, SSP’s sightings detection algorithms identify the occurrence of never-before-seen artifacts from critical infrastructure.
Sightings can include connections based on discovered Host roles - domain controllers, DHCP servers, proxies, printers, etc. This gives the user a quick view of potentially suspicious activity like new, unfamiliar outbound connections or the use of crypto mining protocols like Stratum. Security analysts can use the “Sightings'' feature to identify crypto mining activity and any offending servers associated with it.
The screenshot below shows the results of the sightings detections.
More information on Stamus Security Platform
Hopefully you have learned more about what crypto mining is, how attackers use malware to exploit systems for crypto mining, and how Stamus Security Platform can help detect those activities using your organization’s network. Cryptocurrency is an exciting new technology, but it does not come without its risks to an organization’s safety.
If you would like to see a live demonstration of how Stamus Security Platform detects crypto mining malware or want to discuss how else it could help you detect and respond to threats in your network, please click on the button below to request a demo.