What are Cryptomining & Cryptojacking | How do you defend against cryptojacking?

Cryptomining

Transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger

Requires large amount of processing power and energy to be efficient

Cryptojacking

Unauthorized use of someone else’s computer to mine cryptocurrency

Symptoms and rectification of Cryptojacking

How is it done?

• Hackers install malware or a script that does cryptomining into the compromised server/computer
• The  malware or script (usually javascript) automatically starts up in the background and mines cryptocurrency for the hacker
• This is most commonly done when a user visits an infected website or through phishing

Symptoms:

• High CPU and/or GPU usage
• Overheating
• Crashes or restarts
• Slow response times
• Unusual network activity (e.g. connections to mining-related websites or IP addresses). For example, you may notice unexpected PowerShell processes connecting to IP addresses associated with xmrpool[.]net, nanopool[.]org, moneropool[.]com, and similar addresses.

Rectification:

• Investigate any abnormal activity
• Disable Javascript on specific sites
• Install anti-malware software and run periodic scans
• Monitor logs for unusual activity

How do you defend against cryptojacking?

The following cybersecurity best practices can help you protect your internet connected systems and devices against cryptojacking: (source from https://www.us-cert.gov/ncas/tips/ST18-002)

Use and maintain antivirus software.

Antivirus software recognizes and protects a computer against malware, allowing the owner or operator to detect and remove a potentially unwanted program before it can do any damage. (See Understanding Anti-Virus Software.)

Keep software and operating systems up-to-date.

Install software updates so that attackers cannot take advantage of known problems or vulnerabilities. (See Understanding Patches.)

Use strong passwords.

Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters. (See Choosing and Protecting Passwords.)

Change default usernames and passwords.

Default usernames and passwords are readily available to malicious actors. Change default passwords, as soon as possible, to a sufficiently strong and unique password.

Check system privilege policies.

Review user accounts and verify that users with administrative rights have a need for those privileges. Restrict general user accounts from performing administrative functions.

Apply application whitelisting.

Consider using application whitelists to prevent unknown executables from launching autonomously.

Be wary of downloading files from websites.

Avoid downloading files from untrusted websites. Look for an authentic website certificate when downloading files from a secure site. (See Understanding Web Site Certificates.)

Recognize normal CPU activity and monitor for abnormal activity.

Network administrators should continuously monitor systems and educate their employees to recognize any above-normal sustained CPU activity on computer workstations, mobile devices, and network servers. Any noticeable degradation in processing speed requires investigation.

Disable unnecessary services.

Review all running services and disable those that are unnecessary for operations. Disabling or blocking some services may create problems by obstructing access to files, data, or devices.

Uninstall unused software.

Review installed software applications and remove those not needed for operations. Many retail computer systems with pre-loaded operating systems come with toolbars, games, and adware installed, all of which can use excessive disk space and memory. These unnecessary applications can provide avenues for attackers to exploit a system.

Validate input.

Perform input validation on internet-facing web server and web applications to mitigate injection attacks. On web browsers, disable JavaScript execution. For Microsoft Internet Explorer, enable the cross-site scripting filter.

Install a firewall.

Firewalls may be able to prevent some types of attack vectors by blocking malicious traffic before it can enter a computer system, and by restricting unnecessary outbound communications. Some device operating systems include a firewall. Enable and properly configure the firewall as specified in the device or system owner’s manual. (See Understanding Firewalls.)

Create and monitor blacklists.

Monitor industry reports of websites that are hosting, distributing, and being used for, malware command and control. Block the internet protocol addresses of known malicious sites to prevent devices from being able to access them.