Cryptocurrency mining malware is stealthy and degrades network and endpoint performance, but some simple tasks and basic tools can minimize its impact.
Monitor network performance
First of all, it is important to monitor the performance of the systems in your network. End users may notice excessive CPU usage, temperature changes, or increased fan speeds and report them to IT. These signs can reveal poorly coded professional applications, but they can also indicate hidden malware on the systems. A good baseline of your systems' performance makes it easier to spot anomalies. But performance anomalies alone should not be relied upon to identify affected systems: recent incidents have shown attackers throttling their miners' CPU demand to mask their impact. For example, the Microsoft Digital Defense Report noted that a Vietnamese threat group called Bismuth had targeted private sector and government institutions in France and Vietnam. “Because cryptocurrency miners are considered lower priority threats by security systems, Bismuth was able to take advantage of its malware’s lower alert profile to slip into systems unnoticed.” As Microsoft states in a blog post, “Bismuth evaded detection by blending in with normal network activity.”
Check logs for unauthorized connections
To detect such stealthy actors, monitoring of machine behavior is required. For example, examining firewall and proxy logs can reveal the connections they make. Ideally, you should know exactly which Internet addresses company resources are allowed to connect to. If that is too cumbersome, reviewing firewall logs and blocking the known locations of cryptominers is the minimum. A recent Nextron blog post lists typical cryptomining pools from which they have observed activity. A review of the firewall or DNS server logs can tell whether your network is affected by this activity. When examining the logs, look for patterns such as *xmr.*, *pool.com, *pool.org, and pool.* to see if someone or something is misusing the network. If the network is very sensitive, limit connections to only the necessary locations and IP addresses. In the cloud age, that limit can be difficult to define. It can even be difficult to track the IP addresses used by Microsoft, and the list of allowed IP addresses may need to be adjusted whenever Microsoft adds new ranges for its Azure data centers.
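The log review described above, as an added example that is not part of the original article: a small Python script that applies the article's four glob patterns to hostnames from a DNS query log and groups hits by client IP. The log format (timestamp, client IP, queried name) and every hostname in it are constructed for the example; the fictional names use reserved .example/.invalid TLDs where possible. The script also takes an optional allowlist, because globs as broad as *pool.com also match unrelated names ending in "pool.com", so every hit still needs an analyst's triage.

```python
import fnmatch
import re
from collections import defaultdict

# Glob patterns quoted in the article, applied to the queried (or connected) hostname.
MINING_PATTERNS = ["*xmr.*", "*pool.com", "*pool.org", "pool.*"]

# Constructed sample DNS query log: "<timestamp> <client IP> <queried name>".
# The hostnames are fictional; carpool.com is included only to show that the
# *pool.com glob also catches ordinary names ending in "pool.com".
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.0.0.5 www.example.com
2024-03-01T08:00:04Z 10.0.0.5 xmr.minerpool.example
2024-03-01T08:00:09Z 10.0.0.7 login.microsoftonline.com
2024-03-01T08:00:12Z 10.0.0.9 pool.hashing.invalid
2024-03-01T08:00:15Z 10.0.0.9 eu.mypool.org
2024-03-01T08:00:20Z 10.0.0.11 carpool.com
2024-03-01T08:00:25Z 10.0.0.5 xmr.minerpool.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into (timestamp, client_ip, hostname); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    # Normalise case and strip a trailing dot so globs compare against a plain FQDN.
    return ts, client, qname.lower().rstrip(".")


def matching_patterns(hostname):
    """Return the list of article patterns that the hostname matches (may be empty)."""
    # fnmatchcase treats '*' as "any characters, dots included", which is the
    # intended reading of the article's patterns.
    return [p for p in MINING_PATTERNS if fnmatch.fnmatchcase(hostname, p)]


def scan_log(text, allowlist=frozenset()):
    """Return {client_ip: {hostname: (query_count, [patterns])}} for suspicious queries.

    Names in `allowlist` (triaged false positives) are skipped.
    """
    hits = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname = rec
        if qname in allowlist:
            continue
        pats = matching_patterns(qname)
        if not pats:
            continue
        count, _ = hits[client].get(qname, (0, pats))
        hits[client][qname] = (count + 1, pats)
    return dict(hits)


if __name__ == "__main__":
    # Repeated queries from one client to the same matching name are the
    # strongest lead; the count lets an analyst prioritise which host to check first.
    for client, names in scan_log(SAMPLE_LOG).items():
        for qname, (count, pats) in names.items():
            print(f"{client}\t{qname}\tqueries={count}\tmatched={','.join(pats)}")
```

The same function can be pointed at firewall or proxy logs once their destination field has been extracted into the third column; the patterns are a starting point, not a complete blocklist, so pairing them with the pool list from the Nextron post and an allowlist of triaged names keeps both misses and noise down.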
Use browser extensions to block cryptocurrency mining
Consider Edge’s Super-Duper Secure Mode
Consider cryptocurrency mining from the perspective of both external and internal threats. The corporate network, or, for a managed service provider, its customers’ networks, can be very tempting for internal users to mine cryptocurrency on; it is an opportunity some won’t want to pass up. In any case, reviewing all of these options will allow the business to proactively protect itself against potential attacks.