Spot and block cryptocurrency mining on your network
Cryptocurrency mining malware is stealthy and degrades network and endpoint performance. But a few simple tasks and basic tools can minimize its impact.
Because of its cheap geothermal and hydroelectric power, Iceland is known as a bitcoin mining hub. But any personal computer, or any computer connected to a company’s network, can be used to mine cryptoassets, and a machine may turn out to be running mining software in violation of company policy. Cryptomining is the process that creates new units of a cryptocurrency: for many popular currencies, the miner who first solves a computationally expensive proof-of-work puzzle is rewarded with newly issued coins. Simply put, CPU cycles turn into money. Mining itself is legal; criminal cryptomining illegally hijacks other people’s machines to exploit their power and CPU cycles for someone else’s profit. Cryptojacking, the malicious mining of cryptocurrency, is the term for a malicious actor hijacking systems this way, commonly through web servers and web browsers. Mining JavaScript is usually injected into a compromised web server so that when users visit one of its pages, their browsers execute the script and their computers mine for the attacker for as long as the page stays open. Fortunately, this activity can be detected and guarded against, either passively or actively.
Monitor network performance
First, monitor the performance of the systems on your network. End users may notice excessive CPU usage, temperature changes or increased fan speeds and report them to IT. These signs can reveal poorly coded business applications, but they can also indicate hidden malware. A good performance baseline for your systems makes anomalies easier to spot. Performance anomalies alone, however, should not be relied on to identify affected systems: recent incidents have shown attackers throttling their miners’ CPU demand to mask their impact. For example, the Microsoft Digital Defense Report noted that Bismuth, a threat group operating from Vietnam, had targeted private-sector and government institutions in France and Vietnam. “Because cryptocurrency miners are considered lower priority threats by security systems, Bismuth was able to take advantage of its malware’s lower alert profile to slip into systems unnoticed.” As Microsoft states in a blog post, “Bismuth evaded detection by blending in with normal network activity.”
Check logs for unauthorized connections
Detecting such stealthy actors requires monitoring machine behaviour. Examining firewall and proxy logs, for example, can reveal the connections a miner makes to its pool. Ideally you know exactly which Internet addresses company resources are allowed to connect to. If maintaining that is too cumbersome, reviewing firewall logs and blocking the known locations of mining pools is the minimum. A recent Nextron blog post lists the cryptomining pools it has observed activity from. A review of the firewall or DNS server logs can tell you whether your network is affected. When examining the logs, look for hostname patterns including *xmr.*, *pool.com, *pool.org and pool.* to see whether someone or something is misusing the network; expect some false positives from legitimate names that happen to match a wildcard, and verify each hit before acting on it. If the network is very sensitive, limit outbound connections to only the necessary destinations and IP addresses. In the cloud age, that set can be hard to pin down: even the IP addresses used by Microsoft are difficult to track, and the allow list may need adjusting whenever Microsoft adds new ranges for its Azure data centers.
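As an added example (not code from the article, from Nextron or from Microsoft), the script below scans a few constructed DNS-server log lines for the four wildcard patterns above and cross-checks each host against a CPU-usage baseline, so that a miner throttled to stay under the performance threshold, as described in the previous section, still shows up through its pool lookups. The IP addresses, CPU samples, log format and hostnames are all invented; the one legitimate name that matches a wildcard is there to show why every hit needs verifying.

```python
"""Added example (not from the article or from Nextron/Microsoft): correlate a
per-host CPU baseline check with a scan of DNS-server logs for mining-pool
name patterns.  All hosts, CPU samples and log lines below are constructed."""

import fnmatch
import statistics
from collections import defaultdict

# Wildcard patterns named in the article (from Nextron's observed pool names).
# fnmatch reads '*' as "any run of characters", so "*xmr.*" matches any name
# containing "xmr." and "pool.*" matches any name starting with "pool.".
POOL_NAME_PATTERNS = ["*xmr.*", "*pool.com", "*pool.org", "pool.*"]

# Constructed baseline: one CPU-utilisation sample (percent) per minute from a
# quiet workstation.  Real baselines would come from your monitoring system.
BASELINE_CPU = [12, 18, 9, 25, 14, 31, 11, 20, 16, 27, 13, 22, 19, 8, 15]

# Constructed current readings; the comments state what each host is doing.
CURRENT_CPU = {
    "10.1.1.10": 15,   # normal use
    "10.1.1.20": 97,   # unthrottled miner
    "10.1.1.30": 30,   # miner throttled to stay near normal load
    "10.1.1.40": 88,   # unthrottled miner
}

# Constructed DNS-server log lines: "<time> client <ip> query: <name>".
# The hostnames are hypothetical; the last one is a legitimate name that
# happens to match a wildcard.
DNS_LOG = """\
2024-03-04T09:00:01 client 10.1.1.10 query: login.microsoftonline.com
2024-03-04T09:00:05 client 10.1.1.20 query: pool.hashsrv.example
2024-03-04T09:00:09 client 10.1.1.30 query: xmr.mining-pool.example
2024-03-04T09:00:12 client 10.1.1.30 query: update.example.com
2024-03-04T09:00:15 client 10.1.1.40 query: eu.somepool.org
2024-03-04T09:00:20 client 10.1.1.10 query: carpool.org
"""


def matches_pool_pattern(hostname):
    """Return the first pattern the hostname matches, or None.

    Names are lower-cased and a trailing dot stripped before matching, and
    fnmatchcase is used so the result does not depend on the OS."""
    name = hostname.lower().rstrip(".")
    for pattern in POOL_NAME_PATTERNS:
        if fnmatch.fnmatchcase(name, pattern):
            return pattern
    return None


def scan_dns_log(log_text):
    """Map client IP -> [(queried name, matched pattern), ...] for suspicious queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "client" or parts[3] != "query:":
            continue  # not a query line in the expected format
        client, name = parts[2], parts[4]
        pattern = matches_pool_pattern(name)
        if pattern is not None:
            hits[client].append((name, pattern))
    return dict(hits)


def cpu_threshold(baseline_samples, k=3.0):
    """Anomaly threshold: baseline mean plus k sample standard deviations."""
    return statistics.fmean(baseline_samples) + k * statistics.stdev(baseline_samples)


def is_cpu_anomaly(value, baseline_samples, k=3.0):
    """True when a reading sits above the baseline threshold."""
    return value > cpu_threshold(baseline_samples, k)


def correlate(current_cpu, baseline_samples, log_text):
    """Return {host: {"cpu_anomaly": bool, "pool_lookups": [...]}} for every
    host that trips either signal, so each signal can be checked against the other."""
    dns_hits = scan_dns_log(log_text)
    report = {}
    for host in set(current_cpu) | set(dns_hits):
        cpu_flag = host in current_cpu and is_cpu_anomaly(current_cpu[host], baseline_samples)
        lookups = dns_hits.get(host, [])
        if cpu_flag or lookups:
            report[host] = {"cpu_anomaly": cpu_flag, "pool_lookups": lookups}
    return report


if __name__ == "__main__":
    print(f"CPU threshold: {cpu_threshold(BASELINE_CPU):.1f}%")
    for host, info in sorted(correlate(CURRENT_CPU, BASELINE_CPU, DNS_LOG).items()):
        print(host, "cpu_anomaly=%s" % info["cpu_anomaly"], info["pool_lookups"])
```

Run as-is, the throttled host 10.1.1.30 stays below the CPU threshold and is reported only because of its lookup of a name matching *xmr.*, while 10.1.1.10 appears solely because carpool.org matches *pool.org; the first is the case the performance baseline misses, the second is the false positive a wildcard list will produce. Swap the constructed log for a real BIND, Windows DNS or proxy export and adjust the field positions in scan_dns_log accordingly.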
Use browser extensions to block cryptomining
Some browser extensions can detect and block in-browser miners. No Coin and MinerBlock, for example, watch for mining scripts and block them, and both are available for Chrome, Opera and Firefox. You can also block JavaScript execution in the browser altogether, which prevents malicious scripts from being delivered through advertising banners and other website manipulation techniques. But blocking JavaScript is not always an option, as it breaks some websites needed for business use.
Consider Edge’s Super Duper Secure Mode
Edge is currently testing what Microsoft calls Super Duper Secure Mode. It hardens the browser by disabling Just-in-Time (JIT) compilation in the V8 JavaScript engine. According to Microsoft, bugs in the JavaScript engines of modern browsers are among the most common attack vectors: CVE data from 2019 shows that roughly 45% of the vulnerabilities recorded for V8 were related to the JIT. Disabling JIT has a performance cost, and testing by the Microsoft Browser Vulnerability Research team found some regressions; JavaScript benchmarks such as Speedometer 2.0 showed drops of up to 58%. Microsoft says, however, that this benchmark “only partially captures a larger phenomenon” and that users rarely notice a difference in their day-to-day use.
Consider cryptomining from the perspective of both external and internal threats. A corporate network, or for a managed service provider its customers’ networks, can be very tempting to internal users as a place to mine cryptocurrency; it’s an opportunity some won’t want to pass up. In any case, reviewing all of these options lets the business proactively protect itself against potential attacks.