We’re actually at the point now where Bitcoin mining centres have become the majority of the network.
decrypting myths
surreptitious cryptomining). Or where an employee inadvertently downloads free software that might not disclose that it performs cryptomining on the back-end. There are video streaming sites and file sharing networks that have allegedly been cryptojacking users’ computers (as has a free Wi-Fi provider in an Argentinian Starbucks)
• The rationalising insider: Here, an individual downloads small-scale cryptomining or cryptojacking software they intend to run when their machine is idle. This miner rationalises that it’s ok to use their machine to generate money when it’s not in use
• The malicious outsider: Similar to a DDoS attack, which uses a server or service vulnerability, a hacker can hijack an entire connected infrastructure to develop a distributed cryptomining operation. Since not a lot of traffic is generated, and servers in data centres are expected to have a fairly high load, these hijacks may go unnoticed for a long period of time
Can you share some examples of cryptojacking in action?
After its utility bill skyrocketed over 40%, a Florida Department of Citrus (FDC) employee was arrested in March for allegedly using its computers to mine cryptocurrencies. The employee also allegedly used department funds to purchase 24 graphics processing units (GPUs) totalling nearly US$22,000.
GPUs are often used for cryptomining because they can crunch numbers faster than systems using conventional CPU chips. It happened recently to Tesla too, after a Kubernetes console was left unprotected. The risk here is not of data theft but of IT downtime, hardware burn-out, productivity losses and rising energy bills.
We know that cryptomining can use a tremendous amount of energy. But how much of your organisation’s power could cryptominers potentially be using and how much would it cost?
The answer is difficult because it depends on many variables. Determining how many machines are being utilised is a start. However, not all machines consume the same amount of power, which depends on the type and number of CPUs and whether they are using GPUs. It also depends on how often and how intensively they are being used.
Add in the cooling costs and it’s a complicated equation. The best thing organisations can do is look for anomalies in their bills and, if seen, start looking for suspicious activity.
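To make the variables in that answer concrete, here is an added example (not code from the article or its interviewee) that models each machine’s draw as a linear function of utilisation between its idle and peak wattage, counts GPUs separately, folds cooling in as a data-centre PUE factor, and charges only the draw above the host’s normal baseline to the suspected miner. Every host name, wattage, utilisation figure, PUE and tariff below is constructed for illustration.

```python
"""Marginal power cost of unexpected load on a fleet.

Added example, not from the original article. Draw is modelled as a linear
interpolation between each machine's idle and peak wattage (CPU and GPU
terms separately), scaled by a PUE factor to account for cooling, and only
the draw above the host's normal baseline is charged to the suspected
miner. All hosts, wattages, utilisations and the tariff are constructed.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    cpu_idle_w: float
    cpu_peak_w: float
    gpu_count: int = 0
    gpu_idle_w: float = 0.0   # per GPU
    gpu_peak_w: float = 0.0   # per GPU


def draw_watts(host, cpu_util, gpu_util=0.0):
    """Instantaneous draw in watts at the given utilisations (0.0 to 1.0)."""
    cpu = host.cpu_idle_w + (host.cpu_peak_w - host.cpu_idle_w) * cpu_util
    gpu = host.gpu_count * (host.gpu_idle_w
                            + (host.gpu_peak_w - host.gpu_idle_w) * gpu_util)
    return cpu + gpu


def excess_cost(hosts, baseline, observed, hours, tariff_per_kwh, pue=1.5):
    """Energy (kWh) and cost attributable to load above baseline.

    baseline / observed map host name -> (cpu_util, gpu_util) averaged over
    the period. PUE (total facility power / IT power) folds in cooling:
    1.0 would mean no overhead; 1.5 is a constructed, mid-range value.
    """
    excess_w = 0.0
    for h in hosts:
        normal = draw_watts(h, *baseline[h.name])
        actual = draw_watts(h, *observed[h.name])
        excess_w += max(actual - normal, 0.0)  # lower-than-normal is not credited
    kwh = excess_w * pue * hours / 1000.0
    return kwh, kwh * tariff_per_kwh


# Constructed fleet: a CPU-only web server and a workstation with two GPUs.
FLEET = [
    Host("web01", cpu_idle_w=100, cpu_peak_w=300),
    Host("ws07", cpu_idle_w=60, cpu_peak_w=200,
         gpu_count=2, gpu_idle_w=20, gpu_peak_w=220),
]
BASELINE = {"web01": (0.20, 0.0), "ws07": (0.10, 0.05)}   # a normal month
OBSERVED = {"web01": (0.95, 0.0), "ws07": (0.90, 1.00)}   # month under suspicion


def run_example(hours=720, tariff=0.15):
    """One 30-day month (720 h) at a constructed tariff of 0.15 per kWh."""
    return excess_cost(FLEET, BASELINE, OBSERVED, hours, tariff)


if __name__ == "__main__":
    kwh, cost = run_example()
    print(f"excess energy: {kwh:.1f} kWh, excess cost: {cost:.2f}")
```

The inventory of hosts and their idle/peak figures is the hard part in practice; vendor power calculators or a metered PDU give those numbers, and the utilisation averages come from the same monitoring that the detection below relies on. Note that the model deliberately ignores a host that is quieter than its baseline rather than netting it off, since the question is what the miner is costing, not the fleet’s total bill.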
What should you look for?
Cryptomining creates a significant deviation in pattern and velocity. Look for a sudden change in capacity or use, as well as for an abnormal executable. For example, consider the sudden night-time appearance of an odd executable in an environment that usually only runs EXCHANGE.EXE or NTDS.EXE. This should be flagged as abnormal. Or, consider a machine, ordinarily only operating during daytime hours, that is suddenly running 24×7.
A few straightforward ways to detect such irregular behaviour are to learn what sort of processes and connections servers with outbound access create (to connect to mining pools, etc.) and to model their normal behaviour.
The same goes for server capacity and utilisation. In a production environment, there are certain benchmarks that IT performs to ensure proper service is maintained – deviation from these benchmarks may be an indicator of capacity abuse. An emerging technology called entity analytics can automate detection by baselining normal machine behaviour and highlighting the anomalies.
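The baselining approach described in this answer, as an added example that is not code from the article or its interviewee: per host it learns from a training window which executables run, which outbound destinations they talk to, the span of hours the host is active and its normal CPU load, then flags events in a later window that deviate (a new image, a new destination, off-hours activity on a host that is normally idle overnight, CPU far above baseline). The log lines, their format, the host and process names and the list of stratum ports are all constructed or assumed for illustration; the port list in particular is a heuristic, since pools can listen on any port.

```python
"""Baseline-and-deviation detection for cryptojacking indicators.

Added example for this article, not code from the original. Per host it
learns what is normal from a baseline window (executables seen, outbound
destinations, hours of activity, CPU load) and flags deviations in a later
window. Log lines and their format are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed telemetry. Assumed format: "<ISO ts> <host> <kind> <f1> <f2>"
#   kind=proc: f1 = image name,            f2 = CPU percent at sample time
#   kind=conn: f1 = destination host:port, f2 = image that opened it
BASELINE = """
2018-03-01T09:00 web01 proc w3wp.exe 35
2018-03-01T13:00 web01 proc w3wp.exe 42
2018-03-01T17:00 web01 proc w3wp.exe 38
2018-03-01T09:05 web01 conn crm.corp.example:443 w3wp.exe
2018-03-02T09:00 web01 proc w3wp.exe 40
2018-03-02T14:00 web01 proc w3wp.exe 31
2018-03-02T14:05 web01 conn crm.corp.example:443 w3wp.exe
2018-03-01T09:00 dc01 proc NTDS.EXE 12
2018-03-01T23:00 dc01 proc NTDS.EXE 10
2018-03-02T03:00 dc01 proc NTDS.EXE 11
2018-03-02T15:00 dc01 proc NTDS.EXE 14
"""

OBSERVED = """
2018-03-10T02:00 web01 proc xmrig.exe 97
2018-03-10T02:01 web01 conn pool.example.net:3333 xmrig.exe
2018-03-10T10:00 web01 proc w3wp.exe 39
2018-03-10T10:02 web01 conn crm.corp.example:443 w3wp.exe
2018-03-10T04:00 dc01 proc NTDS.EXE 12
"""

# Ports commonly used by stratum mining pools. Assumption: a heuristic list,
# not exhaustive; pools can listen on any port, including 443.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, f1, f2 = line.split()
        events.append({"ts": ts, "hour": int(ts[11:13]), "host": host,
                       "kind": kind, "f1": f1, "f2": f2})
    return events


def learn_baseline(events):
    """Per host: executables, destinations, active hours and CPU samples."""
    base = defaultdict(lambda: {"exes": set(), "dests": set(),
                                "hours": set(), "cpu": []})
    for e in events:
        b = base[e["host"]]
        b["hours"].add(e["hour"])
        if e["kind"] == "proc":
            b["exes"].add(e["f1"].lower())
            b["cpu"].append(float(e["f2"]))
        else:
            b["dests"].add(e["f1"])
            b["exes"].add(e["f2"].lower())
    return base


def detect(base, events, cpu_sigmas=3.0):
    """Return one alert per event that deviates from its host's baseline."""
    alerts = []
    for e in events:
        image = (e["f1"] if e["kind"] == "proc" else e["f2"]).lower()
        b = base.get(e["host"])
        if b is None:
            alerts.append({"ts": e["ts"], "host": e["host"], "image": image,
                           "reasons": ["host not in baseline"]})
            continue
        reasons = []
        # Simplification: the span [earliest, latest] baseline hour is the
        # host's normal window, so a host seen around the clock never trips it.
        if not (min(b["hours"]) <= e["hour"] <= max(b["hours"])):
            reasons.append("off-hours activity")
        if image not in b["exes"]:
            reasons.append("new executable")
        if e["kind"] == "proc":
            sd = statistics.stdev(b["cpu"]) if len(b["cpu"]) > 1 else 0.0
            if float(e["f2"]) > statistics.mean(b["cpu"]) + cpu_sigmas * sd:
                reasons.append("cpu above baseline")
        else:
            if e["f1"] not in b["dests"]:
                reasons.append("new destination")
            if int(e["f1"].rsplit(":", 1)[1]) in STRATUM_PORTS:
                reasons.append("common stratum port")
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"], "image": image,
                           "reasons": reasons})
    return alerts


def run_example():
    return detect(learn_baseline(parse(BASELINE)), parse(OBSERVED))


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"], a["host"], a["image"], ", ".join(a["reasons"]))
```

Run against the constructed data, only the two night-time web01 events are raised: the daytime w3wp.exe samples and the domain controller’s 04:00 sample (which runs around the clock in its baseline, so a small-hours sample is normal for it) produce nothing. The CPU test uses a mean-plus-three-standard-deviations threshold, which is the simplest form of the capacity benchmark the answer describes; a real deployment would baseline per hour of day and per weekday rather than a single window, and would treat a single indicator as a lead to be checked rather than a verdict.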
With the value of cryptocurrency increasing, and the less power intensive currencies still nascent, malicious actors appropriating machines for profit will most likely be around for a while.
www.intelligentciso.com | Issue 06