If the current threat landscape wasn’t enough to keep you up at night, you can now add cryptojacking attacks to the list. According to NTT’s 2021 Global Threat Intelligence Report, 41% of all malware detected was coin miners. It should come as no surprise that this percentage is so high, or that we’re seeing an upward trend in this malware alongside the current surges in bitcoin value. We’ve put together some tips on how you can protect your network from cryptojacking attacks and what to look out for.
Cryptojacking: A Quick Primer
We start with a quick primer on what cryptojacking is. In short, it’s the unauthorized use of someone’s computer to mine cryptocurrency. Cryptojacking on your network could be caused by internal employees or by compromised machines, which are typically infected via phishing, malware or JavaScript. Regardless of how it happens, it can eat up a lot of resources, including:
- CPU on existing machines
- Energy
- VPC cycles
- Employee time
Cryptojacking is becoming increasingly rampant. The reason is that it doesn’t require a specialized skill set, and bad actors can remain anonymous. Additionally, detection capabilities are not yet widely available except with Netography (more on that later). Employees also have extensive knowledge of infrastructure and an intimate familiarity with when staffing levels are low. Policing cloud usage is not always practiced in most organizations, and small fluctuations in bills from month to month don’t always raise red flags. The last reason we are seeing this attack vector grow is the lucrative opportunity that mining bitcoin presents.
What To Look For:
As we mentioned above, one way threat actors are able to go unnoticed is by exploiting resources without being detected. It’s wise to keep an eye on your power bill and investigate spikes that may correlate with traffic on your network. Monitoring CPU spikes and VPC metrics is also key to detecting potential signs of abuse. Lastly, as a best practice, apply patches and updates as soon as they are released.
How Do You Protect Your Network?
Other than the obvious, give us a call 🙂 … a variety of different methods can be utilized. One is blocking the DNS names used to locate seed nodes and join the network. If you are a DNS operator, you can monitor for the DNS queries listed below, or block the seed DNS list with a service like OpenDNS/Cisco Umbrella or through your own DDI solution. NOTE: This does not stop clients that use hardcoded seed IP addresses.
https://github.com/bitcoin/bitcoin/blob/master/src/chainparams.cpp
vSeeds.emplace_back("seed.bitcoin.sipa.be"); // Pieter Wuille, only supports x1, x5, x9, and xd
vSeeds.emplace_back("dnsseed.bluematt.me"); // Matt Corallo, only supports x9
vSeeds.emplace_back("dnsseed.bitcoin.dashjr.org"); // Luke Dashjr
vSeeds.emplace_back("seed.bitcoinstats.com"); // Christian Decker, supports x1 - xf
vSeeds.emplace_back("seed.bitcoin.jonasschnelli.ch"); // Jonas Schnelli, only supports x1, x5, x9, and xd
vSeeds.emplace_back("seed.btc.petertodd.org"); // Peter Todd, only supports x1, x5, x9, and xd
vSeeds.emplace_back("seed.bitcoin.sprovoost.nl"); // Sjors Provoost
vSeeds.emplace_back("dnsseed.emzy.de"); // Stephan Oeste
vSeeds.emplace_back("seed.bitcoin.wiz.biz"); // Jason Maurice
Additionally, deploy an NDR, firewalls and ACLs, and monitor the following common cryptocurrency destination ports (TCP):
- Bitcoin: 8333
- Litecoin: 9333
- Dash: 9999
- Dogecoin: 22556
- Bitcoin Testnet: 18333
- Ethereum: 30303
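As an added example (not code from the original post or from Netography), here is a small Python script that applies the two checks above to DNS query logs and flow records: it flags internal hosts resolving the Bitcoin Core seed names from chainparams.cpp, and hosts making outbound TCP connections to the listed coin ports. The seed names are commonly queried with a service-bit prefix such as x9., so the DNS check also matches subdomains; the log formats, IP addresses and sample records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Bitcoin Core DNS seed names from the chainparams.cpp excerpt above.
SEED_DOMAINS = {"seed.bitcoin.sipa.be", "dnsseed.bluematt.me",
                "dnsseed.bitcoin.dashjr.org", "seed.bitcoinstats.com",
                "seed.bitcoin.jonasschnelli.ch", "seed.btc.petertodd.org",
                "seed.bitcoin.sprovoost.nl", "dnsseed.emzy.de", "seed.bitcoin.wiz.biz"}
# Common cryptocurrency P2P destination ports (TCP) from the list above.
COIN_PORTS = {8333: "Bitcoin", 9333: "Litecoin", 9999: "Dash",
              22556: "Dogecoin", 18333: "Bitcoin Testnet", 30303: "Ethereum"}

def _kv(line):
    """Parse a constructed 'ts key=value key=value ...' log line into a dict."""
    return dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)

def dns_hits(lines):
    """Map client IP -> list of queried seed names (exact match or subdomain)."""
    hits = defaultdict(list)
    for f in map(_kv, lines):
        name = f.get("query", "").rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in SEED_DOMAINS):
            hits[f["client"]].append(name)
    return dict(hits)

def flow_hits(lines, internal_net):
    """Map internal source IP -> set of (dst, coin) for outbound TCP flows to a
    listed coin port; inbound probes of those ports and non-TCP flows are ignored."""
    net = ipaddress.ip_network(internal_net)
    hits = defaultdict(set)
    for f in map(_kv, lines):
        port = int(f.get("dport", 0))
        if f.get("proto", "").lower() == "tcp" and port in COIN_PORTS:
            src = ipaddress.ip_address(f["src"])
            if src in net:  # only flows originating inside our network
                hits[str(src)].add((f["dst"], COIN_PORTS[port]))
    return dict(hits)

# Constructed sample records; not from any real network.
DNS_LOG = [
    "2021-06-01T10:00:01Z client=10.0.5.23 query=seed.bitcoin.sipa.be.",
    "2021-06-01T10:00:02Z client=10.0.5.23 query=x9.dnsseed.emzy.de",
    "2021-06-01T10:00:03Z client=10.0.7.9 query=www.example.com",
]
FLOW_LOG = [
    "2021-06-01T10:01:00Z proto=tcp src=10.0.5.23 dst=203.0.113.10 dport=8333",
    "2021-06-01T10:01:05Z proto=tcp src=10.0.7.9 dst=203.0.113.11 dport=443",
    "2021-06-01T10:01:09Z proto=udp src=10.0.5.23 dst=203.0.113.12 dport=30303",
    "2021-06-01T10:01:12Z proto=tcp src=198.51.100.4 dst=10.0.5.23 dport=8333",
]
```

Running `dns_hits(DNS_LOG)` and `flow_hits(FLOW_LOG, "10.0.0.0/8")` flags only 10.0.5.23; a host that shows up in both results is a stronger signal than either alone.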
How Can Netography Help?
Netography detects and remediates threats in real time. We’ve recently added threat detection models for cryptojacking as a result of our investigation into our client base. Our clients benefit from our SaaS model by having it automatically added to their deployments and run in the background. With Netography, it’s easy to stay ahead of advanced threats, gain complete visibility into your environment, and effectively block global threats in real time with little effort to deploy. If you’d like to explore how Netography can help your organization, contact us today.