Avoiding crypto mining
In light of recent news surrounding the Starbucks wi-fi hijack and the surge in interest in cryptocurrencies, particularly Bitcoin, it is worth looking at how your business can put best practice in place to avoid crypto mining malware: software that mines cryptocurrency on your systems without authorisation. Doing so might just save your company some valuable resource.
What is cryptocurrency
“Cryptocurrency is a form of digital money that is designed to be secure and, in many cases, anonymous.” ¹
There are now nearly 1500* different cryptocurrencies on the market and the trend shows no sign of stopping. With widespread global news coverage and the spike in the value of Bitcoin (to date, 18-JAN-18, 1 bitcoin is worth around 12,000 US Dollars), the digital currency is growing in popularity and more people want to mine their own. However, Bitcoin launched in 2009 and its mining difficulty has risen ever since, so the chances of a hobbyist mining 1 Bitcoin today are slim to none.
Bitcoin still remains the largest and most well-known cryptocurrency, but there are others which you might have heard of, including:
Although their values are lower than Bitcoin's, they are still gaining momentum, as the following screenshot highlights.
² Source: https://coinmarketcap.com | The most popular cryptocurrencies as of – 18-JAN-18, 16:00 GMT.
What is crypto mining
Miners bundle pending transactions into a candidate block and then spend computing power searching for a value (the nonce) that makes the block's cryptographic hash fall below a target set by the network. The first miner to find one gets the block added to the blockchain and is rewarded with units of the cryptocurrency. It isn't as simple as it sounds: the network adjusts the target as more computing power joins, so the hash search gets harder over time.
“For context, the Bitcoin network processes 5.5 quintillion hashes per second. Unless you have equipment that can process a vast number of calculations in a very short space of time, your odds of competing with large mining operations are infinitesimally small.” ³
Miners have unlimited tries at finding a qualifying hash, but whoever finds one first wins the block, so the miner with the most hashing power has the best chance of being rewarded with cryptocurrency.
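To make the hash search concrete, here is an added example (not from the original article) of the proof-of-work loop in Python: a toy miner that brute-forces the 4-byte nonce of a Bitcoin-style block header until the double-SHA-256 hash, read as a little-endian integer, falls below a target. The 76-byte header prefix is a constructed stand-in rather than real chain data, the difficulty is expressed as a number of leading zero bits instead of Bitcoin's compact "bits" encoding, and the function names are mine. The point it shows is that every extra bit of difficulty doubles the expected number of attempts, which is why a laptop cannot compete with a network doing 5.5 quintillion hashes per second.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(zero_bits: int) -> int:
    """Toy difficulty: a valid hash, read as a 256-bit integer, must be below this."""
    return 1 << (256 - zero_bits)


def block_hash(header_prefix: bytes, nonce: int) -> int:
    # The nonce is the last 4 bytes of an 80-byte Bitcoin header, little-endian,
    # and the resulting hash is compared as a little-endian integer, as Bitcoin does.
    digest = sha256d(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(digest, "little")


def verify(header_prefix: bytes, nonce: int, zero_bits: int) -> bool:
    """Anyone can check a claimed solution with a single hash; finding it is the work."""
    return block_hash(header_prefix, nonce) < target_for(zero_bits)


def mine(header_prefix: bytes, zero_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces until the hash is under target.

    Returns (nonce, attempts) or None if the nonce space is exhausted
    (a real miner would then change the header, e.g. the timestamp, and retry).
    """
    target = target_for(zero_bits)
    for nonce in range(max_nonce):
        if block_hash(header_prefix, nonce) < target:
            return nonce, nonce + 1
    return None


def expected_attempts(zero_bits: int) -> int:
    """Each hash is a fair coin toss per bit, so each extra bit doubles the expected work."""
    return 1 << zero_bits


# Constructed header prefix (version, previous block hash, merkle root, time, bits)
# standing in for a real block header; these are not real chain values.
HEADER_PREFIX = b"\x01\x00\x00\x00" + b"\x00" * 32 + b"\xaa" * 32 + b"\x00" * 8

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, attempts = mine(HEADER_PREFIX, bits)
        print(f"{bits} zero bits: nonce={nonce} attempts={attempts} "
              f"expected~{expected_attempts(bits)}")
```

Running it at 16 zero bits already takes tens of thousands of hashes in pure Python; Bitcoin's real target in early 2018 required on the order of 70 leading zero bits, which is the gap between a hobbyist's laptop and the ASIC farms the quote above refers to.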
Although the chances of mining Bitcoin are slim, as mentioned earlier there are nearly 1500 other cryptocurrencies in circulation, and some of them are of interest to cybercriminals, such as those who hijacked Starbucks' wi-fi. In that case, the hijackers injected a mining script into the public wi-fi's landing page; the script ran in the browser of any laptop that connected, using its CPU to mine Monero without the user knowing. Monero is deliberately designed to be mined on ordinary CPUs rather than specialised hardware, which is why it is the coin of choice for browser-based and malware miners. Read the full story here.
Any type of malware has negative implications, but crypto mining in particular can easily go unnoticed and therefore run unchecked. So it is important to be observant and aware of best practice to avoid this type of scenario.
Crypto mining installed as malware
Crypto mining malware comes with the usual problems of malicious software: system instability, data loss, slowed performance and file abnormalities. This particular malware also adds excessive CPU usage, which means slower execution of existing workloads, higher electricity costs and extra wear and tear on hardware. Keeping this malware out of a network or computer system is largely a matter of up-to-date anti-virus software and a secured network; but a rogue employee or third-party contractor who installs a miner using legitimate access is harder to detect.
How to avoid crypto mining
The first step is to ensure that proper incremental backups are taken, as comparing successive snapshots will pinpoint the window in which the miner was added and started operating. Cristie's Hot Standby server replication software is well suited to this because of its continuous automated snapshots: it not only narrows down when the malicious activity began, but also provides a known-good version to roll back to from before the malicious injection.
Next be observant. Look for patterns.
An employee attempting to hide their activities will try one of several levels of concealment:
1. Naïve – runs the miner in full without any attempt to mask operations
2. Limited – slightly more careful: limits the amount of CPU the miner may use, but leaves it running continuously
3. Renamed – the cybercriminal deliberately gives the miner the name of a legitimate process and runs it under a different user, so it blends into the background hum and doesn't look suspicious
This is what it would look like:
The background hum in this case is a Java application. Java is a good target to hide behind as it can be quite inefficient and easily produces a steady background load of up to 10%.
Once the mining process is renamed it can be indistinguishable from Java:
4. Adaptive – runs the miner and limits it to a fixed percentage of whatever another process is using, so its load rises and falls with that process
Good monitoring software will alert on the first case and most likely the second. The third and fourth cases are difficult to spot without long-term analysis of process trends: for example, comparing a process's name with the path of the executable behind it, or looking for a process whose CPU curve moves in step with another process's.
In order to prevent the third and fourth cases you would need to limit employees' access to critical machines; but additional restrictions can slow processes down. A respectable company should have a sufficient level of trust that employees capable of hiding activity like the examples above are unlikely to do so. However, as crypto mining becomes more widespread and tools that hide actions like (3) or (4) are freely available, businesses need to be wary, as these miners can be easily installed by anyone who has access.
The first option, then, is limiting access to systems; but introducing red tape slows processes down for potentially little benefit. You could also keep an audit log and periodically (or automatically) check it for anomalies, but this again takes time.
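As an added example (not part of the original article) of the kind of trend analysis that cases 3 and 4 above require, and of the automated anomaly check the audit-log suggestion describes, the Python below runs four checks over a constructed set of per-process CPU samples: a pegged CPU (naïve), a CPU that never drops below a floor (limited), a process whose name matches a trusted binary but whose executable lives outside an allow-list of paths (renamed), and a process whose CPU curve tracks another process's (adaptive). The sample data, the allow-list of trusted paths, the thresholds and the function names are all assumptions chosen for illustration, not real telemetry or a product's logic.

```python
import os
from math import sqrt
from statistics import mean

# Constructed sample telemetry: five one-minute CPU% samples per process, as a
# monitoring agent might record them. Values are invented to mirror the four
# hiding strategies discussed above; they are not real measurements.
SAMPLES = [
    # (pid, user, comm, exe, cpu% per sample)
    (1001, "app", "java", "/usr/lib/jvm/java-8/bin/java", [12, 6, 14, 8, 10]),   # legitimate JVM
    (1002, "postgres", "postgres", "/usr/bin/postgres", [2, 4, 3, 3, 2]),        # legitimate DB
    (2001, "bob", "xmrig", "/home/bob/xmrig", [98, 97, 99, 98, 97]),             # 1. naive
    (2002, "bob", "minerd", "/home/bob/minerd", [25, 25, 24, 25, 25]),           # 2. limited
    (2003, "java", "java", "/tmp/.cache/java", [9, 8, 9, 9, 9]),                 # 3. renamed
    (2004, "app", "gc-helper", "/opt/app/bin/gc-helper", [6, 3, 7, 4, 5]),       # 4. adaptive: 50% of pid 1001
]

# Assumed allow-list: directories from which legitimate binaries are expected to run.
TRUSTED_PREFIXES = ("/usr/lib/jvm/", "/usr/bin/", "/usr/sbin/", "/opt/app/")


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def detect_miners(samples, sustained_cpu=15.0, pegged_cpu=80.0, corr_threshold=0.95):
    """Return {pid: [reasons]} for processes matching one of the four patterns."""
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    # Names of processes that run from trusted locations; a miner "renamed" to
    # one of these but launched from elsewhere is the masquerade case.
    trusted_names = {comm for _, _, comm, exe, _ in samples if exe.startswith(TRUSTED_PREFIXES)}

    for pid, user, comm, exe, cpu in samples:
        if mean(cpu) >= pegged_cpu:
            flag(pid, "pegged-cpu")            # 1. naive: runs flat out
        elif min(cpu) >= sustained_cpu:
            flag(pid, "sustained-cpu")         # 2. limited: throttled but never idle
        if not exe.startswith(TRUSTED_PREFIXES):
            flag(pid, "untrusted-exe")
            if comm in trusted_names:
                flag(pid, "masquerade:" + comm)  # 3. renamed: called "java", is not the JVM

    # 4. adaptive: a miner pinned to a fraction of another process has a CPU curve
    # that is a scaled copy of its host's, so the two correlate almost perfectly.
    # The lower-load member of such a pair is the shadow.
    for i, (pid_a, _, _, _, cpu_a) in enumerate(samples):
        for pid_b, _, _, _, cpu_b in samples[i + 1:]:
            if pearson(cpu_a, cpu_b) >= corr_threshold:
                shadow, host = (pid_a, pid_b) if mean(cpu_a) < mean(cpu_b) else (pid_b, pid_a)
                flag(shadow, f"tracks-pid-{host}")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(detect_miners(SAMPLES).items()):
        print(pid, ", ".join(reasons))
```

Five samples are enough to show the idea but not to act on; in practice the correlation check needs a window of hours or days, and genuine helper processes (a JVM's own garbage-collection threads, for instance) will also track their parent, so treat the output as leads for an analyst rather than verdicts.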
Use hardware unsuitable for crypto mining
A second option is to use hardware unsuitable for mining cryptocurrency. Cryptocurrency miners are generally written by hobbyists with access to general-purpose machines. Intel Core i7 and Nvidia GPU systems suit their purposes: the Core i7 provides cryptographic primitives on-chip and the Nvidia GPU has CUDA, which performs SIMD calculations very quickly. These machines are cheap ($1000 or less) but offer fewer than 10 CPU threads.
A PowerPC machine with equivalent cryptographic primitives and SIMD instructions would need a POWER8 processor and cost upwards of $8000. It could, however, easily run 80 CPU threads, so on paper it would be an attractive target for miners.
That being said, because miner authors rarely have access to these machines, ready-made mining software for them is scarce. This makes such machines powerful for business purposes but an unlikely target for miners, whether internal or external. Bear in mind that this is a barrier rather than a guarantee: the popular open-source CPU miners are portable C and C++ and can be rebuilt for another architecture by a determined attacker, so the monitoring described above still applies.
The work required to run standard software stacks on PowerPC has already been done; OpenSSL and Crypto++ already support PowerPC. Mining software, however, does not use these libraries: for speed it relies on its own hand-tuned hashing code written for x86 and CUDA, which would have to be rewritten from scratch for PowerPC, a significant barrier to entry. This makes such hardware a good choice for avoiding crypto mining.
With the practice of crypto mining becoming more widespread and general news highlighting the rise in its monetary value, people are going to look for ways to get involved. Although at this late stage it is much more difficult to mine, and it could be argued whether it is worth the effort when groups of miners operate on an industrial scale that hobbyists cannot compete with, it is still worth businesses being mindful, as malware is an ever-present issue.
If you follow best practice and put in place the correct steps and visibility to avoid crypto mining, your business can keep on top of this activity, especially with a reputable backup to roll back to in case a system is infected. Cristie's BMR solutions can do just this.
We expect to see more news stories throughout the year regarding cryptocurrencies and crypto mining, and who knows just how much the Bitcoin value will rise.
Think your business might have been affected?
If you have any questions or would like to speak to an expert on how our software can help, please contact us here.
Useful resources and other information