Five Ways to Catch Crypto-Miners on Your Network
The explosion in the price of cryptocurrencies created a lot of winners and, more recently, losers after values suddenly crashed.
One way many hedge their bets is through crypto mining, where servers and even end-user laptops are put to work processing the transactions that are fundamental to the blockchain.
If you have end users performing crypto mining at work, they are chewing up resources and creating an attack surface.
The SANS Institute published a white paper, Detecting Crypto Currency Mining in Corporate Environments, packed with actionable advice.
“In order to perform mining one needs to install a client that calculates the blocks and that has access to the Internet. The tools and applications used for mining are not properly built, making them not trustworthy. The tools and applications may have vulnerabilities that can be exploited, or have backdoors implemented by the creators. Deploying these applications and tools in corporate environment could potentially lead to serious impacts on the confidentiality, integrity, and availability of the corporate environment. What is also worrying is that the user who sets up the mining does this to earn money at the expense of the corporate environment. As such, the user may intentionally bypass corporate security settings,” the SANS whitepaper explained.
I first came upon this issue from a discussion on Reddit where sysadmins shared their experiences and advice.
“We have recently had problems with employees at companies we manage loading crypto miners on their work computers. We have blocked the .exe for the programs we know like LiteCoin Miner and a few others, but do any of you have a better solution for sniffing these out?” one admin asked. There was no shortage of tips.
1. Port Blocking
One key protection is to block ports that the mining application use. “Block all ports except the needed ones from the firewall, don't give the users local admin,” one admin suggested.
2. App Blocking
You can also block apps, as the first user advised. “There are application white list and blacklist software so you can segment what can be installed and what you can run as admin,” another user advised.
Another user dug a little deeper. “You can take a look at Software Restriction Policies, and basically block any application from running that is not installed/managed by the admins.
Otherwise you can just monitor the resources of the computer to get a hint of unusually high CPU/GPU load,” one IT pro advised.
Microsoft AppLocker got a lot of praise in this department. “AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved applications,” Microsoft explained.
One user sang the solution’s praises. “AppLocker is a wonderful thing. Not only is it a great line of defense for malware and viruses, but it also helps with things like miners and other software you just generally don't want running on your machines,” an AppLocker fan said. “Spend a couple hours learning AppLocker. A few more developing some test GPs and piloting. Depending on the size and type of the org, you could have it rolled out within 2 weeks and be protecting your org from a multitude of attacks.”
3. Anti-Virus
Anti-virus is a key component of any security strategy, and is a must for stopping crypto-miners. “I work at an MSP and our AV solution catches Bitcoin miners before they run, or if they are running it will crash it and delete the executables,” one user said. “We also have monitors for CPU utilization so if it spikes for more than an hour after-hours, when the end-user is most likely to mine so they don't pull from their own resources while working, we will get tickets.”
This user also blocks apps. “We have application compliance settings in place that monitor all installed and running applications on every computer and server within our environment; if it isn't on the approved list it gets flagged and a ticket generates.”
AV is not a perfect defense. “Traditional AV will block a lot of mining software but not all of it. There is a pretty good chance this would be picked up by the AV/monitoring as a security event even if it was not blocked,” one user said. “On all of the servers we monitor CPU use, if it was at 100% for more than an hour the NOC would look into it.”
SANS agrees that AV is an important but far from perfect defense. “It is very important to keep all anti-virus and anti-malware software up to date. Some mining applications will be detected by anti-virus software, but that is not the case for all applications that are being developed for mining,” SANS said.
Limiting privileges is also critical. “Host-based administrative privileges should be limited as much as possible. If a user does not require administrative privileges, he or she should not be given this access. By limiting access, users will not be able to install (unauthorized) software and will not be able to perform mining. However, a user can bypass this limitation by performing a privilege escalation attack,” SANS said.
4. DNS Protection
The SANS Institute suggests an in-depth approach. “Protecting from and detecting crypto currency mining has to be done throughout all layers of the environment,” the group argued. DNS blocking can be key to stopping crypto miners before they launch. “Inspecting IP addresses and DNS requests may provide clues; however, it is important to note that DNS requests are done only at the beginning of a mining session. Based on the examined network mining applications, the communication between the clients and server occurs cyclically, often between 30-100 seconds. The first thing that occurs is a DNS request followed by TCP communication,” SANS said.
Blocking domains is something smart IT pros do these days. “We block newly seen domains. This prevents most types of malware because the software either will not install at all, or will not run if it cannot reach their constantly changing domain. Really this is a huge help not just for crypto mining,” one Reddit reader said.
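The pattern SANS describes, one DNS lookup followed by a TCP exchange every 30-100 seconds, can be picked out of ordinary connection logs by correlating the lookup with the cycle. The Python below is an added example, not code from the SANS paper, the Reddit thread or Pulseway: the key=value log format, the addresses (RFC 5737 ranges), the pool name, the port, the minimum connection count and the jitter tolerance are all constructed assumptions; only the 30-100 second band comes from the paper.

```python
"""Added example: spotting the cyclic pool check-ins SANS describes.

A miner resolves its pool once, then talks to it over TCP on a fixed cycle
(SANS observed 30-100 s between exchanges).  Browsing and most business
traffic is bursty; a flow with evenly spaced connections in that band,
whose destination was resolved by a single earlier DNS lookup, is worth a
look.  The log lines and the key=value format are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

CONN = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
DNS = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<name>\S+) answer=(?P<ip>\S+)$")


def parse(lines):
    """Group connection timestamps by (src, dst, dport) and remember which
    name each client resolved to which address."""
    flows, resolved = defaultdict(list), {}
    for line in lines:
        m = CONN.match(line)
        if m:
            key = (m["src"], m["dst"], int(m["dport"]))
            flows[key].append(datetime.fromisoformat(m["ts"]))
            continue
        m = DNS.match(line)
        if m:
            resolved[(m["src"], m["ip"])] = m["name"]
    return flows, resolved


def periodic_flows(flows, resolved, lo=30.0, hi=100.0, min_conns=5, max_jitter=0.15):
    """Flows with at least `min_conns` connections whose average gap lies in
    [lo, hi] seconds and whose relative spread (stdev / mean) is small.
    Returns [(key, avg_gap_seconds, resolved_name_or_None), ...]."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if lo <= avg <= hi and pstdev(gaps) / avg <= max_jitter:
            src, dst, _ = key
            hits.append((key, round(avg, 1), resolved.get((src, dst))))
    return hits


def constructed_log():
    """Constructed traffic for one evening: a miner on 10.0.0.12, its web
    browsing, and a legitimate 5-minute heartbeat from another host.
    The pool name, addresses and port are made up for the example."""
    base = datetime(2018, 3, 5, 20, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{at(0)} src=10.0.0.12 query=pool.example.net answer=203.0.113.7"]
    # one lookup, then a pool connection roughly every 60 s with a little jitter
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
        lines.append(f"{at(1 + 60 * i + jitter)} src=10.0.0.12 dst=203.0.113.7 dport=3333")
    # bursty browsing from the same host: never evenly spaced
    for s in (5, 7, 220, 552, 553, 900):
        lines.append(f"{at(s)} src=10.0.0.12 dst=198.51.100.20 dport=443")
    # a legitimate agent checking in every 300 s: periodic, but outside the band
    for i in range(6):
        lines.append(f"{at(10 + 300 * i)} src=10.0.0.30 dst=198.51.100.9 dport=443")
    return lines


def scan(lines=None):
    """Parse the log (constructed sample by default) and return periodic flows."""
    flows, resolved = parse(lines if lines is not None else constructed_log())
    return periodic_flows(flows, resolved)


if __name__ == "__main__":
    for (src, dst, port), gap, name in scan():
        print(f"{src} -> {dst}:{port} every ~{gap}s  (resolved as {name})")
```

The band matters: the 300-second heartbeat is just as regular as the miner but falls outside 30-100 seconds, so only the pool flow is reported. Tighten `max_jitter` on a quiet network, loosen it where proxies or NAT add delay, and treat a hit as a lead to confirm on the host, not as proof by itself.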
5. Systems and CPU Monitoring
“Probably the most effective and best way to detect mining activities is through active real-time performance and system monitoring,” SANS said.
Smart IT pros are already looking for heavy CPU loads. “We monitor the CPU usage and temperatures. If there is an abnormal amount of CPU usage or the temperature starts rising higher than normal then it triggers an alert in our monitoring system and a technician will remote into the computer to find out what is going on. Most of the time it is nothing like a crypto miner but rather a problem with an application. It does give us the ability to be a bit proactive and diagnose problems a bit sooner, even start diagnosing before users contact the helpdesk,” one Reddit visitor said.
There is a caveat. Early crypto miners ate up all the CPU, making it basically useless for real work and easy to spot. Newer tools are more customizable. “While writing this paper, applications that allowed the user to set up how much work the mining application was allowed to perform were observed and tested,” SANS said.
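Both the sustained-CPU alert the admins above rely on and the throttled-miner case SANS raises can be written as rules over a stream of CPU samples. The Python below is an added example, not part of the original post, the SANS paper or any RMM product: the 90% / 30-minute and 20% / 60-minute thresholds, the 19:00-07:00 after-hours window and the 24 hours of telemetry are all constructed assumptions. Rule 1 catches a miner that pins the CPU; rule 2 looks for what a capped miner leaves behind on an idle machine, a flat plateau with almost no variance.

```python
"""Added example: two CPU rules in the spirit of the RMM alerts described above.

Rule 1 is the one the admins quote: CPU pinned above a threshold for longer
than N minutes.  Rule 2 targets the throttled miners SANS warns about: a
miner capped at 30% never trips rule 1, but an idle workstation after hours
should sit near 0% with occasional bursts, not on a flat plateau.  The
thresholds, the 19:00-07:00 "after hours" window and the telemetry below are
constructed assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    ts: datetime
    cpu: float          # total CPU utilisation, 0..100


Window = Optional[Tuple[datetime, datetime]]


def sustained_high(samples: List[Sample], threshold: float = 90.0,
                   minutes: int = 30) -> Window:
    """Rule 1: first run of consecutive samples at or above `threshold`
    spanning at least `minutes`.  Samples must be in time order."""
    run_start = None
    for s in samples:
        if s.cpu < threshold:
            run_start = None
            continue
        run_start = run_start or s.ts
        if s.ts - run_start >= timedelta(minutes=minutes):
            return run_start, s.ts
    return None


def _night_runs(samples: List[Sample], night_start: int = 19, night_end: int = 7,
                max_gap: timedelta = timedelta(minutes=5)) -> List[List[Sample]]:
    """Split time-ordered samples into contiguous after-hours stretches."""
    runs, cur = [], []
    for s in samples:
        at_night = s.ts.hour >= night_start or s.ts.hour < night_end
        contiguous = bool(cur) and s.ts - cur[-1].ts <= max_gap
        if at_night and (contiguous or not cur):
            cur.append(s)
        else:
            if cur:
                runs.append(cur)
            cur = [s] if at_night else []
    if cur:
        runs.append(cur)
    return runs


def flat_plateau(samples: List[Sample], floor: float = 20.0,
                 max_stdev: float = 3.0, minutes: int = 60) -> Window:
    """Rule 2: an after-hours window of at least `minutes` whose mean CPU
    stays above `floor` with almost no variance, the signature of a
    rate-limited miner on an otherwise idle host."""
    for run in _night_runs(samples):
        j = 0
        for i in range(len(run)):
            while j < len(run) and run[j].ts - run[i].ts < timedelta(minutes=minutes):
                j += 1
            if j == len(run):
                break           # no window long enough starts here or later
            window = [s.cpu for s in run[i:j + 1]]
            if mean(window) >= floor and pstdev(window) <= max_stdev:
                return run[i].ts, run[j].ts
    return None


def constructed_day() -> List[Sample]:
    """Constructed telemetry: one sample per minute for 24 h on a workstation
    that is idle overnight, bursty during office hours, pinned at 100% from
    20:00 to 21:00 (a greedy miner) and parked at a flat ~31% from 01:00 to
    03:00 (a throttled one)."""
    t0 = datetime(2018, 3, 5)
    day = []
    for m in range(24 * 60):
        if 60 <= m < 180:
            cpu = 30.0 + m % 3                          # 30, 31, 32: flat, low-variance
        elif 1200 <= m < 1260:
            cpu = 100.0
        elif 480 <= m < 1080:
            cpu = 15.0 + (60.0 if m % 7 == 0 else 0.0)  # office hours: idle plus bursts
        else:
            cpu = 2.0 + m % 4                           # idle: 2..5%
        day.append(Sample(t0 + timedelta(minutes=m), cpu))
    return day


if __name__ == "__main__":
    day = constructed_day()
    print("pinned  :", sustained_high(day))    # the 20:00 miner
    print("plateau :", flat_plateau(day))      # the 01:00 miner that rule 1 misses
```

Rule 1 alone reports only the 20:00 burst; the capped miner at 01:00 is found by rule 2 because a real idle desktop does not hold 31% for an hour with a spread under one percentage point. Pair either rule with the technician remote-in the admin above describes, since a stuck updater or a scheduled scan will trip rule 1 far more often than a miner will.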
How Pulseway Helps
Pulseway, the only mobile-first RMM, helps block crypto-miners in several ways:
Pulseway monitors CPU usage, and admins can set rules to be notified if it spikes for a particular length of time. Since a miner pushes CPU usage to a high percentage, you can set a notification and get alerted when the CPU stays high for, say, 30 minutes.
Anti-virus is key. Pulseway’s Kaspersky Anti-Virus detects when you try to open a website that runs a crypto mining script, and it blocks the website.
Finally, Pulseway can use DNS to block domains and sites associated with mining.
Learn more about endpoint and DNS protection here.