Q: I have some customers with fairly large networks, and one of them is a business college. It seems like all those latent CPUs would be an attractive target for cryptominers. We’ve been taking steps to protect them, but I’m wondering what we should be watching for and what steps we should be taking to strengthen our clients’ defenses?
To find the answer to this question, SmarterMSP caught up with Melbourne, Australia-based senior forensic investigator Simon Smith, who provided his expert insights into how MSPs can best ward off cryptojacking. Smith is a well-known cyber forensic investigator in Australia who deals with cybercrime and cryptocurrency fraud. He has solved many cases of online cryptocurrency schemes that purported to be legitimate investments, tracks cybercriminals who hide behind fake profiles to extort, defame, or stalk business and consumer clients for commercial or criminal purposes, and has assisted law enforcement with high-tech crime investigations.
Defining the basics
Let’s first go back to the basics and define what cryptojacking is and isn’t. The phenomenon is new enough that there is still some confusion.
“Cryptomining is a process in which transactions are mathematically solved to form a verified piece of a blockchain ledger,” Smith says. The technology has many useful applications and is attractive because of its anonymity.
“The technology itself is not illegal, nor is the mining process meant to be a damaging attack on infrastructure. It is a competitive process where several computers attempt to compute a cryptographic hash function to establish a consensus of a transaction and crack the code to ensure that the transaction is correctly placed within the blockchain,” Smith says. A bunch of cryptominers descending on a network sounds ominous, so what is the harm of such an attack?
“This technology can be abused only in the sense that third-party phones, computers, and other devices can have their processing units hijacked without consent to obtain financial gain for a miner. The processing power needed to mine cryptocurrency has become very competitive and otherwise only available to miners who can purchase expensive equipment,” Smith shares, citing Application-Specific Integrated Circuits (ASICs) as a favored tool.
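The competition Smith describes is a brute-force search: every participant hashes candidate inputs until one lands below a target, and only the winner is paid. The toy proof-of-work below is an added example written for this page, not code from the article or from any real mining software; it uses SHA-256 with a difficulty expressed as leading zero bits and a constructed header string. It shows why a hijacked host runs flat out for as long as the miner is alive (the search cost grows as 2^difficulty) while checking a solution costs a single hash.

```python
"""Toy proof-of-work search illustrating the mining loop (added example).

Difficulty is the number of leading zero bits the SHA-256 digest of
(header || nonce) must have. Real networks use far larger targets and
dedicated hardware, but the shape of the work, hash until a target is met,
is the same, and that is what pins a hijacked CPU or GPU at full load.
"""
import hashlib
from typing import Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> Tuple[int, bytes, int]:
    """Try nonces in order until SHA-256(header || nonce) has difficulty_bits leading zeros.

    Returns (nonce, digest, hashes_tried). Expected work is about 2**difficulty_bits hashes.
    """
    for nonce in range(max_nonce):
        digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    raise RuntimeError("nonce space exhausted without meeting the target")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash: cheap for everyone, unlike the search."""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits


if __name__ == "__main__":
    header = b"constructed-block-header"   # constructed input, not a real block header
    for bits in (8, 12, 16):
        nonce, digest, tried = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:6d} hashes tried={tried:6d} "
              f"digest={digest.hex()[:16]}... verified={verify(header, nonce, bits)}")
```

Each extra bit of difficulty roughly doubles the number of hashes tried, which is the whole reason stolen CPU time is worth money to an attacker: the search never gets cheaper, so every hijacked core adds linearly to the attacker's chance of winning.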
Electric bills and slow speed
There are several signs that miners may have taken up residence in a client’s network: machines that are suddenly very slow, equipment that overheats, and electric bills that abruptly go through the roof because of the energy the miners consume. Any of these could mean that the client’s network has been compromised.
“This uses the CPU or GPU of the device, making a peer-to-peer network of hundreds of thousands of nodes working together,” Smith says. “This is impacting the performance and speed of the devices and attempting to collectively report successful hash formulas to the developer, using shared resource pools not belonging to them over a mass number of resources, which itself is a criminal act.” Smith adds that several applications that have appeared in mobile app stores have carried malware that mined cryptocurrency without the user’s consent.
Secure back-ups are crucial
With all of that in mind, we come to our central question: What can MSPs do to help protect their customers against illegal cryptomining? According to Smith:
- Regularly monitor system resources, and ensure that all running processes are quarantined and not only approved by the CISO but internally tested for any activity that would appear abnormal, and that external use is blocked for any process that does not need the internet from an organizational perspective.
- Education is also important, and it should be an ongoing process. Periodically, MSPs should refresh staff members on the dangers of attachments and emails from suspicious sources.
- MSPs are urged to keep their clients’ malware protection updated for any signature-based malware. However, since malware and viruses do not necessarily depend on signatures, it is strongly advised that all individuals and organizations have a secure backup and restore plan, so that they can restore to intervals acceptable to their disaster recovery expectations, and that they not install any executable file they do not trust.
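The first recommendation above, monitoring resources against an approved-process list and blocking egress for processes that do not need it, is the one an MSP can automate. The script below is an added example written for this page, not code from the article or from Smith; it applies that policy to process snapshots and ties it to the warning signs from the previous section (sustained full-load CPU). The telemetry, host names, process names and the approved-process inventory are all constructed for illustration, and the address ranges treated as internal are the RFC 1918 ranges plus loopback.

```python
"""Flag cryptojacking indicators in process-resource snapshots (added example,
not from the article). The samples below are constructed; in a real deployment
the same records would come from an agent such as psutil, osquery or an EDR
sensor polled every few minutes, and APPROVED would be the CISO-approved
inventory the article recommends."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    ts: int                 # seconds since monitoring started
    host: str
    pid: int
    name: str
    cpu_pct: float          # percent of one core over the sampling interval
    remote: Optional[str]   # IPv4 "ip:port" of an established outbound connection, or None


# Hypothetical approved-process inventory: name -> may this process reach the internet?
APPROVED = {
    "sqlservr.exe": True,
    "chrome.exe": True,
    "matlab.exe": False,
    "explorer.exe": False,
}

# Address ranges treated as internal; anything else counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

CPU_THRESHOLD = 80.0    # percent of a core
SUSTAIN_SECONDS = 600   # miners run flat out; ten minutes of continuous load is the bar here


def is_external(remote: Optional[str]) -> bool:
    """True when the remote endpoint lies outside INTERNAL_NETS."""
    if remote is None:
        return False
    ip = ipaddress.ip_address(remote.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


def longest_high_cpu_run(samples: List[Sample], threshold: float = CPU_THRESHOLD) -> int:
    """Longest contiguous stretch, in seconds, during which cpu_pct stayed at or above threshold.

    A lone hot sample is a run of length 0; the run grows with each consecutive hot sample,
    so brief spikes (a compile, a backup) do not trip the sustained-load check.
    """
    best, run_start = 0, None
    for s in sorted(samples, key=lambda s: s.ts):
        if s.cpu_pct >= threshold:
            if run_start is None:
                run_start = s.ts
            best = max(best, s.ts - run_start)
        else:
            run_start = None
    return best


def detect(samples: List[Sample], approved=APPROVED,
           threshold: float = CPU_THRESHOLD, window: int = SUSTAIN_SECONDS
           ) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (host, process name, reasons) for every process that violates the policy.

    An approved process that is merely busy is a legitimate workload and is not reported;
    an unapproved process is always reported, with sustained load added as a reason.
    """
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.host, s.pid, s.name)].append(s)

    findings = []
    for (host, pid, name), ss in by_proc.items():
        hot = longest_high_cpu_run(ss, threshold) >= window
        egress = any(is_external(s.remote) for s in ss)
        unapproved = name not in approved
        bad_egress = egress and not approved.get(name, False)
        if not (unapproved or bad_egress):
            continue
        reasons = []
        if unapproved:
            reasons.append("process not on the approved list")
        if hot:
            reasons.append(f"cpu >= {threshold:.0f}% for >= {window}s")
        if bad_egress:
            reasons.append("external connection from a process not permitted internet access")
        findings.append((host, name, tuple(reasons)))
    return findings


# Constructed telemetry: processes sampled every five minutes.
SAMPLES = [
    # approved database host, heavily loaded but internal-only: legitimate
    *[Sample(t, "db-01", 1200, "sqlservr.exe", 92.0, None) for t in (0, 300, 600, 900)],
    # unknown binary pinned at full load and talking to an outside address
    *[Sample(t, "lab-pc-07", 4412, "updater.exe", 97.0, "203.0.113.5:443") for t in (0, 300, 600, 900)],
    # unknown binary with a short spike only: still unapproved, but not sustained
    Sample(0, "lab-pc-07", 5100, "backup_agent.exe", 95.0, None),
    Sample(300, "lab-pc-07", 5100, "backup_agent.exe", 95.0, None),
    Sample(600, "lab-pc-07", 5100, "backup_agent.exe", 3.0, None),
    # approved tool that must not reach the internet, but does
    Sample(0, "lab-pc-07", 3000, "matlab.exe", 12.0, "198.51.100.20:443"),
    # approved browser reaching the internet: permitted
    Sample(0, "lab-pc-08", 2200, "chrome.exe", 40.0, "198.51.100.21:443"),
]

if __name__ == "__main__":
    for host, name, reasons in detect(SAMPLES):
        print(f"{host}: {name}: {'; '.join(reasons)}")
```

The check deliberately does not alert on an approved process that is busy, since a database or render node legitimately looks like a miner on CPU alone; the approved list plus the egress rule is what separates the two. Sustained load is measured as a contiguous run rather than an average so that a short burst from a real job does not page anyone.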
Skip these steps, and your client’s business is in peril.
Cryptomining is not a “victimless crime”
According to Smith, the damage caused by such an attack is essentially a denial of service to the organization: if every process the organization runs is slowed down, serious infrastructure problems can follow.
Reporting and monitoring of cyber systems could be slowed or halted, leaving systems open to further attacks. Hardware forced to run at full load for extended periods, as cryptomining malware does, can overheat and even be damaged, which in turn can affect access to emergency services. Ironically, the attack itself could make it harder to report.
Smith points out that financial damage can also occur if legitimate customers cannot contact their MSP: these days most telephone systems run on VoIP services, which also rely on CPUs to route and distribute calls over the network in packet form. Smith adds that certain types of MSP clients are most vulnerable to cryptomining attacks.
“Large universities that do not have the proper infrastructure in place to maintain their servers, and rogue students who set up such elaborate processes,” Smith explains. The other danger comes from people who download malware from an innocent-looking email. “Too many people see the word ‘Free’ and don’t know the dangers that come with that term,” Smith says.
Armed with the right information and the protections outlined here, you can help keep miners out of your clients’ networks.