Resource Utilization
Cryptocurrency Mining
Detection overview
The "Cryptocurrency Mining" detection focuses on identifying unauthorized use of an organization's computing resources to mine cryptocurrencies. Cryptocurrency mining involves using computational power to solve complex mathematical problems, which are then rewarded with cryptocurrency. While mining is a legitimate activity, unauthorized mining on corporate infrastructure can lead to significant resource consumption, increased operational costs, and potential security risks.
Triggers
- An internal host is mining units of cryptocurrency of which Bitcoin, Litecoin, Ethereum, and Monero are some of the most common variants
- Cryptocurrency mining is a common way for botnet operators to make money
- Cryptocurrency mining may involve communication via HTTP or via the Stratum mining protocol
Possible Root Causes
- An infected host is mining cryptocurrency for its bot herder
- Some cryptocurrency mining can occur in the user’s browser as a side effect of visiting compromised or low-reputation websites
- The user of the host on which the behavior has been detected has installed cryptocurrency mining software and is making money using your organization’s systems, power, and network resources
Business Impact
- Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on black lists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
- If the user of the host intentionally installed cryptocurrency mining software, the risk may be minimal, though such a user may also be prone to installing other “money making” software which may not prove to be as benign
Steps to Verify
- If the user intentionally installed cryptocurrency mining software, decide whether it should be removed
- If the user did not install cryptocurrency mining software, the host is likely infected and part of a botnet that performs “silent mining”
- Use anti-virus software or reimage the host to remove the malware
Cryptocurrency Mining
Possible root causes
Malicious Detection
- An attacker has compromised an internal system and is using it to mine cryptocurrencies.
- Insider threat where an employee intentionally installs mining software on corporate infrastructure for personal gain.
- Use of malware or Trojans specifically designed to deploy mining software covertly.
Benign Detection
- Legitimate use of mining software for research or testing purposes within an approved scope.
- Misconfigured or unauthorized installations of mining software by well-intentioned employees.
- Security assessments or penetration tests involving mining software.
Cryptocurrency Mining
Example scenarios
Scenario 1: An attacker compromises a server in the organization's network and installs cryptocurrency mining software. The detection is triggered by a sudden spike in CPU usage and outbound traffic to known mining pools.
Scenario 2: An employee installs mining software on their workstation for personal gain. The detection is triggered by increased CPU and GPU usage, along with connections to external mining servers.
Cryptocurrency Mining
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Resource Drain
Unauthorized mining consumes computational resources, reducing performance and availability for legitimate business operations.
Increased Costs
Higher energy consumption and potential hardware damage due to overheating can lead to increased operational costs.
Security Risks
Mining software can create vulnerabilities or backdoors that attackers can exploit.
Cryptocurrency Mining
Steps to investigate
Review System Performance Logs
- Check logs for sudden spikes in CPU, GPU, or network usage.
- Identify any systems showing signs of overheating or increased energy consumption.
Examine Installed Software
- Scan for the presence of cryptocurrency mining software or related processes.
- Check for unauthorized installations or unusual software activity.
Analyze Network Traffic
- Monitor outbound network traffic for connections to known mining pools.
- Look for unusual patterns or volumes of data being sent to external addresses.
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity associated with the affected systems.
- Verify if the detected activity is part of a scheduled security assessment or penetration test.
FAQs
What is cryptocurrency mining?
Cryptocurrency mining involves using computational power to solve complex mathematical problems, which are then rewarded with cryptocurrency.
What are the common signs of unauthorized mining?
Signs include high CPU or GPU usage, increased energy consumption, overheating of hardware, and unusual outbound network traffic.
Can legitimate activities trigger the detection of mining?
Yes, legitimate use of mining software for research, testing, or security assessments can trigger this detection. It’s important to verify the context of the activity.
How does Vectra AI detect cryptocurrency mining?
Vectra AI uses advanced AI algorithms to analyze system performance and network traffic, identifying patterns indicative of cryptocurrency mining and correlating these with other suspicious behaviors.
What is the business impact of unauthorized cryptocurrency mining?
The primary risks are resource drain, increased operational costs, security vulnerabilities, and compliance violations, which can lead to significant harm to the organization.
How can I detect unauthorized cryptocurrency mining in my environment?
Monitor for sudden spikes in CPU, GPU, or network usage, scan for mining software, and analyze network traffic for connections to known mining pools.
Why is unauthorized mining a significant threat?
Unauthorized mining consumes computational resources, increases operational costs, and can introduce security vulnerabilities and compliance issues.
What steps should I take if I detect unauthorized mining?
Investigate the source of the mining activity, verify if it was authorized, check for other signs of malicious activity, and take steps to remove mining software and secure affected systems.
What tools can help verify the presence of unauthorized mining?
Tools like system performance monitors, threat detection and response systems, and specialized network traffic analysis solutions can help identify and verify unauthorized mining activity.
How can I prevent unauthorized cryptocurrency mining?
Implement strong access controls, monitor system performance and network traffic, set up alerts for unusual activity, and regularly audit installed software and user activity.