Resource Utilization

Cryptocurrency Mining

Detection overview

The "Cryptocurrency Mining" detection focuses on identifying unauthorized use of an organization's computing resources to mine cryptocurrencies. Cryptocurrency mining involves using computational power to solve complex mathematical problems, which are then rewarded with cryptocurrency. While mining is a legitimate activity, unauthorized mining on corporate infrastructure can lead to significant resource consumption, increased operational costs, and potential security risks.

Triggers

  • An internal host is mining units of a cryptocurrency; Bitcoin, Litecoin, Ethereum, and Monero are among the most common variants seen
  • Cryptocurrency mining is a common way for botnet operators to make money
  • Cryptocurrency mining may involve communication via HTTP or via the Stratum mining protocol
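
The Stratum trigger above can be checked directly in traffic: Stratum is newline-delimited JSON-RPC over a raw TCP socket, and the client-side method names (`mining.subscribe`, `mining.authorize`, `mining.submit` for Bitcoin-style pools; `login` and `submit` for Monero-style pools) are distinctive. The following is an added example, not Vectra's detection code; the flow records, wallet names and pool addresses are constructed for illustration.

```python
import json
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Optional

# Method names a mining CLIENT sends to a pool. Constructed list for this
# example; server-to-client methods such as mining.notify are deliberately
# excluded so that only the host initiating the session is flagged.
STRATUM_CLIENT_METHODS = {
    "mining.subscribe",   # client announces itself and asks for work
    "mining.authorize",   # client presents worker name (often a wallet address)
    "mining.submit",      # client submits a share
    "login",              # Monero/CryptoNote-style pools
    "submit",
}

@dataclass
class Finding:
    src: str
    dst: str
    methods: List[str] = field(default_factory=list)
    worker: Optional[str] = None   # wallet/worker string, useful for attribution

def parse_stratum_line(line: str):
    """Return (method, params) if the line is a Stratum JSON-RPC request, else None."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or "method" not in obj:
        return None
    return obj["method"], obj.get("params")

def extract_worker(method, params):
    # mining.authorize params: [worker_name, password]; login params: {"login": ...}
    if method == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])
    if method == "login" and isinstance(params, dict):
        return params.get("login")
    return None

def detect_mining_sessions(records):
    """records: iterable of (src, dst, payload_line). Returns one Finding per flow."""
    findings = OrderedDict()
    for src, dst, payload in records:
        parsed = parse_stratum_line(payload)
        if parsed is None:
            continue
        method, params = parsed
        if method not in STRATUM_CLIENT_METHODS:
            continue
        f = findings.setdefault((src, dst), Finding(src, dst))
        f.methods.append(method)
        f.worker = f.worker or extract_worker(method, params)
    return list(findings.values())

# Constructed sample flow records (src, dst, payload); not real traffic.
SAMPLE_RECORDS = [
    ("10.0.0.12", "203.0.113.5:3333", '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'),
    ("10.0.0.12", "203.0.113.5:3333", '{"id":2,"method":"mining.authorize","params":["1ExampleWallet.worker1","x"]}'),
    ("10.0.0.7", "198.51.100.9:443", "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "203.0.113.77:14444", '{"id":1,"method":"login","params":{"login":"4ExampleMoneroAddr","pass":"x","agent":"XMRig/6.0"}}'),
]
```

Run `detect_mining_sessions(SAMPLE_RECORDS)` to see the two flagged flows with their worker strings; the HTTP line is ignored because it is not JSON-RPC.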

Possible Root Causes

  • An infected host is mining cryptocurrency for its bot herder
  • Some cryptocurrency mining can occur in the user’s browser as a side effect of visiting compromised or low-reputation websites
  • The user of the host on which the behavior has been detected has installed cryptocurrency mining software and is making money using your organization’s systems, power, and network resources

Business Impact

  • Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP addresses will end up on blocklists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
  • If the user of the host intentionally installed cryptocurrency mining software, the risk may be minimal, though such a user may also be prone to installing other “money making” software which may not prove to be as benign

Steps to Verify

  • If the user intentionally installed cryptocurrency mining software, decide whether it should be removed
  • If the user did not install cryptocurrency mining software, the host is likely infected and part of a botnet that performs “silent mining”
  • Use anti-virus software or reimage the host to remove the malware

Possible root causes

Malicious Detection

  • An attacker has compromised an internal system and is using it to mine cryptocurrencies.
  • Insider threat where an employee intentionally installs mining software on corporate infrastructure for personal gain.
  • Use of malware or Trojans specifically designed to deploy mining software covertly.

Benign Detection

  • Legitimate use of mining software for research or testing purposes within an approved scope.
  • Misconfigured or unauthorized installations of mining software by well-intentioned employees.
  • Security assessments or penetration tests involving mining software.

Example scenarios

Scenario 1: An attacker compromises a server in the organization's network and installs cryptocurrency mining software. The detection is triggered by a sudden spike in CPU usage and outbound traffic to known mining pools.

Scenario 2: An employee installs mining software on their workstation for personal gain. The detection is triggered by increased CPU and GPU usage, along with connections to external mining servers.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Resource Drain

Unauthorized mining consumes computational resources, reducing performance and availability for legitimate business operations.

Increased Costs

Higher energy consumption and potential hardware damage due to overheating can lead to increased operational costs.

Security Risks

Mining software can create vulnerabilities or backdoors that attackers can exploit.

Steps to investigate

MITRE ATT&CK techniques covered

Related detections

FAQs

What is cryptocurrency mining?

Cryptocurrency mining involves using computational power to solve complex mathematical problems, which are then rewarded with cryptocurrency.

What are the common signs of unauthorized mining?

Signs include high CPU or GPU usage, increased energy consumption, overheating of hardware, and unusual outbound network traffic.

Can legitimate activities trigger the detection of mining?

Yes, legitimate use of mining software for research, testing, or security assessments can trigger this detection. It’s important to verify the context of the activity.

How does Vectra AI detect cryptocurrency mining?

Vectra AI uses advanced AI algorithms to analyze system performance and network traffic, identifying patterns indicative of cryptocurrency mining and correlating these with other suspicious behaviors.

What is the business impact of unauthorized cryptocurrency mining?

The primary risks are resource drain, increased operational costs, security vulnerabilities, and compliance violations, which can lead to significant harm to the organization.

How can I detect unauthorized cryptocurrency mining in my environment?

Monitor for sudden spikes in CPU, GPU, or network usage, scan for mining software, and analyze network traffic for connections to known mining pools.
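
The advice above (CPU spike plus connections to known pools) is only useful when the two signals are correlated, because a video encoder or build job is just as CPU-hot as a miner. The following added example, not Vectra's code, shows such a correlation over constructed host telemetry; the pool port list and pool hostname are assumptions standing in for your own threat intelligence.

```python
from collections import defaultdict
from statistics import median

# Assumed watchlist for this example: ports commonly used by Stratum pools and a
# placeholder pool hostname. Replace with your own intelligence feed.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
KNOWN_POOL_HOSTS = {"pool.example-mining.invalid"}

def sustained_cpu(samples, threshold=80.0, min_samples=5):
    """Map pid -> (name, median cpu%) for processes that stay hot across the window.
    samples: list of (pid, name, cpu_pct) collected by periodic polling."""
    per_pid, names = defaultdict(list), {}
    for pid, name, cpu in samples:
        per_pid[pid].append(cpu)
        names[pid] = name
    return {pid: (names[pid], median(v)) for pid, v in per_pid.items()
            if len(v) >= min_samples and median(v) >= threshold}

def suspicious_connections(conns):
    """Map pid -> list of remote endpoints that look like mining-pool traffic.
    conns: list of (pid, remote_host, remote_port, age_seconds)."""
    hits = defaultdict(list)
    for pid, host, port, age in conns:
        if port in POOL_PORTS or host in KNOWN_POOL_HOSTS:
            hits[pid].append(f"{host}:{port} ({age}s)")
    return hits

def correlate(samples, conns):
    """Processes that are both CPU-hot and talking to pool-like endpoints."""
    hot = sustained_cpu(samples)
    net = suspicious_connections(conns)
    return [(pid, hot[pid][0], round(hot[pid][1], 1), net[pid])
            for pid in sorted(hot) if pid in net]

# Constructed telemetry (not from a real host): six polls, ten seconds apart.
SAMPLES = [
    *[(4021, "kworker", 2.0 + i) for i in range(6)],
    *[(5150, "update-agent", 97.0 - i) for i in range(6)],   # hot, innocuous name
    *[(6000, "ffmpeg", 95.0) for _ in range(6)],             # hot but benign
]
CONNS = [
    (5150, "203.0.113.5", 14444, 5400),   # long-lived connection to a pool port
    (6000, "198.51.100.20", 443, 12),
    (4021, "10.0.0.1", 22, 3),
]
```

`correlate(SAMPLES, CONNS)` flags only pid 5150: ffmpeg is equally hot but has no pool-like connection, which is exactly the false positive a CPU-only rule would raise.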

Why is unauthorized mining a significant threat?

Unauthorized mining consumes computational resources, increases operational costs, and can introduce security vulnerabilities and compliance issues.

What steps should I take if I detect unauthorized mining?

Investigate the source of the mining activity, verify if it was authorized, check for other signs of malicious activity, and take steps to remove mining software and secure affected systems.

What tools can help verify the presence of unauthorized mining?

Tools like system performance monitors, threat detection and response systems, and specialized network traffic analysis solutions can help identify and verify unauthorized mining activity.

How can I prevent unauthorized cryptocurrency mining?

Implement strong access controls, monitor system performance and network traffic, set up alerts for unusual activity, and regularly audit installed software and user activity.