Security experts recommend looking for increased activity from illicit mining on corporate networks when cryptocurrency prices go up.
Crypto mining may seem like a small risk when compared with all the ransomware attacks going on. However, Cisco Talos researchers note in a new analysis that “unauthorized software on end systems is never a good sign. Today it’s a crypto miner, tomorrow it could be the initial payload in an eventual ransomware attack.”
Crypto mining has increased from 3% of all mining alerts in January 2020 to 6% in March 2021, according to analysis from Talos. Bad actors often time attacks around activities or events in the news, such as COVID-19 vaccinations. Talos recommends that security teams recognize this dynamic and incorporate it into threat monitoring. This means looking for increased activity on corporate networks when cryptocurrency values start going up. Also, if “new monetization avenues open up, expect the actors to follow.”
The Talos analysis tracked the price of the Monero currency and compared that data point with activity levels of crypto mining. Talos decided to compare the two data points because “illicit crypto mining is one of the few payloads where the monetary gain is directly tied to tangible value.”
The analysts found that the activity graph tracks almost identically with the value of the currency. Talos used network-based detection to monitor crypto mining activity and tracked the rate that certain SNORT rules that target crypto miners fired. The Cisco Talos researchers chose to track Monero’s value because previous research found that many large-scale crypto mining campaigns favored this particular currency.
In an analysis of threat trends in 2020, Cisco found that crypto miners accounted for the most malicious DNS activity. The report also noted that crypto mining was most active early in the year and declined until summer. Activity picked up again as currency values increased. The report also noted that there is little difference between legitimate and illicit crypto mining traffic. In October 2020, Cisco Talos researchers reported on an increase in activity of the Lemon Duck crypto miner.
As Brandon Vigliarolo reported for TechRepublic, Kaspersky analysts also noticed a correlation between increases in the price of a single bitcoin and increased activity from modified crypto mining malware. Kaspersky tracked a fourfold increase in this kind of malware between February and March 2021.
As Lance Whitney explained in an article about crypto mining scams, crypto mining uses a computer’s processing power to solve complicated mathematical problems as a way to verify cryptocurrency transactions. When individuals sign up for crypto mining, they are supposed to be paid with a small amount of cryptocurrency. Bad actors set up fake crypto mining services that don’t pay out this dividend. These scams started out on desktops but have migrated to mobile phones. In 2018, Apple banned cryptocurrency mining from the iPhone, iPad and Mac, but Google still allows the practice. This means mobile-based crypto mining scams are more of a problem for Android users.