What is it?
Bitcoin mining is the process of adding transaction records to Bitcoin's public ledger of past transactions or blockchain. This ledger of past transactions is called the block chain as it is literally a chain of blocks that serves to confirm transactions to the rest of the network as having taken place. Bitcoin nodes use the block chain to distinguish legitimate Bitcoin transactions from attempts to re-spend coins that have already been spent elsewhere. The primary purpose of mining therefore is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Additionally, the miner is awarded the fees paid by users sending transactions. The fee is an incentive for the miner to include the transaction in their block. In the future, as the number of new bitcoins miners are allowed to create in each block dwindles, the fees will make up a much higher percentage of mining income.
Cryptojacking is the unauthorised use of someone else’s computer to mine cryptocurrency – i.e. hacking bitcoins and other digital currencies.
Why is it a threat?
Rogue miners steal other people’s computer power. The possibility of compensation is what attracts miners, but it’s the need for computer capacity to solve the hash that leads miners to ‘leverage’ enterprise resources. They do this using Trojan malware that runs on the affected host machine and does bitcoin mining in the background, often without the user being aware of the ‘parasite within’.
How common is it?
Everything from smartphones, to PCs and servers have been infiltrated by hackers, who exploit their processing power to secretly mine cryptocurrency; some schemes are known to have generated millions. As reported by Symantec, browser-based cryptocurrency mining activity “exploded in the last few months of 2017”. Detections of coinminers on endpoint computers in 2017 surged by 8,500 percent – see graph below – with cryptojacking malware attacks making up 24 percent of all online attacks blocked in December 2017, and 16 percent of online attacks blocked in Q4 of 2017. [Source: ISTR 23: Insights into the Cyber Security Threat Landscape, 21 Mar 2018, Symantec Corporation].
[Source: Symantec Corporation]
Is there a financial impact?
Yes. Running processors at a “high-load” for a long time will increase your electricity costs. The life of a processor or the battery within a laptop may also be shortened. This may not amount to much if it’s just your home PC that’s being affected, but the costs for an enterprise organisation can add up in the course of a year or two if your malware investigation processes have failed to find the culprit.
Can you defend against it?
Yes. Blocking access to a blacklist of existing public blockchain pools is advised, however, new pools and addresses are emerging all the time. If you have deep packet inspection engines, configure the rules and inspect all encrypted sessions. If you can identify which currently running unverified process is taking up a large amount of resources that is very likely to be the malware affecting your system and you should remove its associated files. You could also try to associate the transmitting port(s) to the suspected malware process or processes to assist in identification of the bitcoin miner.
Most antivirus software can find and remove crypto-mining malware, however, if you are concerned that a Trojan horse is present after scanning, our Cyber Threat Hunting team can expertly remove it and advise which measures are the most appropriate to prevent it coming back. In the long run, it pays to have your system regularly inspected in this way to test and assure cyber security processes – after all, you spend a fortune to keep malware out: you need to check that it’s not already there!
What should you do if it happens to you?
We recommend isolating the affected systems immediately and searching for evidence of malware.
You should block crypto mining using the deep packet inspection (DPI) engine in your firewalls. Configure a rule to detect and the block the JSON-RPC messages used by Stratum, the protocol mining pools use to distribute tasks among member computers. DPI rules should be configured to block based on three fields which are required in Stratum subscription requests: id, method, and params. And of course, run AV software, which in most cases can find and remove mining malware. However, if after scanning you still suspect that malware is present, you will need to call in experts.
Who can best deal with it?
7Safe’s cyber experts can advise on the best course of action if bitcoin mining activity is suspected. We can send in Cyber Threat Hunters to find, identify and remove malware and crypto-mining apps.
What 7Safe’s expert says:
“Cryptocurrency mining is fairly low on the enterprise risk register, but it would be unwise to ignore it due to the cost penalty of multiple impaired devices, increasing energy bills, and evidence of malware infection - which could turn out to be more serious when properly investigated!” [7Safe Cyber Expert]