Security experts recommend looking for increased activity from illicit mining on corporate networks when cryptocurrency prices rise.
Crypto mining might seem like a small risk compared to all the ransomware attacks out there. However, researchers at Cisco Talos note in a new analysis that “Unauthorized software on end systems is never a good sign. Today it’s a crypto miner, tomorrow it could be the initial payload of a possible ransomware attack.”
Crypto mining rose from 3% of all mining alerts in January 2020 to 6% in March 2021, according to Talos analysis. Bad actors often organize attacks around topical activities or events, such as COVID-19 vaccinations. Talos recommends that security teams recognize this dynamic and incorporate it into threat monitoring. This means looking for increased activity on corporate networks when cryptocurrency values start to rise. Also, if “new avenues for monetization open up, expect players to follow.”
Talos analysis tracked the price of the Monero currency and compared this data point with the activity levels of crypto mining. Talos decided to compare the two data points because “illicit cryptocurrency mining is one of the few payloads where monetary gain is directly tied to tangible value.”
Analysts have found that the activity graph tracks the value of the currency almost identically. Talos used network-based detection to monitor crypto mining activity and tracked the trigger rate of certain SNORT rules that target crypto miners. Cisco Talos researchers chose to track the value of Monero because previous research revealed that many large-scale crypto mining campaigns favored this particular currency.
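The comparison described above, per-day trigger counts of miner-related Snort rules set against the currency price, can be sketched as follows. This is an added example, not Talos code: the alert lines, the prices and the SIDs 1000001, 1000002 and 1000099 are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from math import sqrt

# Constructed Snort alert_fast lines. SIDs 1000001, 1000002 and 1000099 are
# placeholders in the local-rule range, not real Talos rule IDs.
SAMPLE_ALERTS = """\
03/01-09:12:01.000000  [**] [1:1000001:1] EXAMPLE miner pool login [**] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:3333
03/02-11:40:17.000000  [**] [1:1000099:1] EXAMPLE unrelated alert [**] [Priority: 3] {TCP} 10.0.0.9:50111 -> 198.51.100.2:80
03/02-13:05:44.000000  [**] [1:1000002:1] EXAMPLE miner job request [**] [Priority: 1] {TCP} 10.0.0.5:49160 -> 203.0.113.7:3333
03/03-08:01:09.000000  [**] [1:1000001:1] EXAMPLE miner pool login [**] [Priority: 1] {TCP} 10.0.0.6:49200 -> 203.0.113.7:3333
03/03-16:22:30.000000  [**] [1:1000002:1] EXAMPLE miner job request [**] [Priority: 1] {TCP} 10.0.0.6:49201 -> 203.0.113.7:3333
03/04-07:45:00.000000  [**] [1:1000001:1] EXAMPLE miner pool login [**] [Priority: 1] {TCP} 10.0.0.7:49300 -> 203.0.113.8:3333
03/04-12:10:51.000000  [**] [1:1000001:1] EXAMPLE miner pool login [**] [Priority: 1] {TCP} 10.0.0.8:49301 -> 203.0.113.8:3333
03/04-19:33:12.000000  [**] [1:1000002:1] EXAMPLE miner job request [**] [Priority: 1] {TCP} 10.0.0.7:49302 -> 203.0.113.8:3333
"""
MINER_SIDS = {1000001, 1000002}
# Constructed daily closing prices (USD), keyed like the alert dates.
DAILY_PRICE = {"03/01": 210.0, "03/02": 215.0, "03/03": 230.0, "03/04": 250.0}

ALERT_RE = re.compile(r"^(\d\d/\d\d)-\S+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")

def daily_miner_hits(log_text, sids):
    """Count alerts per day whose SID (middle field of gid:sid:rev) is in sids."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m and int(m.group(3)) in sids:
            hits[m.group(1)] += 1
    return hits

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def price_alert_correlation(log_text, sids, prices):
    """Correlate daily price with daily miner-rule hits (no hits counts as 0)."""
    hits = daily_miner_hits(log_text, sids)
    days = sorted(prices)  # MM/DD keys sort correctly within one year
    return pearson([prices[d] for d in days], [hits.get(d, 0) for d in days])

if __name__ == "__main__":
    print(dict(daily_miner_hits(SAMPLE_ALERTS, MINER_SIDS)))
    print(round(price_alert_correlation(SAMPLE_ALERTS, MINER_SIDS, DAILY_PRICE), 3))
```

On real data, a coefficient that stays high over weeks supports raising monitoring attention on miner rules when the price climbs; a handful of days, as in this sample, is only enough to show the mechanics.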
In an analysis of threat trends in 2020, Cisco found that crypto miners generated the most malicious DNS activity. The report also noted that crypto mining was most active at the start of the year and declined until the summer. Activity picked up as the value of currencies increased. The report also noted that there is little difference between legitimate and illicit crypto mining traffic. In October 2020, researchers at Cisco Talos reported an increase in the activity of the crypto-miner Lemon Duck.
As Brandon Vigliarolo reported for TechRepublic, Kaspersky analysts have also noticed a correlation between the increase in the price of a single bitcoin and the increase in activity of modified crypto-mining malware. Kaspersky recorded a fourfold increase in this type of malware between February and March 2021.
As Lance Whitney explained in an article on crypto mining scams, crypto mining uses the processing power of a computer to solve complex mathematical problems to verify cryptocurrency transactions. When individuals sign up for crypto mining, they are supposed to be paid with a small amount of cryptocurrency. Bad actors are setting up bogus crypto mining services that don’t pay this dividend. These scams started on desktop computers but have migrated to mobile phones. In 2018, Apple banned cryptocurrency mining on iPhone, iPad, and Mac, but Google still allows the practice. This means that mobile crypto mining scams remain a problem for Android users.