Conquer it with correlation: Cryptojacking

Your company’s data is not the only valuable thing it has to offer to hackers looking for a payday. Organizational networks around the world have something much more basic which hackers can go after: sheer computing power. Cryptojacking, the unauthorized use of computing resources to mine cryptocurrency, exploits this power. While this type of attack can target any device, including personal, mobile, and IoT devices, corporate networks are the most attractive owing to their large computing power.


Cryptojacking is now more popular than ransomware

The interest in cryptocurrency only keeps rising, and everyone’s on the lookout for ways to acquire or mine it. Until 2017, ransomware attacks were the most popular method for attackers to increase their stores of digital currency. However, cryptojacking attacks have quickly become more popular this year, owing to their lower cost, lower risk, and steady, guaranteed returns.

A report from the Cyber Threat Alliance states that cryptojacking attacks have risen 459 percent over the last year. The allure is understandable for financially motivated attackers: Why sell data, or hold it for ransom, in exchange for cryptocurrency when you can mine it directly instead?

How cryptojacking attacks occur

Cryptojacking attacks most commonly mine for Monero, a cryptocurrency that offers more anonymity than Bitcoin.

There are two main ways cryptojacking occurs:

  1. Cryptojacking malware: Unauthorized cryptomining malware is delivered to your network systems—either through a malicious email attachment or link, vulnerable application or system, remote hack, or any of the usual delivery mechanisms. This malware is highly likely to go unnoticed as it runs in the background without any of the usual external indicators of compromise.
  2. In-browser cryptojacking: Cryptomining code is embedded in websites and ads, and can harness the processing power of visitors’ systems. If your employees inadvertently visit an infected or malicious site, their systems will be engaged in mining activity. Coinhive, a web service launched towards the end of 2017, created one such piece of JavaScript code, meant to be used in a legitimate manner. However, it was used by far more cybercriminals than trustworthy website admins, and ended up being the cause of a massive spike in this form of cryptojacking.

Why you should care about cryptojacking

Being a victim of cryptojacking doesn’t have any direct and obvious impact on your business. No data is compromised, and there are no legal or compliance issues to deal with. However, it has several indirect and hidden costs, which, when added up over a long period of time, can spell disaster for your company:

  • Slower systems: Systems engaged in background mining activity can become extremely slow, causing unwanted delays in regular business communications and activity.
  • Loss of business continuity: As CPU cycles are increasingly devoted to mining operations, cryptojacking can even cause an increase in application and hardware crashes, disrupting business continuity.
  • Higher electricity costs: Complex computations consume more electricity, causing an undesirable increase in your electricity bills.

Simply put, your network infrastructure supports a majority of your business operations, and when it isn’t performing at its maximum capacity, your business will suffer.

Detecting cryptojacking with event correlation

As mentioned before, cryptojacking doesn’t have any obvious indicators of compromise. The easiest way to identify a compromised machine is when it slows down or heats up. Event correlation can help you put together your logs, as well as network performance information, and detect cryptojacking attacks.

Some relevant correlation use cases include the detection of:

  • Unauthorized software installations
  • Known cryptocurrency mining or wallet software
  • Unusual spikes in CPU usage
  • Abnormal fan speeds
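As an added illustration of the correlation use cases listed above (example code written for this page, not code from the original post or from Log360), the following Python sketch runs two rules over constructed sample events: a direct match on known mining software, and a sustained CPU spike that is escalated when a software installation on the same host preceded it. The event format, thresholds, window, and the watchlist entry are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post):
# (host, ISO timestamp, event type, detail); a 'perf' detail is CPU %.
SAMPLE_EVENTS = [
    ("ws-01", "2018-12-18T09:00:00", "install", "budget-tool"),
    ("ws-01", "2018-12-18T09:05:00", "perf", "35"),
    ("ws-01", "2018-12-18T09:10:00", "perf", "40"),
    ("ws-02", "2018-12-18T09:00:00", "install", "example-miner"),
    ("ws-02", "2018-12-18T09:05:00", "perf", "97"),
    ("ws-02", "2018-12-18T09:10:00", "perf", "99"),
    ("ws-02", "2018-12-18T09:15:00", "perf", "98"),
    ("ws-03", "2018-12-18T09:05:00", "perf", "95"),
    ("ws-03", "2018-12-18T09:10:00", "perf", "96"),
    ("ws-03", "2018-12-18T09:15:00", "perf", "97"),
]
# Package names the defender treats as mining software; the single
# entry is a constructed placeholder, not a real product name.
MINER_WATCHLIST = {"example-miner"}
CPU_THRESHOLD, SUSTAINED_SAMPLES = 90.0, 3   # percent, consecutive samples
INSTALL_WINDOW = timedelta(hours=1)          # install-to-spike lookback


def correlate(events, watchlist=MINER_WATCHLIST):
    """Return (host, severity, reason) alerts from the rules above."""
    by_host = defaultdict(list)
    for host, ts, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort()
        installs = [(t, d) for t, k, d in evs if k == "install"]
        # Rule 1: known mining software installed (direct match).
        for _, name in installs:
            if name in watchlist:
                alerts.append((host, "high", f"known miner installed: {name}"))
        # Rule 2: sustained CPU spike; escalate if a software install
        # on the same host happened within INSTALL_WINDOW before it.
        run = []
        for t, k, d in evs:
            if k != "perf":
                continue
            run = run + [t] if float(d) > CPU_THRESHOLD else []
            if len(run) == SUSTAINED_SAMPLES:
                prior = [n for it, n in installs
                         if timedelta(0) <= run[0] - it <= INSTALL_WINDOW]
                if prior:
                    alerts.append((host, "high", f"CPU spike after install of {prior[0]}"))
                else:
                    alerts.append((host, "medium", "sustained CPU spike"))
    return alerts
```

In the sample data, ws-01 installs benign software and stays idle (no alert), ws-02 trips both rules, and ws-03 shows a spike with no installation to correlate it with, so it is reported at lower severity.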

Log360, ManageEngine’s comprehensive SIEM solution, comes equipped with a strong correlation module which includes predefined rules to help you detect all of the above and more. The solution can pull performance data from OpManager, our network monitoring solution, and correlate it with your log information to give you relevant incident alerts. You can even customize rules or build new ones suitable for your network environment.

Learn more about how event correlation in Log360 works, or sign up for a free, personalized demo.

** Optrics Inc. is an Authorized ManageEngine partner


The original article can be found here:

https://blogs.manageengine.com/active-directory/log360/2018/12/18/conquer-correlation-part-3-cryptojacking.html
