How to Prevent and Detect Cryptojacking, Part 2

This is the second article in a two-part series focused on how to prevent and detect cryptojacking. The first article in this series, “4 Signs You Are Cryptojacked, Part 1”, addressed why cryptojacking is harmful, the types of systems at risk, and provided four early indicators to detect cryptojacking.

This article focuses on how to prevent and detect cryptojacking. Nefarious cyber actors continue using this attack method and adjusting attack methods. For example, we have seen a shift in attack methods from browser-based to malware-based attacks.

Cryptojacking Impacts Operations

In February this year, Japanese manufacturer Hoya temporarily shut down production at a factory due to cryptojacking. Roughly 100 computers were infected with malware. The company detected the attack before the cryptojacking software took hold. However, the initial malware infection caused factory output to drop by 60 percent. Hoya had yet to completely recover from the attack by the end of March.

8 Actionable Recommendations to Prevent Cryptojacking

The following 8 recommendations can help your organization prevent a cryptojacking incident:

1. Keep your systems patched and up-to-date. Make sure users are allowing updates to occur on their systems. Remember to patch, patch, patch!
2. Train your workforce on cryptojacking. Ensure cryptojacking is part of your company’s security training. Include phishing techniques that threat actors use to load scripts on users’ devices.
3. Use a Next Generation Antivirus (NG AV). An NG AV and Internet security software suite can prevent software execution from the user heap. Alternatively, it can prevent execution in the user context unless whitelisted to do so. Examples include: Carbon Black, Cylance, and CrowdStrike.
4. Block identified cryptojacking websites with website filters. This is generally done at the firewall or your web security appliance.
5. Install ad-blockers and anti-cryptomining extensions on web browsers. Continue monitoring for phishing emails, unknown attachments, and suspicious links. Examples include: Ghostery, minerBlock for Chrome, and more. Further, Mozilla plans to offer FireFox browser anti-tracking tools to protect against cryptomining.
6. Establish a multi-layered security strategy. Include preventive measures and enabling visibility across the entire network and data recovery.
7. Review code to identify vulnerabilities. Integrate code review tools into your development environment. Examples include: Veracode, RIIPS, PVS-Studio, Kiuwan, Gamma, DeepScan, and Redshift.
8. Use a mobile device management (MDM) solution. Particularly if your organization has a bring-your-own-device (BYOD) policy. There are several tools available for smaller organizations (e.g., NG AV, Office 365) that will enforce some mobile device security. In addition, offer your workforce corporate cell phones. With this approach, you remove personal phones from the production network (putting them in a DMZ) and treat them as high threat devices.

6 Ways to Detect Whether Your Organization Has Been Cryptojacked

Cryptojacking can be difficult to detect. Cryptomining infected roughly ten times more organizations during 2018 than ransomware. In those instances, only one in five security professionals knew that their company’s systems had been impacted by the malware attack.

The following 6 ways can help determine whether you have been cryptojacked:

1. Train your workforce and IT team to look for signs of cryptomining. Slow computer performance, CPU or cooling fan failures, and heat radiating from devices could be early indicators of a compromise. This is especially true of thin mobile devices like laptops, tablets, and smartphones.
2. Monitor for abnormal CPU and GPU usage. Cryptomining is resource intensive. It typically causes hijacked machines to standout. Checking for high rate of resource usage during off-business hours should standout even further. Do this by using your workstation monitoring tools to baseline CPU and memory usage for each machine. Then, set alerts to trigger when they rise above the previously identified baseline. In addition, search for off-hours processing.
3. Monitor and approve applications for installation on servers and computers. Whitelist approved applications. Confirm that your security team approves of new applications prior to loading them. Prevent your browser from adding extensions and plugins without pre-approval. Several applications can help you set this up. For example, Windows includes built-in integrity tools (e.g., AppLocker). It also includes enterprise application stores and policy to enforce what applications are loaded. Alternatively, use security companies that have whitelisting or application integrity solutions (e.g., Carbon Black). Further, whitelisting your development code ensures only approved code runs in your environment.
4. Conduct penetration testing and incorporate regular vulnerability scanning. Most of us are in pretty good shape if everything is patched. So, patch, patch, patch! Hire several good pen testing companies and run regular vulnerability scanning tools. Read more here for ideas on which penetration testing tools to use.
5. Review web servers and websites for file changes or cryptomining codes and establish integrity controls. Lock your website files to prevent unapproved changes. Actively monitor your company website for any unapproved page changes or cryptomining code.
6. Deploy a network monitoring solution. Understand that cryptominers can write malware to evade detection. Consider buying advanced tools that scan physical behaviors of your computers to determine if they have been cryptojacked. Examples include: PFP Cybersecurity and Sepio Systems.

Cryptomining Threat Calls for Incorporating Old and New Security Approaches

In conclusion, these are not the only methods to prevent and detect cryptomining on your systems. However, they help identify suspected incidents for further investigation. Remember, both prevention and detection include basic cybersecurity approaches such as patching and workforce training.

Cryptomining has surpassed ransomware as a threat for now. Your security team must pivot to prevent and detect this latest malware trend. A cybersecurity assessment that reviews controls for ensuring the integrity of your company’s systems, software, and code can help improve your ability to respond to a cryptojacking incident.

See the first article in this series for early warning indicators that you may have been cryptojacked.

Contact GPSG at cyberteam@gpsg.co for a free consultation to enhance your ability to prevent, detect, and mitigate a cybersecurity incident.

Disclaimer: This blog provides ever changing content, conversations, and insights on cyber threats and trending solutions that is accurate to the best of our knowledge. Although we are cybersecurity experts, we provide information which we hope is helpful, and do not endorse any specific products, tools, or solutions referenced herein. Consult with your cybersecurity team before taking any action.