Defending Against Illicit Cryptocurrency Mining Activity
What is cryptocurrency?
Cryptocurrency is a digital currency used as a medium of exchange, similar to other currencies. Bitcoin, Litecoin, Monero, Ethereum, and Ripple are just a few types of the cryptocurrencies available. Unlike other currencies, cryptocurrency operates independently of a central bank and uses encryption techniques and blockchain technology to secure and verify transactions.
What is cryptomining?
Cryptocurrency mining, or cryptomining, is the way in which cryptocurrency is earned. Individuals mine cryptocurrency by using cryptomining software to solve complex mathematical problems involved in validating transactions. Each solved equation verifies a transaction and earns a reward paid out in the cryptocurrency.
What is cryptojacking?
Cryptojacking may have the following consequences to victim devices, systems, and networks:
- Degraded system and network performance because bandwidth and central processing unit (CPU) resources are monopolized by cryptomining activity
- Increased power consumption, system crashes, and physical damage from component failure due to the extreme temperatures
- Disruption of regular operations
- Financial loss due to system downtime caused by component failure and the cost of restoring systems and files to full operation as well as the cost of the increased power consumption
Cryptojacking involves maliciously installed programs that are persistent or non-persistent. Non-persistent cryptojacking usually occurs only while a user is visiting a particular webpage or has an internet browser open. Persistent cryptojacking continues to occur even after a user has stopped visiting the source that originally caused their system to perform mining activity.
Malicious actors distribute cryptojacking malware through weaponized mobile applications, botnets, and social media platforms by exploiting flaws in applications and servers and by hijacking Wi-Fi hotspots.
What types of systems and devices are at risk for cryptojacking?
Any internet-connected device with a CPU is susceptible to cryptojacking. The following are commonly targeted devices:
- Computer systems and network devices — including those connected to information technology and industrial control system networks;
- Mobile devices — devices are subject to the same vulnerabilities as computers; and
- Internet of Things devices — internet-enabled devices (e.g., printers, video cameras, and smart TVs).
How do you defend against cryptojacking?
The following cybersecurity best practices can help you protect your internet-connected systems and devices against cryptojacking:
- Use and maintain antivirus software. Antivirus software recognizes and protects a computer against malware, allowing the owner or operator to detect and remove a potentially unwanted program before it can do any damage. (See Protecting Against Malicious Code.)
- Keep software and operating systems up to date. Install software updates so that attackers cannot take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)
- Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters. (See Choosing and Protecting Passwords.)
- Change default usernames and passwords. Default usernames and passwords are readily available to malicious actors. Change default passwords, as soon as possible, to sufficiently strong and unique passwords.
- Check system privilege policies. Review user accounts and verify that users with administrative rights have a need for those privileges. Restrict general user accounts from performing administrative functions.
- Apply application allow listing. Consider using application allow lists to prevent unknown executables from launching autonomously.
- Be wary of downloading files from websites. Avoid downloading files from untrusted websites. Look for an authentic website certificate when downloading files from a secure site. (See Understanding Website Certificates.)
- Recognize normal CPU activity and monitor for abnormal activity. Network administrators should continuously monitor systems and educate their employees to recognize any above-normal sustained CPU activity on computer workstations, mobile devices, and network servers. Investigate noticeable degradation in processing speed.
- Disable unnecessary services. Review all running services and disable those that are unnecessary for operations. Disabling or blocking some services may create problems by obstructing access to files, data, or devices.
- Uninstall unused software. Review installed software applications and remove those not needed for operations. Many retail computer systems with pre-loaded operating systems come with toolbars, games, and adware installed, all of which can use excessive disk space and memory. These unnecessary applications can provide avenues for attackers to exploit a system.
- Install a firewall. Firewalls may be able to prevent some types of attack vectors by blocking malicious traffic before it can enter a computer system, and by restricting unnecessary outbound communications. Some device operating systems include a firewall. Enable and properly configure the firewall as specified in the device or system owner's manual. (See Understanding Firewalls for Home and Small Office Use.)
- Create and monitor block lists. Monitor industry reports of websites that are hosting, distributing, and being used for, malware command and control. Block the internet protocol addresses of known malicious sites to prevent devices from being able to access them.