Most malware is all about money, and last year’s rise in the value of cryptocurrencies created an incredible opportunity for malware authors. Rather than build botnet armies that they hoped to rent to spammers or distributed denial of service networks, they could build them to directly generate real money and cut out the middleman.
So, that’s what happened. Starting around the first of the year, global spam volumes dropped by nearly 50 percent as botnets around the world were repurposed as cryptominers.
Higher education IT resources have taken the brunt of this attack. A recent report from Vectra links 85 percent of cryptomining efforts to computers on college campuses. Here are five tips to handle this newest menace.
In-Browser Mining Poses a Challenge to Traditional Anti-Malware Tools
Everything you already know still applies — mostly. Cryptomining is just another kind of malware, so the tools you normally deploy to block and clean up malware infections are still helpful.
The difference is that in-browser cryptomining presents new challenges. Not every anti-malware tool can detect and block in-browser attacks. IT managers should review their anti-malware tool lists and work with software authors to be sure their preferred products offer the coverage they need for both traditional malware and in-browser mining tools.
Another gut punch: In-browser mining is cross-platform, which means that Mac OS X and Linux users are just as much at risk. In higher education, the combination of a high non-Windows population and a cultural bias against installing anti-malware tools on those platforms adds up to a big security hole.
IT managers may need to revisit their non-Windows anti-malware strategy to ensure Mac and Linux users are properly protected. If protection is mandatory, then auditing is in order; if protection is optional for student computers, this might be the time to launch a user education campaign about the dangers of malware.
Network Protections May Treat the Symptoms, but Not the Problem
Network-based protections treat symptoms, but don’t solve the problem. Cryptominers need to communicate with each other and with a Command and Control (C&C) center to mine effectively. Network-level protections disrupt that chain and block the conversion of electricity to cash.
The traditional strategy is to use network-based intrusion prevention systems to identify outbound connections to cryptomining domains, and then block or alert on that traffic. That approach still works — if the network IPS has added the approximately 2,000-plus browser-based cryptomining C&C domains and associated applications to its signature database. IT managers should review their network-based IPS protections to verify that in-browser mining C&C is being properly detected.
But remember that simply blocking access to the C&C domains doesn’t actually solve the malware problem. Systems are still infected, and users are still engaging in risky behaviors. An IPS block on C&C should be accompanied by an action, such as a notification or in-person visit (for smaller colleges) to help the user clean up an infected system.
In the case of intentional mining, notifications can help students understand the negative consequences of their actions to the institution, along with potential penalties for continued noncompliance.
It’s likely that many students don’t consider cryptomining a security problem, because they don’t understand how their PC can be instantly repurposed for more malicious tasks. Information security teams should regularly review IPS logs and combine the review with end-user notification about when and why a block occurred. That’s the best way to change user behaviors: Help them understand what’s wrong with their PCs and give them the information they need to solve the problem.
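The log review and end-user notification described above, as an added example that is not part of the original article or of any IPS vendor's tooling: the script parses a small set of constructed IPS alert lines in a generic key=value format (the format, the source addresses and the C&C domain names are all made up for illustration), matches the destination host against a block list by domain suffix so that subdomains of a listed C&C domain are caught, aggregates hits per campus host, and renders the per-user notice that explains when and why a block occurred.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed block list of cryptomining C&C domains. These are placeholders,
# not real indicators; in practice the list comes from the IPS signature feed.
MINING_CC_DOMAINS = {"miner-pool.example", "cryptojack.example", "pool-b.example"}

# Constructed IPS alert lines in a generic key=value format (not any vendor's format).
SAMPLE_LOG = """\
2018-03-01T08:12:03Z src=10.20.30.40 dst_host=ws.miner-pool.example action=block sig=CryptoMining-CnC
2018-03-01T08:12:09Z src=10.20.30.40 dst_host=ws.miner-pool.example action=block sig=CryptoMining-CnC
2018-03-01T08:13:00Z src=10.20.31.7 dst_host=www.library.example action=allow sig=-
2018-03-01T08:15:42Z src=10.20.31.7 dst_host=cdn.cryptojack.example action=alert sig=CryptoMining-JS
2018-03-01T09:01:15Z src=10.20.30.40 dst_host=api.pool-b.example action=block sig=CryptoMining-CnC
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_host=(?P<host>\S+) "
    r"action=(?P<action>\S+) sig=(?P<sig>\S+)$"
)


def is_mining_domain(host: str, blocklist: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Matching is done label by label, so 'notminer-pool.example' does not
    match 'miner-pool.example' the way a naive substring test would.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class HostReport:
    """Aggregated cryptomining C&C activity for one campus host (by source IP)."""
    src: str
    first_seen: str
    last_seen: str
    hits: int = 0
    domains: set = field(default_factory=set)


def parse_events(log_text: str, blocklist: set) -> dict:
    """Parse IPS lines and aggregate cryptomining C&C hits per source address."""
    reports = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole review
        try:
            ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # not a usable source address
        # A hit is either a listed C&C domain or a cryptomining signature match.
        if not (is_mining_domain(m["host"], blocklist) or m["sig"].startswith("CryptoMining")):
            continue
        report = reports.get(m["src"])
        if report is None:
            report = reports[m["src"]] = HostReport(m["src"], m["ts"], m["ts"])
        report.hits += 1
        report.last_seen = m["ts"]  # lines are assumed to be in time order
        report.domains.add(m["host"].lower())
    return reports


def build_notification(report: HostReport) -> str:
    """Render the end-user notice: when the blocks happened and why."""
    domains = ", ".join(sorted(report.domains))
    return (
        f"Host {report.src}: {report.hits} connection(s) to known cryptomining "
        f"command-and-control domains ({domains}) were blocked between "
        f"{report.first_seen} and {report.last_seen}. Connections like these "
        f"usually mean a browser-based miner or other malware is running on the "
        f"machine; please run a full anti-malware scan and contact the help desk "
        f"if the alerts continue."
    )


if __name__ == "__main__":
    for rep in parse_events(SAMPLE_LOG, MINING_CC_DOMAINS).values():
        print(build_notification(rep))
```

The suffix match is the part most easily gotten wrong: a plain substring check against a 2,000-entry list will both miss hosts like `ws.miner-pool.example` when only the apex is listed and false-positive on unrelated names that merely contain a listed string.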
Augment Cryptomining Defenses with Domain Name Service
Domain Name Service-based protections may be a good addition. DNS-based filtering services, such as OpenDNS and Quad9, advertise their ability to block connections to malicious domains.
To use them, IT managers configure the public resolvers into their Dynamic Host Configuration Protocol servers, possibly backed up by firewall rules to redirect noncompliant users who want to override the DHCP default DNS service.
In theory, these types of services would be perfect complements to network-based IPS, working in concert to block lookups of known cryptomining domains and malware sources.
In practice, there’s a lack of efficacy data and third-party testing showing coverage in areas such as cryptomining. DNS filtering has also been criticized by organizations such as the Internet Society for creating collateral damage and fragmentation of the internet. In environments such as higher education, DNS filtering can be a difficult tool to wield.
IT managers who have already chosen to implement DNS-based filtering should enable cryptomining categories for their campus. Where DNS filtering services are not already in place, local modifications, including adding known cryptomining domains to a local DNS block list in campus DNS resolvers, will help to reduce the impact of this malware.
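The local DNS block list mentioned above, as an added example that is not part of the original article: this script takes a list of known cryptomining domains (the domain names used here are constructed placeholders) and emits the two resolver-side formats a campus DNS team is most likely to need, a BIND Response Policy Zone (RPZ) and an Unbound `local-zone` stanza. It validates each name, deduplicates, and drops any entry already covered by a parent domain in the list, since the wildcard RPZ record for the parent (or the Unbound zone for it) already blocks the subdomain.

```python
import re

# Constructed block list (placeholders, not real indicators). Note that
# 'cdn.cryptojack.example' is redundant once 'cryptojack.example' is listed.
KNOWN_MINING_DOMAINS = [
    "miner-pool.example",
    "CDN.cryptojack.example",
    "cryptojack.example",
    "pool-b.example.",
    "miner-pool.example",      # duplicate, dropped
    "bad_label!.example",      # invalid, dropped
]

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_domain(name: str):
    """Lowercase, strip the trailing dot, and return None if the name is not a valid hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return None
    return name


def collapse(domains) -> list:
    """Validate, deduplicate, and remove entries covered by a listed parent domain."""
    clean = {d for d in (normalize_domain(x) for x in domains) if d}
    kept = []
    for d in sorted(clean):
        labels = d.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not (parents & clean):  # keep only if no ancestor is itself listed
            kept.append(d)
    return kept


def rpz_zone(domains, serial: int, zone_name: str = "rpz.campus.local") -> str:
    """Build a BIND RPZ zone file. 'CNAME .' is the RPZ action that returns NXDOMAIN."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone_name}. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for d in collapse(domains):
        lines.append(f"{d} CNAME .")       # the domain itself
        lines.append(f"*.{d} CNAME .")     # and every subdomain
    return "\n".join(lines) + "\n"


def unbound_config(domains) -> str:
    """Build an Unbound server: stanza; always_nxdomain answers NXDOMAIN for the zone and everything under it."""
    lines = ["server:"]
    for d in collapse(domains):
        lines.append(f'    local-zone: "{d}." always_nxdomain')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone(KNOWN_MINING_DOMAINS, serial=2018030101))
    print(unbound_config(KNOWN_MINING_DOMAINS))
```

Bump the SOA serial every time the list changes so secondary resolvers pick up the new zone, and keep the list's provenance with it: the article's caveat about collateral damage applies doubly to a locally maintained list, where a single over-broad entry (a shared CDN or hosting domain) can take a legitimate campus service offline.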