System slowdown? It may be cryptojacking
The danger to large organizations of having their computing power hijacked by surreptitious hijackers has been highlighted by the experiences of Nova Scotia-based St. Francis Xavier University.
The Canadian institution was forced to shut down its entire campus-wide network after IT staff discovered that hackers had installed Bitcoin mining software on the University’s servers.
In a statement, the University technical team said it had “purposefully disabled all network systems in response to what we learned to be to be an automated attack on our systems known as ‘crytpocoin mining'”.
Because of the shutdown, all networked systems were taken offline, including internet access, website, e-commerce and information systems.
Please be aware that ITS has identified evidence of an attempted cyber-attack and will continue to keep systems offline as they methodically analyze and test each system. There is no estimate yet as to when the system will be restored. @TheUOfficial
— StFX University (@stfxuniversity) November 1, 2018
The consequences of such events for large organizations and businesses from so-called crypto-jacking are clear, therefore. And while in such attacks the aim of the bad actors is not to exfiltrate sensitive data, once installed, the cryptojacking code can have a deleterious effect on networked systems – and one that’s often difficult to detect.
Bitcoin is an unusual cryptocurrency in this type of event: typically a more anonymous currency would be the choice, such as Monero.
Security teams need to take specific measures to identify the effects of a successful installation of cryptojacking routines, such as examining DNS lookup logs (addresses containing ‘pool’ or ‘mine’, as a starting point, for example) and outgoing traffic on multiple non-standard ports (pools often use different ports according to the predicted speed of mining rigs).
Some currencies, such as Monero, mask mining activity over the local network by means of an overlay protocol, plus affected machines will often communicate via proxies – which security teams will already know can be troublesome to track and monitor locally.
For many businesses and affected organizations, the first clue of mining activity will be a significant slowdown in computer performance, as processor cycles are directed towards mining activities, and away from core tasks. Clearly, intelligent attackers know that this can be an obvious calling-card, so will throttle their own malware’s activities to a small percentage of overall machine capability – say, 20 percent.
This level of effect can be difficult to pinpoint, therefore, due to variations in demand on- and off-peak, and extraneous overheads which might include backups, system maintenance or updates, or factors which cause slowdowns but are not caused by compromised systems, such as routing problems.
Cryptojacking remains a popular choice for hackers, due to the cost of cryptocurrency mining. In fact, a recent paper in Nature has highlighted that Bitcoin mining costs are now higher, dollar-for-dollar, than aluminum, copper, gold and platinum.
One dollar’s worth of Bitcoin mining uses approximately 17 megajoules of energy to mine, paid for in electricity and infrastructure costs. This is compared with four, five and seven megajoules for copper, gold and platinum, respectively.
The paper, which presents the results of research by the Oak Ridge Institute in Cincinnati, also states that some mining activities are more damaging, ecologically than others.
“Any cryptocurrency mined in China would generate four times the amount of CO2 compared to the amount generated in Canada,” the researchers stated.