In the world of healthcare security, there are always new threats to replace the old, keeping IS professionals on their toes and creating the need for improved controls and mitigation strategies to keep both organizations and patients safe. Over the past couple of years, security leaders have spent a lot of time and energy combating the rise of ransomware. Now, that threat is in decline and a new threat is emerging: cryptojacking.
Cryptocurrencies like bitcoin, Monero and others rely on blockchain technology to keep an immutable ledger of all of the transactions that take place, which is an attractive and necessary feature of these digital currencies. The blocks in the ledgers are encrypted, and the necessary mathematical computations require a lot of processing power. Some of these digital currencies will pay for the processing required to build and verify the blockchain, a process called cryptomining.
For willing participants, cryptomining is a way to make money, but because it takes a lot of processing power — and because the cryptocurrency may only pay small amounts for each block of work completed — the ability to do this computation at scale is important.
With cryptojacking, threat actors place cryptomining software on as many computing devices as possible in order to maximize profit. The attackers employ many of the same techniques used to distribute ransomware. If someone has infected 100,000 devices, and each device can generate 25 cents per day, that’s not a bad return for a day of doing nothing.
Cryptomining: A Parasitic Infection That Strangles Productivity
For some, it may seem like a relatively benign attack; after all, a cryptojacker is just using unused processor time. However, organizations not only pay for the energy the process consumes; their computing resources can also slow down dramatically, overheat or even halt production as a result.
Furthermore, once cryptomining software has been installed on a device, that device is considered compromised. The cryptomining software could even accompany other malware with worse intentions. Think of it as a widely distributed parasitic infection shared by millions, but not everyone is aware of the symptoms.
Healthcare Organizations Should Watch for IT Overload
Because it runs in the background, and ideally when the processor is relatively idle, cryptojacking can be difficult to identify. The most obvious signs of a cryptominer in operation are related to performance (such as unknown processes taking up an unusual amount of CPU time) or excessive heat build-up (which can cause devices to shut down or even fail completely).
Unlike application-specific integrated circuits built for cryptomining, the general-purpose CPUs and GPUs in an organization's devices will overload if pushed too hard by one of these programs. If enough devices are compromised, an organization will also see its electric bill increase.
Still, more sophisticated attacks manage resources in such a way as to stay undetected. The code is often heavily obfuscated, making it even more difficult to understand what the program is doing.
Spread the Word About Cryptomining
Security awareness programs can serve as a primary vehicle for getting the word out. Because cryptojacking exploits many of the same attack vectors as ransomware, the time an organization has already spent training staff about security issues provides a solid foundation. Remember, however, that cryptojacking, unlike other system attacks, is indifferent to file contents, and its goal is not extortion. Cryptojackers want access to computational resources; that can mean any internet-connected device containing a CPU. Mining software can be installed on IoT devices, network devices and mobile devices, and can also run inside a company's browser software.
The National Cybersecurity and Communications Integration Center offers basic advice on how organizations can protect themselves from cryptojacking. While it should go without saying, it’s worth repeating: deploy anti-virus software and firewalls, and keep operating systems patched and up to date. Never install a new device on the network without changing its default password.
Know Your System to Better Detect Infections
Browser-based miners may even be employed by websites as a substitute for advertising. When users visit these sites, their browser is used to mine currency. In a nonpersistent version, mining takes place only while the user is on the site; others, however, may employ persistence and continue to use resources even after the user has left the site. Because cryptojacking is difficult to detect, the best action an organization can take is to understand what its normal traffic and CPU activity look like. If things slow down, cryptojacking could be involved.
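The baselining approach described here and the performance signs noted above (unknown processes taking unusual CPU time), as an added example that is not from the original article: a small Python detector that learns each process's normal CPU use over a quiet window, then flags sustained deviations and never-before-seen processes. Host names, process names and the telemetry samples are constructed.

```python
# Added example (not from the original article): baseline-and-deviation check for
# the advice to know what normal CPU activity looks like. Each sample is
# (time, host, process, cpu_percent). Host names, process names and values are
# constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev

def learn_baseline(samples):
    """Return {(host, process): (mean_cpu, stdev_cpu)} over the learning window."""
    by_key = defaultdict(list)
    for _t, host, proc, cpu in samples:
        by_key[(host, proc)].append(cpu)
    return {k: (mean(v), pstdev(v)) for k, v in by_key.items()}

def detect_sustained(samples, baseline, min_run=3, margin=20.0):
    """Flag (host, process) pairs whose CPU% exceeds baseline for min_run samples in a row.

    Threshold is mean + max(margin, 3 * stdev); a process never seen during
    learning has no baseline and is judged against the bare margin, which is
    the 'unknown process using unusual CPU time' case. One transient spike
    resets the run and is not reported, so ordinary bursts stay quiet."""
    runs = defaultdict(int)
    alerts = set()
    for _t, host, proc, cpu in sorted(samples):
        key = (host, proc)
        mu, sd = baseline.get(key, (0.0, 0.0))
        if cpu > mu + max(margin, 3 * sd):
            runs[key] += 1
            if runs[key] >= min_run:
                alerts.add(key)
        else:
            runs[key] = 0
    return sorted(alerts)

# Constructed learning window: one workstation during an ordinary shift.
LEARNING = ([(t, "ws-01", "chrome.exe", 5.0 + t % 3) for t in range(10)]
            + [(t, "ws-01", "emr-client.exe", 12.0) for t in range(10)])

# Constructed detection window: the EMR client has one harmless spike, the
# browser is pegged for the whole window, and a never-seen process appears.
OBSERVED = ([(t, "ws-01", "emr-client.exe", 90.0 if t == 12 else 13.0) for t in range(10, 16)]
            + [(t, "ws-01", "chrome.exe", 85.0) for t in range(10, 16)]
            + [(t, "ws-01", "unknown-proc", 95.0) for t in range(10, 16)])

def run_example():
    """Return the alerts raised on the constructed detection window."""
    return detect_sustained(OBSERVED, learn_baseline(LEARNING))

if __name__ == "__main__":
    for host, proc in run_example():
        print(f"sustained high CPU: {proc} on {host}")
```

In practice the learning window would come from an endpoint agent or performance-counter export taken during known-good hours, and the margin and run length would be tuned per device class.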
A proactive approach to detection may identify traffic associated with cryptojacking, but that can be tricky too. Unlike ransomware, there is no command and control involved, and the messages exchanged are relatively short. Once inside a system, a cryptominer simply does its job. Periodically — and unpredictably — it needs to retrieve new work units to process, and every once in a while it will send work product back. These mining programs can live undetected on systems for a very long time and depend on stealth to survive.
Defending against cryptojacking will be a growth area for vendors whose specialty is watching for network anomalies. Furthermore, the complexity makes this type of work a great candidate for the application of artificial intelligence. It will be interesting to watch this battle evolve.