sbradley
Contributing Writer

How to spot and block cryptominers on your network

Feature
Nov 10, 2021 | 4 mins
Malware, Network Security

Cryptominer malware is stealthy and drags down network and device performance. Some simple tasks and basic tools can minimize its impact.


A friend recently traveled to Iceland and came back with the knowledge that the country is a key hub for Bitcoin mining due to its cheap thermal energy source. Your computer or your network’s computers could also be an ideal spot for cryptomining. I know of individuals who were found to be running cryptomining software on customers’ machines in violation of the firm’s practices.

Cryptomining is the process of creating cryptocurrency units. Many of the popular cryptocurrencies are created by solving mathematical problems, so CPU cycles turn into money. This process is legal, but criminal cryptomining hijacks other people’s machines and uses their power and CPU cycles to earn money for the attacker.

Cryptojacking occurs when a malicious actor hijacks systems via web servers and web browsers. Malicious JavaScript is typically injected or planted into web servers so that when users visit a web page their browsers become infected, turning their computers into cryptominers.

Can you detect and protect yourself from this activity? Absolutely. Let’s start with the more passive ways to spot cryptominers on your network.

Monitor network performance

First, review the performance of systems on your network. End users might notice excessive CPU usage, changes in temperature, or faster fan speeds and report them to IT. This can be a symptom of improperly coded business applications, but it also can indicate hidden malware on systems. Set performance baselines for your systems to better spot anomalies.

Don’t rely on performance anomalies alone to identify impacted systems. Recent incidents have shown that attackers are limiting CPU demand on systems to hide their impact. For example, a recent Microsoft Digital Defense Report noted the activities of Vietnamese threat group BISMUTH, which targeted private sector and government institutions in France and Vietnam. “Because cryptocurrency miners tend to be seen as lower-priority threats by security systems, BISMUTH was able to take advantage of the smaller alert profile caused by their malware to slip into systems unnoticed.” As Microsoft noted in a blog post, BISMUTH avoided detection by “blending in” with normal network activity.

Review logs for unauthorized connections

How do you detect such stealthy malicious actors besides a misbehaving computer? Review your firewall and proxy logs for connections they are making. Preferably, you should know exactly what locations and Internet addresses firm resources are authorized to connect to. If this process is too cumbersome, at least review firewall logs and block known cryptominer locations.

A recent Nextron blog post indicates the typical cryptomining pools that they’ve seen in use. You can review firewall or DNS server logs to see if you are impacted. Review your logs for patterns that include *xmr.* *pool.com *pool.org and pool.* to see if anyone or anything is misusing your network. If you have a network that is highly sensitive, limit connections to only those IP locations and addresses that are needed for your network. In this age of cloud computing, this can be hard to determine. Even following the IP addresses that Microsoft uses can be hard to keep up with. For example, you may need to adjust the list of authorized IP addresses when Microsoft adds new ranges for its Azure data centers.
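As an added example (not from the article or from Nextron), the log review described above can be scripted: the four shell-style patterns from the text are applied to queried names in a constructed DNS log, with an allowlist because `pool.*` also matches legitimate NTP pools. The log format, the `.example` hostnames and the allowlist entries are all assumptions.

```python
from fnmatch import fnmatchcase

# Shell-style patterns named in the article: *xmr.*, *pool.com, *pool.org, pool.*
MINER_PATTERNS = ("*xmr.*", "*pool.com", "*pool.org", "pool.*")

# Hosts that legitimately match "pool.*" (assumption: tune this to your environment).
# Without an allowlist, NTP pool lookups would be flagged as cryptomining.
ALLOWLIST = ("pool.ntp.org",)

# Constructed sample DNS log (not real data). Assumed format per line:
# "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2021-11-10T09:00:01Z 10.1.2.40 www.example.com
2021-11-10T09:00:05Z 10.1.2.41 pool.ntp.org
2021-11-10T09:00:09Z 10.1.2.42 xmr.pool.example
2021-11-10T09:00:12Z 10.1.2.43 eu.minerpool.com
2021-11-10T09:00:15Z 10.1.2.44 pool.example.net
2021-11-10T09:00:20Z 10.1.2.45 updates.example.org
"""


def is_suspicious(name):
    """True if a queried name matches a miner pattern and is not allowlisted."""
    name = name.lower().rstrip(".")  # normalise case and trailing dot
    if name in ALLOWLIST:
        return False
    return any(fnmatchcase(name, pattern) for pattern in MINER_PATTERNS)


def find_suspicious_queries(log_text):
    """Return (client_ip, queried_name) for every log line that matches a miner pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        _timestamp, client_ip, name = parts[:3]
        if is_suspicious(name):
            hits.append((client_ip, name))
    return hits


if __name__ == "__main__":
    for client_ip, name in find_suspicious_queries(SAMPLE_DNS_LOG):
        print(f"review host {client_ip}: queried {name}")
```

Each flagged client is a host to inspect for unexpected CPU load or unknown processes, not proof of mining; the patterns are broad by design and the allowlist should grow as you confirm legitimate matches.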

Use cryptominer-blocking browser extensions

Some browser extensions will monitor for and block cryptominers. The No Coin and MinerBlocker solutions, for example, monitor for suspicious activity and block attacks. Both have extensions available for Chrome, Opera and Firefox. Alternatively, you can block JavaScript from running in your browser as malicious JavaScript applications are delivered through banner ads and other website manipulation techniques. Investigate if blocking JavaScript can be done in your organization, because it may have detrimental impact to some websites that you need for business reasons.

Consider Edge’s Super-Duper Secure Mode

Edge is testing what Microsoft calls Super-Duper Secure Mode. It improves Edge’s security by disabling just-in-time (JIT) compilation in the V8 JavaScript engine. Microsoft says bugs in JavaScript inside modern browsers are the most common vector for attackers. CVE data from 2019 shows that approximately 45% of attacks on V8 relate to JIT.

Disabling JIT compilation does impact performance, and tests conducted by the Microsoft Browser Vulnerability Research team showed some regressions. JavaScript benchmarks such as Speedometer 2.0 showed a significant decline of up to 58%. Despite that, Microsoft says users do not notice the performance decrease because that benchmark “tells only part of a larger story” and users rarely notice a difference in their daily use.

Look at cryptomining from the standpoint of external as well as insider threats. Your network or, if you’re a managed service provider, your clients’ networks might be a temptation that internal users wanting to mine cryptocurrency are not willing to pass up. Review your options to proactively protect yourself from potential attacks.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
