Cryptominer malware is stealthy and drags down network and device performance. Some simple tasks and basic tools can minimize its impact.

A friend recently traveled to Iceland and came back with the knowledge that the country is a key hub for Bitcoin mining due to its cheap thermal energy source. Your computer or your network's computers could also be an ideal spot for cryptomining. I know of individuals who were found to be running cryptomining software on customers' machines in violation of the firm's practices.

Cryptomining is the process of creating cryptocurrency units. Many of the popular cryptocurrencies are generated by solving mathematical problems that create units of currency. CPU cycles turn into money. This process is legal, but criminal cryptomining uses the power and CPU cycles of machines that attackers hijack to earn money.

Cryptojacking occurs when a malicious actor hijacks systems via web servers and web browsers. Malicious JavaScript is typically injected or planted into web servers so that when users visit a web page their browsers become infected, turning their computers into cryptominers. Can you detect and protect yourself from this activity? Absolutely. Let's start with the more passive ways to spot cryptominers on your network.

Monitor network performance

First, review the performance of systems on your network. End users might notice excessive CPU usage, changes in temperature, or faster fan speeds and report them to IT. This can be a symptom of improperly coded business applications, but it can also indicate hidden malware on systems. Set baselines for your systems so that you can spot anomalies more easily.

Don't rely on performance anomalies alone to identify impacted systems. Recent incidents have shown that attackers are limiting CPU demand on systems to hide their impact.
For example, a recent Microsoft Digital Defense Report noted the activities of Vietnamese threat group BISMUTH, which targeted private sector and government institutions in France and Vietnam. "Because cryptocurrency miners tend to be seen as lower-priority threats by security systems, BISMUTH was able to take advantage of the smaller alert profile caused by their malware to slip into systems unnoticed." As Microsoft noted in a blog post, BISMUTH avoided detection by "blending in" with normal network activity.

Review logs for unauthorized connections

How do you detect such stealthy malicious actors besides a misbehaving computer? Review your firewall and proxy logs for the connections they are making. Preferably, you should know exactly which locations and Internet addresses firm resources are authorized to connect to. If this process is too cumbersome, at least review firewall logs and block known cryptominer locations.

A recent Nextron blog post lists the typical cryptomining pools that they've seen in use. You can review firewall or DNS server logs to see if you are impacted. Search your logs for patterns that include *xmr.*, *pool.com, *pool.org and pool.* to see if anyone or anything is misusing your network. If your network is highly sensitive, limit connections to only those IP locations and addresses that are needed for your network. In this age of cloud computing, this can be hard to determine. Even keeping up with the IP addresses that Microsoft uses can be difficult. For example, you may need to adjust the list of authorized IP addresses when Microsoft adds new ranges for its Azure data centers.

Use cryptominer-blocking browser extensions

Some browser extensions will monitor for and block cryptominers. The No Coin and MinerBlocker solutions, for example, monitor for suspicious activity and block attacks. Both have extensions available for Chrome, Opera and Firefox.
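The log review described under "Review logs for unauthorized connections" above, as an added example that is not part of the original article: it scans resolver log lines for the four hostname patterns the article lists (*xmr.*, *pool.com, *pool.org, pool.*) and, for names that match none of them, checks a hypothetical allowlist of authorized destinations. The log format, the allowlist and the sample lines are constructed assumptions, not output of any real resolver.

```python
import re
# Hostname patterns the article suggests searching firewall or DNS logs for:
# *xmr.*  *pool.com  *pool.org  pool.*   (translated here into regexes)
MINING_POOL_PATTERNS = {
    "*xmr.*": re.compile(r"xmr\."),
    "*pool.com": re.compile(r"pool\.com$"),
    "*pool.org": re.compile(r"pool\.org$"),
    "pool.*": re.compile(r"(^|\.)pool\."),  # a DNS label that is exactly "pool"
}
# Hypothetical allowlist of destinations the firm has authorised (an assumption).
AUTHORIZED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "erp.internal")
# Constructed resolver log format: "<timestamp> <client IP> query <type> <name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\w+\s+(?P<name>\S+)$")

def is_authorized(name: str) -> bool:
    """True when the name is an authorised destination or a subdomain of one."""
    host = name.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in AUTHORIZED_SUFFIXES)

def review_dns_log(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, name, reason) for each query that matches a
    mining-pool pattern or falls outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        name = m["name"].rstrip(".").lower()
        for label, pattern in MINING_POOL_PATTERNS.items():
            if pattern.search(name):
                findings.append((m["ts"], m["client"], name, f"matches {label}"))
                break
        else:  # no pool pattern matched: fall back to the allowlist check
            if not is_authorized(name):
                findings.append((m["ts"], m["client"], name, "not in allowlist"))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-02T09:00:01Z 10.1.2.33 query A login.microsoft.com.",
    "2024-05-02T09:00:07Z 10.1.2.33 query A pool.minexmr.example.",
    "2024-05-02T09:01:12Z 10.1.2.48 query A eu.mining-pool.org",
    "2024-05-02T09:02:30Z 10.1.2.48 query A update.erp.internal",
    "2024-05-02T09:03:44Z 10.1.2.51 query A cdn.unknown-vendor.example",
]

if __name__ == "__main__":
    for ts, client, name, reason in review_dns_log(SAMPLE_LOG):
        print(ts, client, name, reason)
```

Queries that hit a pool pattern are reported first; everything else is only flagged when it is outside the allowlist, which mirrors the article's advice to at least block known pool locations even if a full allowlist is too cumbersome.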
Alternatively, you can block JavaScript from running in your browser, as malicious JavaScript applications are delivered through banner ads and other website manipulation techniques. Investigate whether blocking JavaScript can be done in your organization, because it may have a detrimental impact on some websites that you need for business reasons.

Consider Edge's Super-Duper Secure Mode

Edge is testing what Microsoft calls Super-Duper Secure Mode. It improves Edge's security by disabling just-in-time (JIT) compilation in the V8 JavaScript engine. Microsoft says bugs in JavaScript inside modern browsers are the most common vector for attackers. CVE data from 2019 shows that approximately 45% of attacks on V8 relate to JIT.

Disabling JIT compilation does impact performance, and tests conducted by Microsoft Browser Vulnerability Research showed some regressions. JavaScript benchmarks such as Speedometer 2.0 showed a significant decline of up to 58%. Despite that, Microsoft says users do not notice the performance decrease because that benchmark "tells only part of a larger story" and users rarely notice a difference in their daily use.

Look at cryptomining from the standpoint of external as well as insider threats. Your network or, if you're a managed service provider, your clients' networks might be a temptation that internal users wanting to mine cryptocurrency are not willing to pass up. Review your options to proactively protect yourself from potential attacks.