{"id":386871,"date":"2021-12-28T22:46:07","date_gmt":"2021-12-28T19:46:07","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-detect-and-defeat-cryptominers-in-your-network-cloudsavvy-it\/"},"modified":"2021-12-28T22:46:07","modified_gmt":"2021-12-28T19:46:07","slug":"how-to-detect-and-defeat-cryptominers-in-your-network-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-detect-and-defeat-cryptominers-in-your-network-cloudsavvy-it\/","title":{"rendered":"#How to Detect and Defeat Cryptominers in Your Network \u2013 CloudSavvy IT"},"content":{"rendered":"
<p><strong>&#8220;#How to Detect and Defeat Cryptominers in Your Network \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-15098\" data-pagespeed-lazy-srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/12\/d9e2f0cd.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/12\/d9e2f0cd.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" 
src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/12\/d9e2f0cd.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1200\" height=\"675\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/bitcoin-defi-digital-cryptocurrency-symbol-on-772731355\">Chinnapong\/Shutterstock<\/a><\/span><\/figcaption><\/figure>\n<p>Mining for cryptocurrency isn\u2019t illegal. But using a computer or network to do so without permission is. Here\u2019s how to tell if someone is cryptojacking your resources for their own benefit.<\/p>\n<h2 id=\"cryptocurrencies-and-the-need-to-mine\"><span class=\"ez-toc-section\" id=\"Cryptocurrencies_and_the_Need_to_Mine\"><\/span>Cryptocurrencies and the Need to Mine<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The virtual tokens that cryptocurrencies use as coins are minted when a large number of very complex mathematical problems have been solved. The computational effort required to solve these problems is enormous.<\/p>\n<p>It\u2019s a collaborative effort, with many computers linked together to form a distributed processing platform called a pool. Solving the mathematical problems\u2014or contributing to their solution\u2014is called mining. Recording transactions made with the cryptocurrency, such as purchases and payments, also requires mining. The reward for mining is a small amount of the cryptocurrency.<\/p>\n<p>As time goes by, it becomes harder to mint new coins. Each cryptocurrency will mint a predetermined number of coins over the life of the currency. 
As more and more coins are created, and fewer new coins are left to create, the effort required to mine and mint new coins increases. Long gone are the days when it was possible to make money by cryptomining on a small scale. The amount of electricity you use wipes out your small cryptocurrency profit.<\/p>\n<p>Profitable cryptomining requires specialist rigs and even entire farms of machines. The hardware costs must be recouped and the running costs permanently offset, so even then it isn\u2019t all free money. Unless, of course, you\u2019re using someone else\u2019s computing resources to perform your mining. Using someone else\u2019s IT resources without permission is a crime, but that\u2019s no deterrent to the cybercriminals.<\/p>\n<p>Using phishing attacks or infected websites, they can easily install cryptomining malware without your knowledge, and poach your electrical power and CPU cycles. Another way they cryptomine on your dime is to infect websites so that visitors\u2019 browsers join a cryptomining pool and run JavaScript cryptomining scripts. Whichever method the threat actors employ, it\u2019s called cryptojacking and it lets them make a profit while you face higher utility bills and reduced performance.<\/p>\n<p>Because they try to compromise as many computers as possible across as many organizations as possible, their pool of computers becomes large and powerful. 
That power means they can materially contribute to the mining processes and get rewarded.<\/p>\n<p><strong>RELATED:<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/211694\/cryptocurrency-miners-explained-why-you-dont-want-this-junk-on-your-pc\/\"><strong><em>Cryptocurrency Miners Explained: Why You Really Don&#8217;t Want This Junk on Your PC<\/em><\/strong><\/a><\/p>\n<h2 id=\"large-scale-mining\"><span class=\"ez-toc-section\" id=\"Large-Scale_Mining\"><\/span>Large-Scale Mining<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Cryptomining has even been used by Advanced Persistent Threat groups and other state-sponsored threat actors. Microsoft has <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/click.linksynergy.com\/deeplink?id=2QzUaswX1as&amp;mid=24542&amp;u1=csit\/15087&amp;murl=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F11%2F30%2Fthreat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them%2F\">described in a security blog<\/a> how one state-sponsored cyber-espionage group has added cryptojacking to its usual forms of cybercriminal activity.<\/p>\n<p>They have conducted widespread attacks in France and Vietnam, deploying cryptominers to mine the popular cryptocurrency Monero. Mining cryptocurrency on a huge scale like this guarantees it will be profitable.<\/p>\n<h2 id=\"how-to-spot-cryptomining\"><span class=\"ez-toc-section\" id=\"How_To_Spot_Cryptomining\"><\/span>How To Spot Cryptomining<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you or your users notice a drop in performance of computers or servers, and those machines have a constant high CPU load and fan activity, that might be an indication that cryptojacking is taking place.<\/p>\n<p>Sometimes poorly written and badly tested operating system or application patches can have adverse effects that share the same symptoms. 
But if you\u2019re seeing a sudden, widespread rise in the number of affected computers and there haven\u2019t been any scheduled patches rolled out, it\u2019s likely to be cryptojacking.<\/p>\n<p>Some of the smarter cryptojacking software limits its CPU load when it notices a certain threshold of legitimate user activity. This makes it harder to spot, but it also introduces a new indicator. If the CPU and fans go higher when nothing or very little is happening on the computer\u2014the exact opposite of what you\u2019d expect\u2014then it is likely to be cryptojacking.<\/p>\n<p>Cryptojacking software can also attempt to blend in by pretending to be a process that belongs to a legitimate application. It can use techniques such as DLL sideloading, where a malicious DLL replaces a legitimate DLL. The DLL is called by a\u00a0<em>bona fide<\/em>\u00a0application when it launches, or by a <em>doppelg\u00e4nger<\/em> application that has been downloaded behind the scenes.<\/p>\n<p>Once it is called, the fraudulent DLL launches a cryptomining process. If the high CPU load is noticed and investigated, it appears that a legitimate application is misbehaving and performing in an adverse fashion.<\/p>\n<p>With such measures being taken by the malware authors, how can you recognize cryptojacking for what it is, and not mistake it for an errant but \u201cnormal\u201d application?<\/p>\n<p>One way is to review logs from network devices such as firewalls, DNS servers, and proxy servers and look for connections to known cryptomining pools. Obtain lists of the pool endpoints that cryptominers connect to, and block them. For example, these patterns will block the majority of Monero cryptomining pools:<\/p>\n<ul>\n<li>*xmr.*<\/li>\n<li>*pool.com<\/li>\n<li>*pool.org<\/li>\n<li>pool.*<\/li>\n<\/ul>\n<p>Wildcards this broad will also match unrelated hostnames, so review what they match in your own logs before enforcing a block. The converse of this tactic is to allow external connections only to known-good endpoints, but with a cloud-centric infrastructure that is significantly harder. 
It\u2019s not impossible, but it will require constant review and maintenance to make sure legitimate assets are not blocked.<\/p>\n<p>Cloud providers can make changes that impact how they are seen from the outside world. Microsoft helpfully maintains a list of all the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/click.linksynergy.com\/deeplink?id=2QzUaswX1as&amp;mid=24542&amp;u1=csit\/15087&amp;murl=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D56519\">Azure IP address ranges<\/a>, which it updates weekly. Not all cloud providers are so organized or considerate.<\/p>\n<h2 id=\"blocking-cryptomining\"><span class=\"ez-toc-section\" id=\"Blocking_Cryptomining\"><\/span>Blocking Cryptomining<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Most popular browsers support extensions that can block cryptomining in the web browser. Some ad-blockers have the ability to detect and stop JavaScript cryptomining processes from executing.<\/p>\n<p>Microsoft is experimenting with a new feature in its Edge browser, code-named\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/microsoftedge.github.io\/edgevr\/posts\/Super-Duper-Secure-Mode\/\">Super Duper Secure Mode<\/a>. This shrinks the browser\u2019s attack surface hugely by completely turning off Just-in-Time (JIT) compilation in the V8 JavaScript engine.<\/p>\n<p>This slows down performance\u2014on paper at least\u2014but removes a considerable layer of complexity from the browser. Complexity is where bugs slip in. And bugs lead to vulnerabilities that, when exploited, lead to compromised systems. Many testers are reporting no noticeable slowdown in their use of the test release versions of Edge. Your mileage may vary, of course. If you habitually use very intensive web apps, you\u2019d likely see some sluggishness. 
But most people would choose security over small performance gains every time.<\/p>\n<h2 id=\"as-usual\"><span class=\"ez-toc-section\" id=\"As_Usual%E2%80%A6\"><\/span>As Usual\u2026<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Prevention is better than cure. Good cyber hygiene starts with education. Make sure your staff can recognize typical phishing attack techniques and tell-tale signs. Make sure they feel comfortable raising concerns and encourage them to report suspicious communications, attachments, or system behaviors.<\/p>\n<p>Always use two-factor or multi-factor authentication where available.<\/p>\n<p>Award network privileges using the principle of least privilege. Allocate privileges so that individuals have the access and freedom to perform their role and no more.<\/p>\n<p>Implement email filtering to block phishing emails and emails with suspicious characteristics, such as spoofed From addresses. Different systems have different capabilities, of course. If your email platform can check links in email body texts before the user can click them, so much the better.<\/p>\n<p>Check your firewall, proxy, and DNS logs and look for inexplicable connections. Automated tools can help with this. Block access to known cryptomining pools.<\/p>\n<p>Prevent the automatic execution of macros and installation processes.<\/p>\n<\/div>\n
<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/15087\/how-to-detect-and-defeat-cryptominers-in-your-network\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Detect and Defeat Cryptominers in Your Network \u2013 CloudSavvy IT&#8221; Chinnapong\/Shutterstock Mining for cryptocurrency isn\u2019t illegal. But using a computer or network to do so without permission is. Here\u2019s how to tell if someone is cryptojacking your resources for their own benefit. 
Cryptocurrencies and the Need to Mine The virtual tokens that cryptocurrencies&#8230;<\/p>\n","protected":false},"author":1,"featured_media":386872,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/12\/d9e2f0cd.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-386871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/386871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=386871"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/386871\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/386872"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=386871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=386871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=386871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}