Miners in your office

Cybercriminals may use your resources for cryptocurrency mining. How you can prevent it.

As you may have heard, mining on your own resources is not the most profitable business. It is risky to invest in home mining farms, and no one really wants to pay for the electricity. Therefore, mining adepts increasingly try to use someone else’s equipment for it.

The damage from their actions is obvious. First, the equipment overheats, and therefore breaks down faster. Second, constant lags slow business processes. Finally, why should you pay someone else’s electricity bills?

Methods of mining on someone else’s equipment

Let’s leave aside for the moment extreme incidents such as the recent one in China in which a local resident laid a cable along the floor of fishponds and stole electricity for mining directly from an oil-producing plant. Yes, that’s a problem, but it’s in the realm of physical security, not informational. Without going into details on the specific tools, miners employ one of three methods to reappropriate resources for cryptomining:

Web mining

All attackers need to do to rope in your resources is run a malicious process in your browser, so Web mining is naturally quite widespread. Usually the crooks inject malicious scripts into frequently visited sites or into advertisement banners and then use computer resources for their own enrichment.

It is unlikely that someone will use Web mining against a particular company. However, your employees can go to a benign website and unwittingly provide attackers with the means to access your resources. Last year, for example, advertising banners with mining scripts were spotted on YouTube.

Malicious mining

A malware infection is hardly news, these days. Except this time, the intruders aren’t encrypting or stealing data, just quietly mining cryptocurrency. And with the only indicator being a drop in computer performance, the infection can remain hidden for a long time.

The means of infection are standard: phishing e-mails and links, software vulnerabilities, and so on. Sometimes attackers infect servers, which increases their profits (and your losses). Sometimes they manage to infect information kiosks and electronic scoreboards, where miners can work for years without attracting any attention.

Insider mining

Miners working from within are the most dangerous. Unscrupulous employees can deliberately install and launch mining programs on your equipment. It is dangerous, first of all, because it’s hard for software to automatically categorize such a process as malicious. After all, a legitimate user started it manually.

Of course, for cybercriminal the safest way is to launch a miner in the network of a small company, where it is less likely to be noticed). However, even government organizations can suffer from the actions of such intruders. A month ago, a government employee was convicted in Australia for taking advantage of his official position to use government computing systems for mining.

How to spot mining?

The first symptom is lags. If a computer’s resources are occupied by cryptomining, then other processes will work significantly slower than they should. As indicators go, this one is quite subjective. Machines have differing speeds naturally, but with a cryptominer installed, the sudden drop in performance should be noticeable.

The second is temperature. Overloaded processors emit significantly more heat, so cooling systems start to make more noise. If the fans in your computers suddenly begin to whir more noisily than usual, that may be a sign.

However, the safest method is to install a security solution that can accurately determine whether someone is mining on your equipment.

How to save your resources from miners?

A reliable instrument for help against all three methods is Kaspersky Endpoint Security for Business. The Web control subsystem will reveal the miner on the opened website, and the technologies we use to detect and counter malware will not allow cybercriminals to install a mining Trojan. Insider mining is a bit more complicated — administrator intervention is required.

Because applications of this class are not necessarily malicious, they are categorized as “potentially unwanted.” Therefore, the admin will have to prohibit the use of potentially dangerous software at the company level and add necessary tools (such as remote access tools) as exceptions.