How to protect your endpoints from “creepy crypto miners”

Here’s what’s creepy about cryptocurrency mining threats. It can lead to the slow death of your computers – capable of literally melting smartphones in some cases – by overworking the CPU beyond its normal capacity. It can trigger massive spikes in your electric bill. It is capable of taking productivity (even mission-critical operations) down to a tailspin as system performance gets extensively degraded. It can compromise the security of sensitive data on your systems. Worse, all of these can go on unnoticed for long periods of time. Your endpoints are at risk. So, the question then becomes, “How do you protect them from the crippling effects of unwanted cryptocurrency mining (crypto mining)?”


The Threat of Illicit Crypto Mining

Money Matters When It Comes to Crypto Mining

For cybercriminals, what’s not to like about crypto mining? Unlike ransomware, it is stealthier and can be harder to detect – without all the hassle of demanding ransoms. Besides, a steady revenue stream can be extremely promising, especially when thousands of systems are pooled together. Here’s how.

When mining for cryptocurrency, the average personal device can generate about $0.25 a day. Not a lot until you start pooling systems together, then your money-making potential skyrockets fast. Your gain rises drastically more when hash rate – the speed at which a given mining machine operates – and power consumption surge. In one campaign seen by Cisco Talos, an attacker was generating about $704 daily or $257,000/year using exploited endpoints. Five other related illicit campaigns were spotted at the same time, collectively amassing over $1 million. With illicit crypto mining,­­­ churning real profits without the messy maintenance typically found in other forms of cybercrimes, you can bet we are going to see more in the future.

Attack Vectors: How Malicious Crypto Mining Can Get Onto Your Endpoints

Threats from crypto mining can reach your end users in multiple ways, including: email spam campaigns, exploit kits and rouge browser content/extensions. These real-life accounts of activities associated with cryptocurrency mining show you where to keep a watchful eye on:

  • Email. An attacker launched an email campaign spoofing a job application. The email contained a Word document appearing to be a resume, enticing the receiver to enable macro content. Doing so triggers the download of the Monero miner.
  • Exploits. Malicious crypto mining activities were seen leveraging vulnerabilities in technologies like Adobe Flash, while others use malware delivery channels like smokeloader, a part of the RIG The significance of this exploit is its ability to run for months (if not years) on infected systems. Further, if an exploit has already been exposed why not use it? Case and point, EternalBlue, used to exploit vulnerabilities in SMB for the well-known Ransomware campaign WannaCry, is now being used to launch illicit crypto mining processes.
  • Fileless and other modes. Attackers resort to other infection vehicles like code injection by exploiting browser plug-in vulnerabilities, trusted system processes, and websites that embed JavaScript. This allows for crypto mining in the web browser.


Prevention, Detection, and Response

Don’t Be a Victim: Three Ways to Protect Your Endpoints

Attackers go after various targets, using different methods of infection. So, make sure to guard against crypto mining threats targeting vulnerable devices. Use practices and tools to help you prevent, detect, and respond to unwanted crypto mining at the endpoints.

Prevent: Block Crypto Mining Threats

With computing resources as a valued target, crypto mining attacks ultimately creep onto the endpoint where those treasured assets are hosted. Therefore, blo­­­cking and preventing those hard to spot crypto mining threats before they get to your endpoints is essential. You can do this by leveraging various preventative engines beyond traditional signature-based antivirus, and applying advanced capabilities like fileless/in-memory exploit prevention, and advanced sandboxing to name a few.

Detect: Continuously Monitor for Malicious Crypto Miners

We know that threats and attacks can’t be prevented 100% of the time. So, it’s important to have visibility into what happens after a file has successfully entered your business environment. You can do this by continuously monitoring and analyzing file, process, and command line activity on the endpoint. This is where the ability to correlate disparate events and send alerts when crypto mining activity is detected becomes crucial. Alerts must be correlated and triggered based on behavior related to propagation as an attacker (or the payload) tries to move through the network, establishing persistence, and making outbound connections to the cryptominer’s infrastructure.

Respond: Stop the Threat at Its Tracks

When the presence of unwanted cryptominers is detected on your endpoints, responding rapidly to contain the threat becomes imperative. Here’s when you need your threat responses to be automated, blocking malicious connections emanating from all endpoints. This surgical approach to containing illicit crypto mining minimizes any associated collateral damage to the business.


How Cisco Can Help Protect Your Endpoints From Crypto Mining Threats

When you’re up against malicious cryptocurrency mining, traditional protection doesn’t cut it. Cisco’s next-generation endpoint security solution, AMP for Endpoints, prevents, detects and responds to malicious crypto mining and other threats that legacy solutions miss. For years, AMP for Endpoints has been scanning and blocking files at the point of entry, running every file through multiple layers of protection and detection engines – employing more advanced techniques like behavior-based detection, dynamic file analysis, machine learning based detection, and exploit prevention to name a few – to stop the plethora of threats.

However, as threats evolve and get even more clever, some of them evade these safeguards. Uniquely fit for this challenge, AMP for Endpoints is continuously monitoring files on your endpoints. If and when that file begins to show suspicious behavior, like in the case of malicious crypto mining activity, AMP for Endpoints will not only retrospectively quarantine the offending files but will deliver the full history of the threat, showing you exactly how the file got in, all the places it has been, and every account of all of its activities – automatically!  AMP for Endpoints does the heavy lifting on your behalf. It automatically delivers a comprehensive account and detailed timeline of the threat fast, drastically slashing the time that you would usually burn investigating a threat and applying remedies to affected systems. Intelligence gained from this threat is shared with the AMP cloud, updating all other Cisco security products within your environment. This distinctive approach allows you to see a threat once, and automatically block it in all places.

Get started for FREE today with Cisco AMP for Endpoints to stop unwanted crypto mining at its tracks – with a NSS Labs recommended next generation endpoint security solution.



Gedeon Hombrebueno

Product Marketing

Endpoint Security