Exabeam’s research report details the latest insider threat, plus how to detect and combat it
Exabeam’s newly released research looks inside the hidden world of cryptocurrency mining by malicious insiders. The report also provides recommendations on what organizations can do to protect themselves from such shadow mining.
What is crypto mining?
The Lehman Brothers bankruptcy in the fall of 2008 triggered economic turmoil and a global Great Recession few of us will forget. It also spawned a too-big-to-fail policy that governments used to justify the bailout of banks. This appears to have motivated the development of an innovation proposed as an alternative to an unstable banking system.
It was a distributed, non-state-controlled digital medium of exchange and store of value based on computing and cryptography: a cryptocurrency. It needed no banks as intermediaries.
In fact, when the mysterious person or persons known as Satoshi Nakamoto authored the white paper on this novel concept, developed bitcoin, and created the first blockchain, they created a genesis block. And in that first block, Nakamoto left a backward message (à la the Beatles) quoting the day’s headline in The Times regarding bank bailouts.
Nakamoto also built an interesting challenge into the protocol of the original reference implementation of the bitcoin blockchain: every bitcoin beyond the 50 unspendable coins in that first block would have to come from mining.
There are two ways you can obtain cryptocurrencies: They can be purchased using actual fiat currency through a digital transaction on a cryptocurrency exchange. Or, they can be received as newly minted bitcoins disbursed to miners per the blockchain software protocol.
Essentially, miners are rewarded in cryptocurrency tokens by validating transactions on the distributed blockchain ledger. Such validation is necessary to ensure a bitcoin transaction occurs only once, as well as to prevent attempts to change any transaction in the digital ledger (the blockchain).
Validation involves computing a cryptographic hash of all the transactions in a block (a collection of transactions), coupled with performing a computational task. Once verified, cryptocurrency transactions are extremely resilient to tampering, as manipulating any transaction affects the entire block. And altering any block affects the entire blockchain. This makes a transaction a permanent part of the distributed blockchain ledger.
This sounds complicated, and it is. So complicated, in fact, that miners must produce millions of guesses to find the answer that validates a transaction block, and that requires enormous computing power. Urgency adds to the compute power needed: miners must work quickly, because the first one to find the correct answer wins the bitcoins.
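The guessing race described above, as an added illustration (example code written for this summary, not part of the Exabeam report or of any Bitcoin client): a simplified block whose transactions are combined into a Merkle root, a proof-of-work loop that increments a nonce until the double-SHA-256 header hash falls below a difficulty target, and a verification step showing why altering a confirmed transaction invalidates the block. The header layout, difficulty encoding and the sample transaction strings are simplified assumptions, not Bitcoin's real formats.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to transactions and block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txs: list[str]) -> bytes:
    """Hash every transaction, then hash pairs upward until one digest remains.

    Any change to any transaction changes this root, and through it the block hash,
    which is why a confirmed transaction cannot be quietly edited later.
    """
    if not txs:
        raise ValueError("a block needs at least one transaction")
    layer = [sha256d(tx.encode()) for tx in txs]
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])  # odd count: duplicate the last digest, as Bitcoin does
        layer = [sha256d(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def header_hash(prev_hash: bytes, root: bytes, nonce: int) -> bytes:
    """Simplified header: previous block hash, Merkle root, nonce (real headers carry more fields)."""
    return sha256d(prev_hash + root + nonce.to_bytes(8, "little"))


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The computational task: the hash, read as a number, must fall below 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(prev_hash: bytes, root: bytes, difficulty_bits: int) -> tuple[int, bytes, int]:
    """Try nonces in order until the header hash meets the target; return (nonce, hash, attempts).

    Each extra difficulty bit doubles the expected number of attempts, so the only way to win
    the race is to hash faster, i.e. to bring more computing power.
    """
    nonce = 0
    while True:
        digest = header_hash(prev_hash, root, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
        nonce += 1


@dataclass
class Block:
    prev_hash: bytes
    txs: list[str]
    difficulty_bits: int
    nonce: int = 0

    def hash(self) -> bytes:
        return header_hash(self.prev_hash, merkle_root(self.txs), self.nonce)


def verify_block(block: Block) -> bool:
    """Checking a block costs one hash; finding its nonce cost the miner many."""
    return meets_target(block.hash(), block.difficulty_bits)


def demo(difficulty_bits: int = 16) -> dict:
    """Mine one block over constructed sample transactions, then show that tampering breaks it."""
    prev = bytes(32)  # zero previous hash, as in a genesis block
    txs = ["alice->bob:1.5", "bob->carol:0.25", "carol->dave:0.1"]  # constructed, not real transactions
    block = Block(prev, txs, difficulty_bits)
    block.nonce, digest, attempts = mine(prev, merkle_root(txs), difficulty_bits)
    # Same winning nonce, but the first transaction's amount has been altered after the fact.
    tampered = Block(prev, ["alice->bob:15.0"] + txs[1:], difficulty_bits, block.nonce)
    return {
        "attempts": attempts,
        "hash": digest.hex(),
        "valid": verify_block(block),
        "tampered_hash_differs": tampered.hash() != block.hash(),
        "tampered_valid": verify_block(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Raising `difficulty_bits` by one doubles the expected number of attempts: at 16 bits roughly 65,000 hashes are needed on average, while verification is always a single hash. The tampered block, re-checked with the winning nonce, fails except with probability 2^-16, because the altered transaction changes the Merkle root and therefore the header hash.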
A persistent and deeply hidden insider threat
This is where a new form of insider threat arises. At the time of this writing, a single Bitcoin trades for approximately US$4,000, which makes mining it potentially very profitable. A single block yields a reward of 12.5 Bitcoin, or about $50,000.
But while this sounds like easy money, miners face a major hurdle to turning a profit. The cost of the computing power, including electricity, needed to make all those guesses and validate transactions to receive Bitcoin is steep.
Attracted by the potential for big profits, unscrupulous insiders have devised schemes to hijack IT resources of their organizations (and individual users’ machines), using them for illicit cryptocurrency mining. After all, it’s easier to make a profit when you have both free infrastructure and electricity.
For example, system administrators or operational security staff could secretly tap the power of a corporate data center or recruit a small amount of computing power from a number of users’ systems. Or a hacker might compromise a privileged user and perform the same activities from outside your organization.
The report cites a number of notable cases that have made the news, such as:
- A US Federal Reserve communications analyst was discovered covertly operating cryptomining for more than two years.
- A National Science Foundation researcher was described as using supercomputers at two universities to mine between $8,000–$10,000 in Bitcoin per month.
Termed shadow mining, such secret cryptomining not only consumes resources and drives up utility bills, but also affects the security of an organization’s entire IT infrastructure.
The Risks and Impact of Shadow Mining
For a shadow mining operator to be successful, they must deploy mining applications, or miners, across many systems. And the miner apps must remain stealthy. Therefore, shadow mining depends on security systems being deliberately misconfigured—truly an insider threat.
Further, since all software contains weak points, installing additional internet-connected applications increases a computer’s attack surface. This makes the enterprise less secure and the affected computers less reliable, since the added software consumes resources they were not provisioned for.
To make matters worse, countless forum posts, how-to guides, and step-by-step videos inform even the layperson about crypto mining techniques—and methods used for automating it. The barrier to entry has been lowered such that almost anyone can get started.
Since shadow mining is undertaken by trusted insiders, it can be especially difficult to detect. And it can go on for years before it’s discovered.
That said, Exabeam has conducted extensive research on the various ways shadow mining is done. We show that the scripts used to set up shadow mining leave telltale artifacts, and that heuristic and statistical methods for detecting it exist, taking host and network data as their inputs.
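An added example of the heuristic and statistical approach just described (written for this summary; the report's own detections, artifacts and data formats are not reproduced here). It scores constructed endpoint telemetry on four independent indicators: a mining-pool protocol URI on the command line, an outbound connection to a port commonly used by pools, per-process CPU that stays several standard deviations above the host's own baseline for many hours, and a security-tool exclusion added by the same user on the same host. Records with two or more indicators are flagged. Host names, the port list, thresholds and event formats are assumptions to tune per environment.

```python
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessRecord:
    """One long-running process as summarised by an endpoint agent (constructed format)."""
    host: str
    user: str
    image: str
    cmdline: str
    cpu_samples: list[float]      # percent CPU at successive 10-minute intervals
    dst_port: Optional[int]       # destination port of its outbound connection, if any
    runtime_hours: float


# Per-host baseline of ordinary per-process CPU use (constructed), for the statistical check.
BASELINES = {
    "dc-node-07": [2.0, 3.5, 1.0, 4.0, 2.5, 3.0, 1.5, 2.0],
    "ws-jdoe": [5.0, 8.0, 12.0, 6.0, 4.0, 9.0, 7.0, 5.0],
}

# Constructed security-tool audit events (user, host, action). Keeping a miner resident past
# endpoint controls usually needs a change like the first one: the deliberate misconfiguration
# the report describes.
AUDIT_EVENTS = [
    ("sysadm2", "dc-node-07", "av_exclusion_added:/opt/.cache"),
    ("jdoe", "ws-jdoe", "screen_unlock"),
]

POOL_URI = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)  # mining-pool protocol scheme
POOL_PORTS = {3333, 4444, 14444}  # ports often seen in pool configs; assumption, tune per environment


def score(rec: ProcessRecord, baselines=BASELINES, audit=AUDIT_EVENTS) -> tuple[int, list[str]]:
    """Count independent indicators on one record; each reason is a separate line of evidence."""
    reasons = []
    if POOL_URI.search(rec.cmdline):
        reasons.append("command line references a stratum pool URI")
    if rec.dst_port in POOL_PORTS:
        reasons.append(f"outbound connection to pool-style port {rec.dst_port}")
    base = baselines.get(rec.host)
    if base and len(base) > 1 and rec.cpu_samples:
        mu, sigma = statistics.mean(base), statistics.pstdev(base)
        sustained = statistics.median(rec.cpu_samples)  # median resists short legitimate bursts
        if sustained > mu + 3 * max(sigma, 1.0) and rec.runtime_hours >= 12:
            reasons.append(f"median CPU {sustained:.0f}% is over 3 sigma above host baseline "
                           f"for {rec.runtime_hours:.0f}h")
    if any(u == rec.user and h == rec.host and a.startswith("av_exclusion_added") for u, h, a in audit):
        reasons.append("same user added an AV exclusion on this host")
    return len(reasons), reasons


def triage(records: list[ProcessRecord], threshold: int = 2) -> list[dict]:
    """Return records carrying at least `threshold` indicators, strongest first."""
    findings = []
    for rec in records:
        s, reasons = score(rec)
        if s >= threshold:
            findings.append({"host": rec.host, "user": rec.user, "image": rec.image,
                             "score": s, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed telemetry: a hidden miner, a legitimate build, and a long-running backup job.
SAMPLE_RECORDS = [
    ProcessRecord("dc-node-07", "sysadm2", "/opt/.cache/kworker",
                  "/opt/.cache/kworker stratum+tcp://pool.example.invalid:3333",
                  [96.0, 98.0, 97.0, 99.0, 95.0], 3333, 30.0),
    ProcessRecord("dc-node-07", "builder", "/usr/bin/make", "make -j32 all",
                  [90.0, 92.0, 88.0], None, 1.5),
    ProcessRecord("ws-jdoe", "jdoe", "/usr/bin/rsync", "rsync -a /home /mnt/backup",
                  [40.0, 45.0, 42.0], 443, 20.0),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"{finding['host']} {finding['image']} ({finding['user']}) score={finding['score']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

The point of scoring several weak signals rather than alerting on any one is that each indicator alone produces noise: the build job is CPU-heavy but short, and the backup job is CPU-heavy for hours but touches no pool port and needed no security exception. The host baseline is computed per machine because a data-center node and a developer workstation have very different normal load, and a single global threshold would miss one or flood the other.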
To learn more about those results and recommendations about how to protect your organization, download the full report.