Before we start down the defensive recommendation path, it is necessary to establish a definition of the topic to be discussed. Our Global Threat Intelligence Center (GTIC) has established the following definition for Coin Mining Malware (CMM):
“Coin mining malware is any software, code, or script unknowingly used by a user or machine to mine cryptocurrency for another party.” – GTIC
If you are reading this with cartoon question marks over your head or just want to brush up on CMM, GTIC analyst Terrance DeJesus wrote a great blog on the rising popularity of malicious coin mining that introduces both the topic and the more in-depth GTIC Monero Mining Malware Report. Alternatively, if you know about CMM and are ready to start protecting your devices, consider the following key defenses against CMM risks:
Leverage Open-Source, Vetted Browser Extensions
The open-source community frequently steps up when there is an issue, real or perceived. CMM is turning into a perfect example. While malicious actors are figuring out how to exploit others for income, several projects have cropped up to automate blacklist updates and block web-based cryptojacking activity, such as MinerBlock and NoCoin.
Maintain Situational Awareness of the Latest Threats and Implement Appropriate ACLs
You appear to be working on the first, or you wouldn’t be here reading a security blog. The second is fairly easy in this instance. Despite the fluctuating cryptocurrency mining environment, some intelligence feeds indicate they are incorporating this information and the open-source community is actively maintaining several lists, such as CoinBlockerLists and uBlockOrigin’s Abuse List.
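Both of the controls above (blocking extensions and intelligence-fed ACLs) come down to the same mechanism: a hosts-format blocklist of mining domains and a matcher that applies it to the hostnames users reach. The following is an added example, not code from the original post or from the MinerBlock, NoCoin, CoinBlockerLists or uBlock Origin projects. The blocklist snippet is constructed with placeholder domains; the hosts-file layout (`<ip> <hostname> [# comment]`) is the one community blocklists commonly publish, and the matcher also catches subdomains of a listed domain.

```python
"""Parse a hosts-format coin-mining blocklist and match hostnames against it.

Added example (not from the original post or any blocklist project).
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample list; every entry is a placeholder, not a real miner host.
SAMPLE_BLOCKLIST = """\
# Constructed hosts-format blocklist (example data)
0.0.0.0 miner-pool.example
0.0.0.0 cdn.coinhive-like.example   # inline comment
127.0.0.1 localhost
0.0.0.0 stratum.example.net
"""

# Names that hosts files carry for their own purposes; never block these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the blocked hostnames from hosts-format text.

    Blank lines, comments (whole-line or trailing) and the usual local
    entries are skipped; hostnames are normalised to lowercase with any
    trailing dot removed.
    """
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostname is not an entry
            continue
        for host in parts[1:]:  # a line may list several hostnames
            host = host.lower().rstrip(".")
            if host and host not in LOCAL_NAMES:
                blocked.add(host)
    return blocked


def hostname_of(url: str) -> str | None:
    """Extract the normalised hostname from a URL or bare host:port string."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    host = parsed.hostname  # already lowercased by urlsplit
    return host.rstrip(".") if host else None


def is_blocked(url: str, blocked: set[str]) -> bool:
    """True when the URL's host, or any parent domain of it, is listed.

    a.b.example is checked as a.b.example, then b.example, then example,
    so listing a domain covers the subdomains a miner script is served from.
    """
    host = hostname_of(url)
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for url in ("https://miner-pool.example/lib/miner.js",
                "http://www.stratum.example.net:8080/",
                "https://example.net/"):
        print(f"{'BLOCK' if is_blocked(url, blocked) else 'allow'}  {url}")
```

The same matcher serves a proxy ACL, a DNS sinkhole feed or a browser extension: refresh the list on a schedule from the feed you trust, re-parse it, and keep the parent-domain check so that a new subdomain of an already-listed domain is caught without a list update.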
Install and Update Endpoint Security
Depending on the source looked at, modern anti-malware solutions detect between 19% and 70% of malware, with most reports trending lower. That said, I still find it a worthwhile layer in a tasty security cake. Catching anything is better than nothing, especially when multiple vendors have stated they now block CMM activity in the browser, from signatures, and heuristically.
Implement Remote Browser Isolation (RBI)
If you haven’t looked it up yet, RBI is one of the key buzz-phrases going into this year. The basic concept is to generate virtual browser containers inside your DMZ or the cloud. Users interact with these containers remotely and transparently. The endpoint is protected by never coming into direct contact with the browsing session. The container is destroyed at the end of the session. Although its foundation has the potential to eliminate, reduce or assign many of the risks associated with the user browsing session, it can also open new vulnerable points. A proper risk analysis will be able to determine the best path for your organization.
As always, remember that a defense-in-depth or layered approach to security is the best practice. No single control will provide undefeatable security. This is especially true with an evolving threat like CMM. While it should not be considered all-inclusive, I would be remiss if I failed to provide the following list of basic controls that should ideally be in place as well:
- Keep operating systems patched and up to date. All of them. Even the legacy server hidden in a closet somewhere. On second thought, remove that one entirely!
- Disable unnecessary services on workstations and servers. Monitor for activity on unusual ports. This will have the added benefit of shutting down third shift’s private gaming servers.
- Enforce a strong password policy and implement regular password changes. Go one step further and implement multi-factor authentication.
- Restrict user permissions to prevent installation of unauthorized software applications.
- Exercise caution when opening email attachments, even if the sender appears to be known.
- Restrict the use of and exercise caution when using removable media. Especially the flash drive you found in the parking lot. Just sanitize and dispose of it with the hidden-closet server.
- Monitor and update web filtering tools, preventing access to unfavorable content.
- Leverage mobile device management (MDM) solutions to mitigate some of the risk associated with BYOD.
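The "monitor for activity on unusual ports" control above is easiest to operate as a baseline check: record which listening ports each host role is expected to have, then flag every listener that is not on that list. The following is an added example, not code from the original post. Its input is a constructed CSV export (host, role, protocol, port, process) of the kind an inventory agent could produce from netstat-style output; the roles, ports and process names are hypothetical.

```python
"""Flag listening sockets that fall outside a host role's baseline.

Added example (not from the original post). Input is a constructed CSV
export; a real deployment would feed it from an endpoint agent.
"""
from __future__ import annotations

import csv
import io

# Hypothetical baseline: per host role, the listening ports we expect.
EXPECTED_PORTS: dict[str, dict[str, set[int]]] = {
    "workstation": {"tcp": set(), "udp": {5353}},
    "webserver": {"tcp": {22, 80, 443}, "udp": set()},
}

# Constructed export. Process names are placeholders, not real binaries.
SAMPLE_EXPORT = """\
host,role,proto,port,process
ws-017,workstation,tcp,3333,unknown-miner
ws-017,workstation,udp,5353,mdns-responder
web-01,webserver,tcp,443,nginx
web-01,webserver,tcp,22,sshd
web-01,webserver,tcp,27015,game-server
db-02,database,tcp,5432,postgres
"""


def find_unexpected_listeners(export_text: str,
                              baseline: dict[str, dict[str, set[int]]]) -> list[dict]:
    """Return one finding per listener not covered by the role baseline.

    A host whose role has no baseline at all is reported too: an unknown
    role is itself a gap in the inventory, not a silent pass.
    """
    findings: list[dict] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role_ports = baseline.get(row["role"])
        port = int(row["port"])
        if role_ports is None:
            reason = "no baseline for role"
        elif port not in role_ports.get(row["proto"].lower(), set()):
            reason = "port not in role baseline"
        else:
            continue  # expected listener, nothing to report
        findings.append({
            "host": row["host"],
            "proto": row["proto"].lower(),
            "port": port,
            "process": row["process"],
            "reason": reason,
        })
    return findings


def findings_by_host(findings: list[dict]) -> dict[str, list[int]]:
    """Group unexpected ports per host, for a ticket or dashboard summary."""
    grouped: dict[str, list[int]] = {}
    for f in findings:
        grouped.setdefault(f["host"], []).append(f["port"])
    return grouped


if __name__ == "__main__":
    for f in find_unexpected_listeners(SAMPLE_EXPORT, EXPECTED_PORTS):
        print(f"{f['host']:8} {f['proto']}/{f['port']:<5} {f['process']:15} {f['reason']}")
```

Run the check on every export and alert on new findings rather than on the full list, so that a listener that appears overnight on a workstation (which should have none on TCP) stands out from the long-lived exceptions you have already reviewed.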
CMM may appear innocuous, but it has the potential for real-world consequences. Fortunately, there are straightforward steps to take to defend a host or network from this risk that is unlikely to disappear any time in the near future.
Stay safe. Stay curious.