In addition to the global and regional key findings discussed in the 2019 Global Threat Intelligence Report, we focus on several security challenges impacting organizations. One of the challenges discussed, capturing headlines globally, is coin mining: the process of generating cryptocurrency.


The business of coin mining and technologies supporting the capability to generate cryptocurrency continues to evolve. The capabilities to generate cryptocurrency, potential attacks against the cryptocurrency ecosystem, and attack patterns and intrusion sets related to malicious activity are still very much in their infancy. We suspect coin mining activities and the potential impact to organizations are yet to be fully realized.


According to the Cyber Threat Alliance (CTA), an NTT Security strategic partner, in a joint paper with NTT Security and other members, the threat of illicit cryptocurrency mining represents an increasingly common cybersecurity risk for enterprises and individuals, with mining detections increasing 459% between 2017 and 2018.


During our analysis of security events related to coin mining, it was clear that organizations in the technology and education sectors were impacted by a significant amount of coin mining activity. The technology sector accounted for 46% of coin mining activity, with the education sector not too far behind at 40%. Together these two sectors accounted for 86% of all activity. After technology and education, the healthcare, business and professional services, and finance sectors accounted for a significantly smaller portion of the overall attack volume. In fact, the remaining 14% of activity observed was spread across 13 sectors.


The most active coin miners detected during our analysis were XMRig, CoinHive and CoinMiner. XMRig and CoinMiner are host-based miners that generate cryptocurrency directly on the systems they are installed on. CoinHive uses JavaScript code embedded in web sites to consume visitors' CPU power, and may do so with or without the visitor's approval or knowledge that the activity is taking place.


Coin mining attacks often target systems with high-end Graphics Processing Units (GPUs). These are most often found in end-user graphics cards, which are very efficient at the mathematical computations required for coin mining. While enterprise-class servers may not have the same GPU power available, their CPU power and RAM help to close the gap, making servers viable coin mining targets as well.


In our report, we also identify that coin mining is not the only risk in the world of cryptocurrencies. Attacks against cryptocurrency exchanges and personal wallets are also observed globally. For instance, Coincheck and Zaif, Japan-based cryptocurrency exchanges, were attacked, resulting in the theft of 58 billion JPY (approximately $52.8 million USD) of cryptocurrency in January and 7 billion JPY (approximately $6.3 million USD) in September, respectively. Another lucrative target for attackers is personal cryptocurrency wallets. Xian News in China reported that 600 million RMB (approximately $89 million USD) of cryptocurrency was stolen from a personal wallet.


As the threats and challenges associated with coin mining activities are still evolving, it is important to take a proactive approach to mitigating their potential impact. Some recommendations that will be helpful in mitigating impact include:


  • Cryptocurrency and coin mining activities are not, in their basic form, illegal. However, organizations must quickly define their policy on coin mining that uses organization-owned resources.
  • Organizations must update their incident response processes and procedures to ensure they are prepared in the event of an incident. In addition to planning, it is just as important to test your incident response plans to identify potential gaps and adjust accordingly.
  • Limit privileged access to resources and segregate network and application environments to minimize impact.
  • Deny the use of specific protocols used by coin mining applications.
  • Continue to monitor the development of coin mining capabilities, attack patterns and intrusion sets, and implement additional controls where needed.
  • Download a copy of the complete GTIR and Cyber Threat Alliance paper for many more helpful recommendations.
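The report names CoinHive's in-browser JavaScript miner and recommends denying the protocols that mining applications use. As an added example, not taken from the GTIR or the CTA paper, the following Python triage script scans constructed proxy-log lines and an HTML fragment for two such indicators: the Stratum mining protocol (a `stratum+tcp://` URL or a JSON-RPC request using a Stratum method such as `login` or `mining.subscribe`, which XMRig-style miners use) and references to the CoinHive library. The hostnames, log format and sample lines are assumptions constructed for the example.

```python
import json
import re
from typing import Dict, List

# Indicators drawn from general knowledge of the Stratum mining protocol and
# the CoinHive browser miner; they are assumptions, not values from the report.
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize", "mining.submit"}
COINHIVE_JS = re.compile(r"coinhive(\.min)?\.js|CoinHive\.(Anonymous|User)", re.IGNORECASE)

def stratum_payload(line: str) -> bool:
    """True if the line carries a Stratum-style JSON-RPC mining request."""
    start = line.find("{")
    if start < 0:
        return False
    try:
        msg = json.loads(line[start:])
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS

def classify(line: str) -> List[str]:
    """Return the names of the indicators that match one log or HTML line."""
    hits = []
    if STRATUM_URL.search(line) or stratum_payload(line):
        hits.append("stratum-mining-protocol")
    if COINHIVE_JS.search(line):
        hits.append("coinhive-browser-miner")
    return hits

def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each indicator to the lines that triggered it."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        for hit in classify(line):
            report.setdefault(hit, []).append(line.strip())
    return report

# Constructed sample input: three proxy-log lines and one scraped HTML line.
SAMPLE = [
    'proxy lab-ws-17 CONNECT pool.example.invalid:3333 stratum+tcp://pool.example.invalid:3333',
    'proxy lab-ws-22 POST http://www.example.invalid/api payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","agent":"XMRig/5.0"}}',
    'proxy lab-ws-03 GET http://www.example.invalid/index.html 200',
    '<script src="https://cdn.example.invalid/lib/coinhive.min.js"></script>',
]

if __name__ == "__main__":
    for name, matched in triage(SAMPLE).items():
        print(f"{name}: {len(matched)} line(s)")
```

A blocked-protocol rule at the proxy or egress firewall is the preventive counterpart; this script is the detection check to run over the logs that rule produces.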


For more information on coin mining, global and regional findings, and other security challenges, please download the report from https://www.nttsecurity.com/landing-pages/2019-gtir 


Read our joint paper with the Cyber Threat Alliance by downloading it at: https://www.cyberthreatalliance.org/wp-content/uploads/2018/09/CTA-Illicit-CryptoMining-Whitepaper.pdf