by peter


Cryptomining Attack Explained


Risk Rating: MEDIUM
Likelihood: 2/5
Impact: 3/5


  • Lack of good quality firewall rules
  • Lack of monitoring
  • Poor coding leading to exploitable vulnerabilities

Cryptomining Attack Overview

Cryptomining attacks use exploitable vulnerabilities on systems to deploy malware onto the vulnerable systems. The malware co-opts the target's computing resources in order to mine cryptocurrencies like bitcoin. This malware uses a system's CPU, and sometimes its GPU, to perform complex mathematical calculations that result in long alphanumeric strings called hashes.

What you need to know about Cryptomining Attack

Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed to ensure that the number of blocks mined each day would remain steady. So it’s par for the course that ambitious yet unscrupulous miners make amassing the computing power of large enterprises — a practice known as cryptojacking — a top priority.

The common tell that a cryptomining attack has succeeded is a significant decrease in the performance of a system or systems. As the cryptomining client runs, it will consume 100% of the available CPU capacity and occasionally the GPU. Where the GPU is hit, the main issue experienced will be significant overheating of the system.

The best defense against cryptomining attacks is authenticated vulnerability scanning to identify vulnerabilities, followed by regular and rapid patching. The Cyber Essentials standard states that patching should be conducted within 14 days of a patch being released, and we agree.

Detection is simple. If you have a well-established monitoring program or are using a SOC, then, failing everything else, they will detect the malware once it is running. They should also be informing you in good time of vulnerabilities present in the environment.

How a cryptomining attack happens

Cryptojacking attacks have attracted an increasing amount of media attention since their explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to evade detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free content delivery network (CDN). When malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critical to monitor your systems for suspicious activities that could indicate that your network has been infiltrated.

Cryptomining Attack Sources

Because cryptocurrency is a global commodity, cryptomining attacks can originate from anywhere. Instead of focusing on where the attacks come from, it is key to monitor cloud computing instances for activities related to cryptojacking and cryptomining, such as new cloud instances that originate from previously unseen regions, users who launch an abnormally high number of instances, or compute instances started by previously unseen users.
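One way to implement the three cloud-side checks just described (unseen region, unseen user, abnormally high launch count) over a batch of instance-launch audit events, as an added Python example that is not part of the original article; the event field names, the known-good baseline sets and the threshold are constructed assumptions for the example:

```python
from collections import Counter

# Constructed sample of instance-launch audit events (CloudTrail-style RunInstances
# calls, reduced to the fields the checks need). Field names are assumptions.
EVENTS = [
    {"user": "ci-deploy", "region": "eu-west-1", "count": 2},
    {"user": "ci-deploy", "region": "eu-west-1", "count": 1},
    {"user": "alice",     "region": "eu-west-1", "count": 1},
    {"user": "alice",     "region": "eu-west-1", "count": 1},
    # Suspicious: a never-before-seen principal launching many instances in a
    # region this account has never used before.
    {"user": "svc-tmp42", "region": "ap-southeast-2", "count": 40},
    {"user": "svc-tmp42", "region": "ap-southeast-2", "count": 60},
]

# Baseline learned from historical known-good activity (assumed for this example).
KNOWN_USERS = {"ci-deploy", "alice"}
KNOWN_REGIONS = {"eu-west-1"}
MAX_INSTANCES_PER_USER = 10  # threshold; tune to the account's normal behaviour


def detect_cryptojacking_indicators(events, known_users, known_regions, max_per_user):
    """Return (indicator, detail) tuples for the three signals the article names."""
    findings = []
    launched = Counter()          # total instances launched per user in this batch
    flagged_users, flagged_regions = set(), set()
    for ev in events:
        user, region, n = ev["user"], ev["region"], ev["count"]
        launched[user] += n
        # Signal 1: compute started by a previously unseen user (report once).
        if user not in known_users and user not in flagged_users:
            flagged_users.add(user)
            findings.append(("unseen_user", user))
        # Signal 2: launches in a region the account has never used (report once).
        if region not in known_regions and region not in flagged_regions:
            flagged_regions.add(region)
            findings.append(("unseen_region", region))
    # Signal 3: a user launching an abnormally high number of instances.
    for user, total in launched.items():
        if total > max_per_user:
            findings.append(("high_instance_count", f"{user}:{total}"))
    return findings


if __name__ == "__main__":
    for kind, detail in detect_cryptojacking_indicators(
            EVENTS, KNOWN_USERS, KNOWN_REGIONS, MAX_INSTANCES_PER_USER):
        print(f"[{kind}] {detail}")
```

In practice the baseline sets would be built from a trailing window of the account's own audit history rather than hard-coded, and each finding would feed the monitoring or SOC alerting pipeline the article recommends.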