Over on Naked Security they have an article Have federal nuclear supercomputer? GO CRYPTOMINING! that briefly (yes, you have to wade through a bit of nastalgia to get to the actual story in the last paragraph) outlines that some Russian scientists were using a nuclear supercomputer to mine cryptocurrency. While that is shocking in and of itself, I think the more shocking comment by the author is:
“To be fair, there isn’t much of a downside, as long as you ignore:
- The unbudgeted operating expenses from powering computers to work for someone else.
- The opportunity costs because legitimate works gets slowed down.
- The security risks from who-knows-what untrusted programs and network connections.
- The reputational and regulatory costs of reporting, investigating and explaining the intrusion.”
I’ll give the author the benefit of the doubt and assume this was a tongue-in-cheek comment. But really, there is nothing but downside to this type of activity, and it’s only going to get more prevalent as applications get easier to deploy and more plentiful. There are multiple methods for loading up such capabilities (scripts, executables, local and remote-based,etc) so where to begin with trying to mitigate against this threat (and have no doubt, foreign unauthorized apps/scripts running on your critical servers is a threat).
Data Loss Prevention (DLP) with white listing seems like a good place to start. Only authorized applications are allowed to run within the environment. This generally takes a strong knowledge of your environment though and the ability to lock things down pretty hard, so starting off with a blacklist using known hashes seems like a much easier beginning. The downside of course is that you don’t know what you don’t know so you will have to be constantly inventorying the network to determine what is out there (which you should be doing anyway, now you have some action you can take with all that data).
Some of these programs require Admin access to install, so a stronger logging and monitoring of what the Admins are doing is also recommended (and again, should have been done anyway as part of a best practice Information Security program).
Finally (but only because I want to limit the length of this post, not because this is the only other action you can take), user education and policy. You see, while there are thousands of vendors who will sell you some very good products to limit this sort of activity if you don’t set a baseline policy and tell your users
that they shouldn’t be doing this and then educate them on what risks they are imposing on the organization, many of those tools will simply be bypassed much like this very useless gate that we’ve all seen before.
Cryptomining on equipment not owned by the user (whether its the user’s company’s equipment, or some remote hijack) is likely to move up the list of IT Security concerns in 2018, so if you haven’t already formulated a plan and put controls into place start thinking now about how you are addressing this issue and will continue to address it.