
How to Mitigate the Threat Cryptocurrency Mining Poses to Enterprise Security


The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity, and concern, among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.

To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes Firewall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company's Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)

Cato Research Labs determined that crypto mining represents a moderate threat to the organization. Immediate disruption of the organization's infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.

However, there are significant risks of increased facility cost, and of the underlying compromise that delivered the miner, that must be addressed.

Understanding Blockchain and Crypto Mining

Crypto mining is the process of validating cryptocurrency transactions and adding new blocks to the blockchain. Blocks are not encrypted; they are hashed, and a miner must find a block whose hash meets the network's current difficulty target in order to earn the block reward. As more computing power joins the network, the difficulty is adjusted upward, so finding a valid hash for a new block becomes ever more resource-intensive.

Today, the mining process can require years with an off-the-shelf computer. To get around this problem, miners use custom hardware to accelerate the mining process, and they form "mining pools" in which collections of computers work together to search for a valid hash.

The more compute resources contributed to the pool, the greater the chance of mining a new block and collecting the reward. It is this search for more compute resources that has led some miners to exploit enterprise and cloud networks.

Participating in a mining pool requires computers to run native or JavaScript-based mining software (see Figure 1). Both use the Stratum protocol to distribute computational tasks among the computers in the mining pool, either over raw TCP or over HTTP/S (technically, WebSockets over HTTP/S).

Figure 1: An example of a website running JavaScript-based mining software. Typically, such websites do not ask the visitor for permission.

Native mining software typically uses long-lived TCP connections, running Stratum directly over TCP; JavaScript-based software usually relies on shorter-lived connections and runs Stratum over HTTP/S.

The Risk Crypto Mining Poses to the Enterprise

Mining software poses a risk to the organization on two counts. In all cases, mining software is highly compute-intensive, which can slow down an employee's machine. Running CPUs at high load for an extended period increases electricity costs and may also shorten the life of the processor or of laptop batteries.

Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in much the same way as botnet-delivered malware does on a victim's machine. As such, the presence of native mining software may indicate a compromised device, and the miner itself may be only the most visible payload.

How To Protect Against Crypto Mining

Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.

The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains used to join public mining pools.

Approach 1: Blocking Unencrypted Stratum Sessions with DPI

DPI engines can disrupt mining pool communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture in which servers send messages (publish) to subscribed clients. Blocking either the subscription or the publishing process will prevent Stratum from operating across the network.

DPI rules should be configured to match the JSON content. Stratum payloads are simple, readable JSON-RPC messages, sent as newline-delimited objects or batches (see Figure 2).

Stratum uses request/response messaging over JSON-RPC:

Figure 2: Detail of a JSON-RPC batch call (reference: http://www.jsonrpc.org/specification)

A subscription request to join a pool contains three entities: id, method, and params (see below). Configure DPI rules to look for these fields, and in particular for a method value under the "mining." namespace, to block Stratum over unencrypted TCP.

{"id": 1, "method": "mining.subscribe", "params": []}

Three parameters are used in a subscription request message when joining a pool. Note that the pool's responses carry an id and a result but no method, so a rule keyed only on the client-to-server request is sufficient to break the session.
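The following is an added example, not Cato's IPS rule or any code from the article, showing the detection logic a DPI rule would implement against a reconstructed plaintext TCP stream. It parses newline-delimited JSON-RPC objects and batches, as described above, and flags the Stratum v1 verbs under "mining." plus the "login"/"submit" verbs used by CryptoNote-style (Monero) pools. The sample payloads are constructed for the example; they are not captures.

```python
"""Detect Stratum JSON-RPC mining traffic in a reconstructed TCP payload.

Added example for this article; it is not Cato's IPS rule or code.
Assumptions: the payload is the plaintext (unencrypted) client-to-server
side of a TCP stream, and Stratum messages are newline-delimited JSON-RPC
objects or batches, as the article's Figure 2 describes.
"""
import json
from typing import Iterable, List

# Verbs used by Stratum v1 (Bitcoin-style pools) and by CryptoNote-style
# pools (Monero "login"/"submit"/"keepalived"). Anything under the
# "mining." namespace is treated as Stratum regardless of the exact verb.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.extranonce.subscribe", "login", "submit", "keepalived",
}


def _messages(line: str) -> Iterable[dict]:
    """Yield JSON-RPC objects from one line; a batch call is a JSON array."""
    try:
        obj = json.loads(line)
    except ValueError:
        return
    if isinstance(obj, list):
        for item in obj:
            if isinstance(item, dict):
                yield item
    elif isinstance(obj, dict):
        yield obj


def stratum_methods(payload: bytes) -> List[str]:
    """Return the Stratum request methods found in a payload, in order."""
    found = []
    for raw in payload.split(b"\n"):
        line = raw.strip()
        if not line.startswith((b"{", b"[")):
            continue  # cheap pre-filter: Stratum lines are JSON objects or batches
        for msg in _messages(line.decode("utf-8", errors="replace")):
            method = msg.get("method")
            if not isinstance(method, str):
                continue  # a pool response ({"id":1,"result":...}) has no method
            if method in STRATUM_METHODS or method.startswith("mining."):
                # a Stratum request also carries "id" and "params"
                if "id" in msg and "params" in msg:
                    found.append(method)
    return found


def is_stratum(payload: bytes) -> bool:
    """True if the payload contains at least one Stratum request."""
    return bool(stratum_methods(payload))


# Constructed sample data (not a real capture): a Stratum v1 subscribe and
# authorize, a Monero-style batch login, and an ordinary HTTP request.
SAMPLE_STRATUM = (
    b'{"id": 1, "method": "mining.subscribe", "params": []}\n'
    b'{"id": 2, "method": "mining.authorize", "params": ["wallet.worker", "x"]}\n'
)
SAMPLE_BATCH = (
    b'[{"id": 1, "jsonrpc": "2.0", "method": "login", '
    b'"params": {"login": "wallet", "pass": "x", "agent": "miner/1.0"}}]\n'
)
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("stratum", SAMPLE_STRATUM), ("batch", SAMPLE_BATCH), ("http", SAMPLE_HTTP)]:
        print(name, is_stratum(p), stratum_methods(p))
```

The "mining." prefix is specific enough to stand alone; "login" and "submit" are generic JSON-RPC verbs that other applications could use, so in a production rule pair them with the destination (an unusual high port, or an address from the pool list in Approach 2) before blocking. This logic only sees plaintext; Stratum carried inside TLS, the case covered next, is invisible to it unless the firewall terminates the session.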

Approach 2: Blocking Public Mining Pool Addresses

However, some mining pools offer Stratum over TLS-encrypted channels. This is particularly true for JavaScript-based miners, which often run Stratum over HTTPS.

Detecting Stratum in that case is difficult for DPI engines that do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains of the public mining pools.

To determine the addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:

  • the pool address (domain or IP, usually with a port)
  • a wallet address to receive payouts
  • the password for joining the pool

The configuration information is usually passed via a JSON file or via command-line arguments (see Figure 3).

Figure 3: A JSON file providing the necessary miner pool configuration
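The following is an added example, not Cato's feed-generation code, showing how the pool address is recovered from the two configuration forms just described and turned into blocklist entries. It assumes a JSON config carrying a "url" key, directly or inside a "pools" array, and a cpuminer/xmrig-style command line using -o or --url for the pool; those key and flag names are assumptions for the example. Hosts and addresses are constructed (example.test names and a TEST-NET address), not real pools.

```python
"""Extract mining-pool hosts from miner configuration and emit blocklist entries.

Added example for this article; not Cato's code. Assumptions: JSON configs
carry "url" (top level or under "pools"), command lines use -o/--url for
the pool URL, and pool URLs look like stratum+tcp://host:port, ssl://host:port
or a bare host:port. All sample data below is constructed.
"""
import ipaddress
import json
import shlex
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def pool_from_url(url: str) -> Tuple[str, int]:
    """Return (host, port) from a pool URL; a bare host:port is accepted too."""
    if "://" not in url:
        url = "stratum+tcp://" + url  # give urlsplit a scheme so netloc is parsed
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host in pool url: {url!r}")
    return parts.hostname.lower(), parts.port


def pools_from_json(text: str) -> List[Tuple[str, int]]:
    """Pool addresses from a JSON config like the article's Figure 3."""
    cfg = json.loads(text)
    urls = [cfg["url"]] if "url" in cfg else []
    urls += [p["url"] for p in cfg.get("pools", []) if "url" in p]
    return [pool_from_url(u) for u in urls]


def pools_from_cmdline(cmd: str) -> List[Tuple[str, int]]:
    """Pool addresses from a miner command line (-o URL, --url URL, --url=URL)."""
    argv = shlex.split(cmd)
    urls = []
    for i, arg in enumerate(argv):
        if arg in ("-o", "--url") and i + 1 < len(argv):
            urls.append(argv[i + 1])
        elif arg.startswith("--url="):
            urls.append(arg.split("=", 1)[1])
    return [pool_from_url(u) for u in urls]


def build_blocklist(pools) -> Dict[str, List[str]]:
    """Deduplicate hosts. Literal IPs go to an address list, hostnames to a
    domain list; ports are dropped because pools listen on many."""
    ips, domains = set(), set()
    for host, _port in pools:
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains)}


def iptables_rules(blocklist: Dict[str, List[str]], chain: str = "OUTPUT") -> List[str]:
    """Render the IP part as iptables drop rules (domains need DNS filtering
    or periodic resolution, since their addresses change)."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in blocklist["ips"]]


# Constructed samples: one JSON config with two pools, one command line.
SAMPLE_JSON = json.dumps({
    "pools": [
        {"url": "stratum+tcp://pool.example.test:3333", "user": "WALLET", "pass": "x"},
        {"url": "pool.example.test:5555", "user": "WALLET", "pass": "x"},
    ]
})
SAMPLE_CMD = ("minerd -a cryptonight -o stratum+tcp://203.0.113.7:4444 "
              "-u WALLET -p x --url=ssl://eu.pool.example.test:443")

if __name__ == "__main__":
    found = pools_from_json(SAMPLE_JSON) + pools_from_cmdline(SAMPLE_CMD)
    blk = build_blocklist(found)
    print(blk)
    print("\n".join(iptables_rules(blk)))
```

The split between domains and IPs matters for maintenance: a hostname entry keeps working when the pool moves to new addresses, while an IP entry goes stale, which is the upkeep problem the next section describes.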

Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create, as the necessary information is publicly available. Most mining pools publish their details on the Internet in order to attract miners to their networks (see Figure 4).

Figure 4: Public addresses for mining pools are well advertised, as demonstrated by mineXMR.com's "Getting started" page

Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking could be time-consuming.

IT professionals could be forced to enter public addresses manually, and those addresses will likely change or grow over time, requiring constant maintenance and updates.

Cato Research Labs Publishes List of Mining Pool Addresses

To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the wider community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Figure 5: Partial list of mining pool addresses compiled by Cato Research Labs

Cato researchers wrote code that leveraged those results to build a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.

Final Thoughts

The combined risk of impairing devices, increasing costs, and botnet infections led Cato Research Labs to strongly recommend that IT prevent and remove crypto mining from enterprise networks.

Should mining software be found on the network, Cato Research Labs strongly recommends investigating those machines for active malware infections and cleaning them, to reduce any risk to the organization's data.

Cato Research Labs has provided a list of addresses that can be used toward this goal by blocking access to public mining pools. But there is always a chance of new pools or addresses appearing, which is why Cato Research Labs strongly recommends also constructing rules in a DPI engine with sufficient capacity to inspect encrypted sessions.
