Cisco found cryptomining activity within 69% of customers

More than two-thirds of Cisco customers in 2020 were affected by cryptomining, according to new research.

Cisco released its "Threat Trends: DNS Security" report Thursday, which analyzed malicious DNS activity and threats that occurred between January and December of last year. The report analyzed data from Cisco Umbrella, the company's cloud-based network security platform, and found a majority of organizations had at least some DNS traffic going to malicious sites for phishing (86%), malvertising (70%) and ransomware (50%).

While many threats were analyzed, the report found cryptomining generated the most malicious DNS traffic out of any individual category. When placed inside victims' environments, cryptomining malware abuses computing resources to mine for digital currencies like bitcoin, which can be profitable to threat actors.

"While cryptomining is often favored by bad actors for low-key revenue generation, it's relatively noisy on the DNS side, as it regularly pings mining servers for more work," the report said.

Cisco found enterprises in 2020 were particularly affected by cryptomining, also known as cryptojacking. Austin McBride, Cisco data scientist, told SearchSecurity that cryptomining impacted 69% of organizations.

"As a general rule of thumb, the vast majority of our customers are not in the business of mining as part of their daily business. So, they view all cryptomining in their environment as a drain on resources and a problem that needs to be fixed," he said in an email to SearchSecurity.

The report noted the DNS traffic was a mix of illicit and "legitimate" activity, though Cisco researchers said there is little practical difference between the two.

"It depends on who you ask, but this is generally how we define these different types of traffic: legitimate cryptomining for one of our customers would be mining they do with company resources for the benefit or profit of that company," McBride said. "If the customer does not mine cryptocurrency as part of their daily business activities, then mining on company hardware is considered illicit."

Illicit cryptomining, on the other hand, is "done by an employee or malicious third party for person gain at the expense of the company and its resources."

As far as how much may be legitimate versus illicit, McBride said it's hard to say definitively. Despite the differences, the percentage of impacted customers was high. While that did not come as a surprise to Cisco researchers, McBride said they are surprised that organizations view cryptomining as not being particularly dangerous for enterprise environments. McBride said such attacks come with potentially grave consequences.

"Cryptomining can reduce the life of your hardware, clog your bandwidth, drive up your AWS compute costs, and can be potential indicators of compromise (IOC) waiting to happen," he said. "As for the reason why cryptomining traffic is chatty -- in case of say bitcoin, a miner uses their computing power to verify P2P bitcoin transactions and is rewarded with new Bitcoins proportional to the amount of computing power they donated to the Bitcoin network. This verification process requires a lot of DNS queries to verify the transactions."

Cryptomining malware hasn't evolved significantly in recent years; McBride said generally, the underlying mining protocols for cryptocurrencies do not change very often. However, the way malicious actors choose to infiltrate an environment, set up mining software and mask their activities can change frequently. An example would be making the DNS traffic look like email traffic rather than mining.

"We have also seen malicious actors lead with cryptomining software then use follow-up malware to exploit your environment further," he said.

Cryptomining attacks surged several years ago as the value of bitcoin and other cryptocurrencies greatly increased. For example, in 2018 Kaspersky Lab said corporate networks were the new target of an illicit cryptomining malware that was difficult to detect and eradicate. Kaspersky said the trend was growing and overtaking ransomware as the most popular way for a threat actor to profit. However, in 2020 ransomware dominated the threat landscape, especially when COVID-19 forced work and school to go remote.

McBride said this is just the beginning for cryptomining threats.

"It's just starting to take off and go mainstream," he said. "Cryptomining can be very lucrative and is an attractive tool for malicious actors to make quick money regardless of how well the crypto market is doing."

Cryptomining activity has been observed just this month in connection with major attacks on Microsoft Exchange Servers. Chinese nation-state actors exploited four zero-day vulnerabilities to attack on-premises versions of Microsoft Exchange email servers. Tens of thousands of U.S. organizations have reportedly been impacted.

Threat detection vendor Red Canary reported exploitation activity that involved the installation of a cryptomining program called Dltminer.

"For the next few years at least, cryptomining is going to continue to grow rapidly," McBride said.