Cryptojacking: How to Undermine the Miners

By Alex Willis, VP Global Technical Solutions, BlackBerry

How secure is your network against cryptojacking? You might want to double-check, because there’s a chance it could be producing lots of money—just not for your organisation.

A recent article from TechCrunch cites research that shows a troublesome spike in a malware which leverages exploits stolen from the National Security Agency (NSA) to compromise corporate networks. Dubbed Beapy, this malware allows bad actors to conscript infected computers for cryptocurrency “mining.” This process is known as cryptojacking.

According to the researchers, there have been over 12,000 unique Beapy infections across more than 700 organisations since March alone. The cryptominers usually target enterprises due to their large host of computers, which – when infected – can produce large amounts of cryptocurrency in a fairly short period of time.

Beapy is typically propagated by means of specially-crafted malicious emails. The malware creates a persistent backdoor on the infected computer, and is designed to spread laterally through an enterprise’s network, utilising the same NSA exploits that facilitated WannaCry’s mayhem back in 2017.

But there’s another, more simplistic way that Beapy is worming its way into enterprise networks: via passwords. Utilising Mimikatz, an open source tool that can expose user login credentials, Beapy can sniff passwords entered on an infected computer to further gain a foothold in an enterprise’s network. This highlights a worrisome concern for enterprises: a single infected device on an enterprise network is all an attacker needs to launch a major cryptojacking operation.

Beapy is the latest in an increasing number of cryptojacking malware variants targeting enterprises around the world. – and there’s no signs the trend is waning. This sort of file-based cryptojacking is quicker, more efficient and more lucrative than exploiting website vulnerabilities. With more than one million computers vulnerable to attacks, enterprises need to be placing secure, authenticated protection of their systems at the top of their priority list.

Single sign-on

With World Password Day shining a light on best practices for password authentication this week, it’s the perfect time for enterprises to take stock and protect their networks. Using the same password for multiple cloud or on-premise systems is dangerous because if one is compromised, a malicious actor has the login credentials for a host of other systems too.

Organisations need to work with security providers that can remove this burden by offering single sign-on (SSO) to cloud services so that users don’t have to complete multiple logins or remember numerous passwords. This in turn significantly reduces the likelihood that password sniffing malware can compromise credentials.

With resilient SSO services in place, enterprises can harness a singular identity to authenticate on business systems – locally or remotely – with the authentication event occurring securely behind the network firewall. This means users don’t have to synchronise their credentials outside of the network, they can simply access systems and services from any device of their choosing.

This ability significantly boosts employee productivity by allowing them to use personal devices in the workplace (BYOD) and at home to access systems they need to be more productive while reducing risks to overall security.

A single authentication service also makes it easier to lock out a user who no longer should have access to sensitive systems—in fact, they can be automatically removed from the UEM server and be instantly denied the capability to login. Overall, a more secure environment is created when a company’s network credentials are managed by one network security team.

Two-factor authentication

Because of malware like Beapy, we’ve also seen how insecure SMS or email-based two-factor authentication (2FA) can be. This is the technique most cloud systems currently employ as a second failsafe, but it’s an innately hackable setup. Organisations need to ensure they have simple, high-security user authentication that safeguards all critical systems, and that they’re using a certificate-based direct push so that the data is encrypted while in transit to phones.

Companies need to ensure they work with the right provider so they can initiate remediation, remotely locking or wiping a device, or alert security if a prompt is not received or is declined. As passwords become more and more vulnerable with the expanding number of endpoints, secure two-factor authentication is vital for enterprises looking to protect their network from advancing cyberthreats.

It’s also essential to support unmanaged devices as well as devices managed by third-parties, meaning it can easily map onto almost any device users of your network may choose to use while on the go. Once employees register one or more mobile devices, they can securely access critical systems simply by entering their usual password and clicking ‘OK’ on a registered mobile device. This one-click experience eliminates the frustration that comes with other cumbersome authentication processes and the need for users to remember PINs, carry additional devices, or manually transcribe passwords or authentication codes.

While cryptojacking is one of the more victimless cybercrimes, it can still take a number on your network, slowing down computers and creating device degradation. To combat the rise of cryptojacking malware like Beapy, enterprises need to act fast to secure their endpoint to protect critical networks. There’s no need to reinvent the wheel, though—sometimes it boils down to something as simple as bolstering your password protection.