By Jeff Nathan
When it comes to enterprise security, insider threats—whether malicious or inadvertent—must be top of mind. Most envision intentional insider threats as disgruntled employees stealing data to sell for profit or corporate espionage. But there is a new, resource- and dollar-stealing risk on the block that companies should be on the lookout for: shadow mining.
Shadow mining involves privileged insiders, such as IT or operational security staff, subtly manipulating an organization’s IT infrastructure (without the organization’s IT department’s knowledge or consent) for the sole purpose of mining cryptocurrencies. While cryptocurrency mining has made headlines, shadow mining is different because it’s a covert operation by those entrusted to operate and defend a company’s infrastructure. It’s brought to light a whole new class of insider threats.
How much could this ultimately cost an organization? That’s a tough and tailored question to answer. But, for context, in 2014, a researcher was discovered to have misused upwards of $150,000 in NSF-supported computer usage to mine cryptocurrencies over two years, across two campuses. The costs could be much higher if undertaken by IT or operational security staff.
Understanding why a privileged employee may deploy shadow mining efforts, what the business and security risks associated with these attacks are, and how attacks may be deployed can all help combat this emerging risk.
Cryptocurrencies, Crypto Mining and Shadow Mining
Cryptocurrencies have become a potentially high-yield money-making opportunity for those willing to experience their wild market value fluctuations.
Only basic system administration skills and access are required to mine cryptocurrencies, and there are thousands of instructional videos online. But those deploying miners face a major hurdle to turning a profit: the steep cost of the required computing power, including electricity. Unscrupulous insiders have devised schemes to hijack IT resources from their organizations (and individual users’ machines) and use them for illicit cryptocurrency mining. After all, it’s an easy profit if you have no overhead. But this ‘easy profit’ comes at a high cost to the enterprises that are exposed.
To offer another example, in 2018, the Florida Department of Citrus noticed that its energy bill had skyrocketed nearly 40% over three months. They discovered that an employee had been mining cryptocurrency on the network. He had also used $22,000 in departmental funds to purchase 24 graphics processing units in order to increase the efficiency of his three-month operation. Imagine the costs if this were scaled over time and across larger networks.
Understanding and Detecting Shadow Mining
Successful shadow mining, which requires a low and slow distributed approach, depends on deliberately configuring security systems to function incorrectly and introducing unknown Internet-connected software to the network. From a network perspective, an admin would simply have to deploy mining applications and their configuration files to user systems and execute them there.
The code and related underpinnings to mine cryptocurrencies are relatively easy to distribute. The applications can be manipulated to appear as standalone programs that don’t require installation on a target system. Once in place, each is quickly tuned to have a relatively low impact on the system performance.
To a user logged in without privileges, the crypto mining applications are then indistinguishable from legitimate processes with the same name, unless the user views their file locations. (Most users never look at process details, let alone the file location of a running process.) And when tuned to consume very little processing power (to create as little system impact as possible), the systems appear completely normal to users.
Security Risks and the Impact of Shadow Mining
Shadow mining depends on security systems being deliberately misconfigured to allow for the installation of unauthorized applications — truly an insider threat. But the threat net should be cast wider than one might initially suspect.
For a shadow mining operator to be successful, they must deploy mining applications across many systems, and the miner apps must remain stealthy. All software contains weak points and consumes resources. Installing additional, unauthorized Internet-connected applications increases every computer’s attack surface, and those added surfaces multiply across the fleet, making the enterprise as a whole less secure.
For instance, when software accepts data as input, it must take care to use that data safely. Many times, software isn’t careful enough and is vulnerable. Thus, a miner might make a mistake in how it parses incoming data and be vulnerable to exploitation. Miners read data from the command line (when they’re started) and over the network, and some of them read files off a disk. All of these inputs are potential vulnerabilities.
These vulnerabilities render affected computers less reliable, jeopardizing not only your security but also your business objectives.
Business Risks and the Impact of Shadow Mining
Corporate shadow miners have access to an enormous aggregate amount of computing power and electricity. Akin to skimming, they take just a little from every access point so that they have enough to mine for cryptocurrencies but not enough to be easily noticed.
If you factor in all the various incremental impacts of shadow miners on a corporate network, a company’s bottom line can be severely impacted over time, including ‘on-the-clock’ time spent in pursuit of shadow mining instead of professional productivity, incremental loss in customer service due to lower computing power, and the increased energy bills over time.
Combatting Shadow Mining
While shadow mining is a true insider threat, there are ways to combat it.
Deploying shadow mining tools leaves telltale artifacts of the activity. A seasoned professional armed with the appropriate skills, data and resources can detect these artifacts and launch an investigation.
We know mining requires a substantial amount of energy, distributed across the entire network. One of the simplest ways to combat mining is to routinely scrutinize your electricity bill: look for anomalies in your bill and, if seen, start looking for suspicious activity.
But this does not all have to be done manually. With AI and machine learning, cybersecurity tools can learn which behaviors are anomalous and which are within your daily operations. For example, there are security management platforms on the market that utilize advanced behavioral analytics to study user and device behavior, establish a baseline and immediately alert security analysts to actions straying from the norm. The tools provide sequential timelines that offer an overview of the actions, leading to quick identification of the problem and remediation.
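A baseline-and-deviation check of the kind described above, as an added example that is not part of the original article: it takes per-host off-hours idle CPU readings, learns each host's own baseline over the first week, and then flags two things the low-and-slow, skimming-style pattern leaves behind: individual hosts whose usage has shifted above their baseline, and a fleet-wide alert when a large fraction of hosts shift at once even though each shift is small. The telemetry, thresholds and host names are constructed assumptions for the example.

```python
from statistics import median


def build_sample():
    # Constructed telemetry: 14 days of off-hours idle CPU (%) for six hosts.
    # Days 1-7 are the baseline window; from day 8, four hosts rise by a
    # modest 4 points at the same time, the footprint of a quiet rollout.
    hosts = {}
    for h in range(6):
        base = 2.0 + h * 0.5
        hosts[f"host{h}"] = [base + (d % 3) * 0.2 for d in range(1, 15)]
    for h in ("host1", "host2", "host3", "host4"):
        hosts[h] = hosts[h][:7] + [v + 4.0 for v in hosts[h][7:]]
    return hosts


def mad(values, center):
    # Median absolute deviation, floored so a flat baseline still has spread.
    return median(abs(v - center) for v in values) or 0.1


def host_shift(series, baseline_days=7, k=3.0, min_margin=1.5):
    """Return (shift above baseline median, whether it crosses the threshold)."""
    base, obs = series[:baseline_days], series[baseline_days:]
    center = median(base)
    threshold = center + max(k * mad(base, center), min_margin)
    shift = median(obs) - center
    return shift, median(obs) > threshold


def detect(hosts, fleet_fraction=0.5, small_shift=0.5):
    """Per-host alerts plus a fleet alert when many hosts shift a little at once."""
    per_host = {h: host_shift(s) for h, s in hosts.items()}
    flagged = sorted(h for h, (_, hit) in per_host.items() if hit)
    shifted = sum(1 for shift, _ in per_host.values() if shift > small_shift)
    return {"hosts": flagged, "fleet_alert": shifted / len(hosts) >= fleet_fraction}
```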
The simple truth is that there’s a possibility that your enterprise admins or operational security staff are conducting illegal shadow mining activity via your infrastructure and profiting from their efforts, while decreasing your bottom line and putting your company — and customers — at risk. But understanding shadow mining activity, and ways to detect it, can help secure both your business and your stakeholders.
About Jeff Nathan
For more than 20 years, Jeff Nathan has worked primarily on solving security problems as a researcher, software developer, analyst, author and security evangelist. He has worked independently and within teams to research and develop new technologies, commercial and open source software.