Who is mining on your server?

Cybercriminals have realized that infecting servers is much more profitable than mining on home users’ computers.

According to observations from our experts, ransomware is on the decline, and a new menace has taken its place at the top of the threat charts: Malicious cryptocurrency mining is on the rise. The total number of users who encountered miners rose from 1,899,236 in 2016–2017 to 2,735,611 in 2017–2018. And with increasing frequency — and greater danger to victims — miners are switching to business targets.

Malicious cryptocurrency mining differs from legitimate mining only in that in the former, malefactors are using hardware that does not belong to them; they either infect computers or lure victims on mining websites. This trend started unremarkably — with attacks on home users. However, each victim brought in paltry bits of income, so threat actors began to look for new targets with more resources.

Infecting a server instead of a home computer potentially may result in many benefits for cybercriminals. Server hardware is far more productive; it can mine more cryptocurrency. Infection of the server is less obvious (especially if malefactors are not too greedy and do not try to occupy all available computing resources). Finally, Web servers can be used to host Web miners, malware that launches mining scripts in client’s browsers.

Does that sound familiar? Malicious miners are following the same career path as ransomware did. First, home users; second, businesses. The next logical step is targeted attacks intended to implant miners in corporate infrastructures. Our experts are sure that such attacks will be registered in the wild soon.

So they are mining. So what?

Some businesses consider malicious mining a minor threat. It does not affect critical information and sometimes does not even affect business processes. That is mainly because cybercriminals carefully analyze the workload of infected servers and take only part of the resources, to evade notice.

However, businesses should be concerned that outsiders are making money from their resources — transforming their electric power into cryptocurrency. That use accelerates wear on equipment, and it will lead to premature server failure. As well, having a cryptominer on your server means that cybercriminals have breached your defenses and are in your infrastructure. Maybe they are not interested in your secrets today, but that doesn’t mean they’ll never think to turn a profit from stealing your data.

What to do

To start with, follow our usual advice: Treat e-mail attachments, or messages from people you don’t know, with caution; keep software updated; use antimalware solutions; and so on. After all, cryptominers are malware, and they spread the way malware does, using attachments and vulnerabilities.

As far as miner-specific advice, monitor your server load. If the daily load changes suddenly, that may be a symptom of a malicious miner. Carrying out regular security audits of your corporate network may also be helpful. And you should not forget about less-obvious targets, such as queue-management systems, POS terminals, and vending machines. Infected, an army of those devices can bring much profit to criminals.

For a reliable security solution that can protect your workstations and servers at the same time, we recommend Kaspersky Endpoint Security for Business. It can detect malware, block malicious websites, automatically detect vulnerabilities, and download and install patches. It can provide security for Web gateways, e-mail servers, collaboration platforms, and much more. To try it, click on the banner below.