Detecting Cryptojacking with Progress Flowmon

In the ever-evolving landscape of cybersecurity threats, cryptojacking has emerged as a stealthy and financially motivated attack method. In attacks of this type, cybercriminals hijack servers (or endpoint devices) to use the computing resources to “mine” cryptocurrencies. They get a financial benefit from this activity when they sell the newly minted currencies.  

When this happens, computers get drained of resources needed to serve your business, plus you are spending more for the hijacked power, cooling and computing resources.  

What are some immediate actions to detect this invasive and disruptive activity? Progress Flowmon can help your IT team to better detect and stop cryptojacking infections on your network. Read on to learn how Flowmon helps facilitate this by detecting activities from even the most sophisticated cryptojacking malware. 

What Is Cryptojacking? 

Cryptojacking is a type of cyberattack where attackers exploit system vulnerabilities to mine cryptocurrency without the target organization’s knowledge. Not only does cryptojacking use the resources of the compromised systems, it indicates broader security issues that other attack types, such as ransomware, could exploit.  

In an example scenario, attackers might leverage a Denial of Service (DoS) attack, such as a synchronize (SYN) flood, to create a diversion. This tactic floods target servers with excessive requests, creating noise and distraction, making it harder for traditional monitoring tools to detect the more dangerous exploits happening simultaneously. 

Anatomy of a Cryptojacking Attack 

As outlined in the video below, a typical cryptojacking attack follows several stages. Let’s break it down: 

• DoS smokescreen - The attacker launches a low-volume DoS attack, such as a SYN Flood. This creates noise and distraction on the network that masks the true intention of the attackers: compromising a vulnerable server in your demilitarized zone (DMZ). 

• Exploiting a vulnerability - Using a common attack vector, such as a dictionary attack on Remote Desktop Protocol (RDP), the cybercriminal exploits an unpatched vulnerability to gain full access to a targeted server. 

• Deploy the cryptojacking payload - With access secured, the attacker deploys malicious code, silently turning the server into a cryptocurrency mining node.  

The Limitations of Basic Monitoring Tools 

Monitoring tools for IT infrastructure are essential for achieving optimal performance and availability. However, they may not detect the subtle signs of cryptojacking. Due to the added noise from a DoS attack, the average CPU utilization metric recorded by basic monitoring tools may not immediately trigger any alarms. And the CPU spikes from cryptojacking malware often go undetected even when the DoS ends. 

Detecting Cryptojacking with Flowmon 

Flowmon Anomaly Detection System (ADS) offers a robust solution for improved detection and analysis of cryptojacking activities. Here’s how Flowmon helps: 

• Network Telemetry Data Analysis - Flowmon uses network telemetry data, including IP Flow Information Export (IPFIX) data, enhancing it with threat feeds and attack signatures. This data collection forms the basis for detailed analysis. 

• Advanced Detection Algorithms - Flowmon employs sophisticated algorithms to process collected data, yielding high-level insights and actionable information. This includes references to common vulnerabilities and exposures (CVEs) and MITRE ATT&CK framework details necessary for forensic investigation. 

• Detecting Unusual Activity - Unlike general IT infrastructure monitoring tools, Flowmon ADS helps detect key security events. For instance, while a CPU utilization dashboard might show a spike in server load due to cryptocurrency mining, this could be easily missed or misinterpreted in a standard monitoring setup. Flowmon, however, can effectively highlight such anomalies. 

• Event Summary and Detailed Analysis - Within Flowmon’s Anomaly Detection System (Flowmon ADS), users can view an event summary that provides a clearer picture of the activities under the guise of a DoS attack. This includes the detection of dictionary attack events and the actual mining activity. 

• Direct Integration and Incident Visualization - The integration of Flowmon with other monitoring tools, like Progress WhatsUp Gold, allows for a more simplified transition from general IT monitoring to focused security analysis. Users can view multiple events as a single incident, understanding how a DoS attack masks other exploits. 

• Forensic Details and Remediation Steps - Flowmon provides detailed insights into the nature of an attack, such as the specific exploitation of RDP vulnerabilities (e.g., BlueKeep). This information is crucial for planning remediation steps, such as patching and updating systems to help close security gaps. 

• Understanding the Broader Impact - The analysis capabilities of Flowmon can help you understand the broader implications of cryptojacking, like increased system load, cooling requirements, power usage and higher costs for cloud systems. It also underscores the risk of lateral movement within the network by the attacker. 

These items are explored in the following video presentation. 

Video Overview: Detect Cryptocurrency Mining with Flowmon NDR 

The information outlined in this article is based on and supports the overview and case study presented by Benjamin Hodge, Solution Architect, Progress, in a brief video presentation.  

In the video, Benjamin outlines how Flowmon NDR can detect cryptojacking, even when they are hidden by other attack vectors, such as DoS traffic. You can view the video on the  Flowmon YouTube Channel. 

Final Thoughts 

Cryptojacking is a serious threat to network security. It often goes unnoticed as it is disguised by other attack methods. However, Flowmon ADS can help detect, analyze and provide actionable insights into these types of advanced cyberattacks. Flowmon can help your organization improve its infrastructure security to mitigate the financial and operational impacts of cryptojacking. As a result, your IT team can work with a more secure and robust infrastructure. 

Visit the Flowmon platform page and the Flowmon ADS page for more information.

 Contact us to talk with an expert on how Flowmon can help defend your networks against cryptojacking and other threats.  

Try Flowmon free trial and discover how it can deliver actionable network insights for your organization quickly.