Check out all of our upcoming events

Blog

Get news about our products, which events we are attending plus industry insights and commentary

Detecting Cryptojacking in Carrier Scale Networks

Written by Steve Patton on Monday, 06 August 2018. Posted in Cyber

Cryptojacking is running unwanted applications on endpoints and infrastructure, specifically crypto currency mining software, and it’s hard to detect. The cypto miner is stealing processing capability; Impacts are higher electricity (power and cooling) consumption, slower performance of legitimate applications or services. And high CPU run rates generate more heat and reduce lifetime.

Cryptocurrencies are mined using complex mathematical calculations and require high processing power. An effective way to implement this is across a distributed network of nodes that perform individual calculations. One zero cost way to build such a network of nodes is to inject unauthorised mining software onto unprotected devices (phone, IOT device, laptop, tablet, anything with processing capability and an IP address), through an infected web url, email malware, deliberate insider installation or any hijacking technique. The node will then perform the calculations for free.

Infected nodes need to communicate data, such as results of hash functions to other nodes and results to a control server or wallet. The actual messages are usually very short, and can be disguised as regular network traffic making detection at the endpoint complex.

That means that the best way to detect cryptojacking is to monitor the network for suspicious activity, where a number of devices or nodes are likely to be exhibiting the same anomalous behaviour. Even though usually obfuscated, there can be patterns, such as packet size, port or period between communication sessions, or a pattern of uploading slightly more data than was downloaded.

Using Telesoft unsampled multi 100Gbps carrier scale flow monitoring, collection and analysis system (“TDAC”), the NetOps team within the NSP can discover anomalous traffic patterns which indicate cryptojacking activity. This allows corrective action to be taken to block unauthorised crypto traffic flowing through the network.

Take to Telesoft today about detecting cryptojacking and threat hunting in your network...This email address is being protected from spambots. You need JavaScript enabled to view it.

About the Author

Steve Patton

Steve Patton

Steve is an experienced technical B2B cyber security specialist and Director. Steve is a frequent speaker on topics including security breaches, big data analytics, audit and compliance, and IT forensics.

Information cookies

Cookies are short reports that are sent and stored on the hard drive of the user's computer through your browser when it connects to a web. Cookies can be used to collect and store user data while connected to provide you the requested services and sometimes tend not to keep. Cookies can be themselves or others.

There are several types of cookies:

  • Technical cookies that facilitate user navigation and use of the various options or services offered by the web as identify the session, allow access to certain areas, facilitate orders, purchases, filling out forms, registration, security, facilitating functionalities (videos, social networks, etc..).
  • Customization cookies that allow users to access services according to their preferences (language, browser, configuration, etc..).
  • Analytical cookies which allow anonymous analysis of the behavior of web users and allow to measure user activity and develop navigation profiles in order to improve the websites.

So when you access our website, in compliance with Article 22 of Law 34/2002 of the Information Society Services, in the analytical cookies treatment, we have requested your consent to their use. All of this is to improve our services. We use Google Analytics to collect anonymous statistical information such as the number of visitors to our site. Cookies added by Google Analytics are governed by the privacy policies of Google Analytics. If you want you can disable cookies from Google Analytics.

However, please note that you can enable or disable cookies by following the instructions of your browser.