
Researchers Find a Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue


Jun 24, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency


Cybersecurity researchers have detailed two novel techniques that can be used to disrupt cryptocurrency mining botnets.

The techniques take advantage of the design of several common mining topologies in order to shut down the mining process, Akamai said in a new report published today.

“We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet’s effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure and even abandon the entire campaign,” security researcher Maor Dahan said.


The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol in a way that causes an attacker’s mining proxy or wallet to be banned by the pool, effectively disrupting the operation.

The first of the two approaches, dubbed bad shares, involves getting the mining proxy banned from the pool, which, in turn, shuts down the entire operation and causes the victim’s CPU usage to plummet from 100% to 0%.

While a mining proxy acts as an intermediary and shields an attacker’s mining pool and, by extension, their wallet addresses, it also becomes a single point of failure: interfering with its normal function disrupts every miner behind it.

“The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool,” Dahan explained. “Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet.”

In practice, this involves using an in-house developed tool called XMRogue to impersonate a miner, connect to the mining proxy, submit consecutive bad shares, and ultimately get the mining proxy banned from the pool.

The second method devised by Akamai targets scenarios where a victim miner is connected directly to a public pool without a proxy, leveraging the fact that the pool can ban a wallet address for one hour if it has more than 1,000 workers.

In other words, initiating more than 1,000 concurrent login requests using the attacker’s wallet will force the pool to ban that wallet. However, it is worth noting that this is not a permanent solution, since the account recovers as soon as the multiple login connections are stopped.
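The two pool-side behaviours the techniques depend on, as a constructed model added here (this is not Akamai's XMRogue and not any real pool's code): a pool that bans a source IP after a run of consecutive invalid shares, and a pool that bans a wallet for one hour once more than 1,000 workers log in under it. Messages follow the Monero-style Stratum JSON-RPC shape (`login` / `submit`); the bad-share threshold, the IP addresses and the wallet string are assumptions, and the pool's proof-of-work check is replaced by a `pow_valid` flag because verifying a real share requires the RandomX hash.

```python
# Constructed simulation of two pool policies (not XMRogue, not a real pool).
# BAD_SHARE_LIMIT is assumed; the 1,000-worker limit and one-hour ban are from
# the article. pow_valid stands in for the pool's proof-of-work verification.
import json
from collections import defaultdict

BAD_SHARE_LIMIT = 5             # assumed: the article gives no threshold
MAX_WORKERS_PER_WALLET = 1000   # from the article
WALLET_BAN_SECONDS = 3600       # one hour, from the article


class PoolPolicy:
    def __init__(self):
        self.bad_streak = defaultdict(int)   # src_ip -> consecutive bad shares
        self.banned_ips = set()
        self.workers = defaultdict(set)      # wallet -> {(src_ip, conn_id)}
        self.conn_wallet = {}                # (src_ip, conn_id) -> wallet
        self.wallet_ban_until = {}           # wallet -> time (s) the ban expires

    def login(self, src_ip, conn_id, raw, now):
        """Process a Stratum 'login' from one TCP session at time `now` (seconds)."""
        msg = json.loads(raw)
        if src_ip in self.banned_ips:
            return "rejected: ip banned"
        # Pools commonly accept wallet.worker or wallet+diff; key on the wallet only.
        wallet = msg["params"]["login"].split(".")[0].split("+")[0]
        if self.wallet_ban_until.get(wallet, 0) > now:
            return "rejected: wallet banned"
        key = (src_ip, conn_id)
        self.workers[wallet].add(key)
        self.conn_wallet[key] = wallet
        if len(self.workers[wallet]) > MAX_WORKERS_PER_WALLET:
            # Method 2: too many workers on one wallet -> one-hour wallet ban.
            self.wallet_ban_until[wallet] = now + WALLET_BAN_SECONDS
            for k in self.workers.pop(wallet):
                self.conn_wallet.pop(k, None)
            return "rejected: wallet banned"
        return "ok"

    def submit(self, src_ip, conn_id, raw, pow_valid):
        """Process a 'submit'; pow_valid is the outcome of the pool's PoW check."""
        json.loads(raw)  # parse only; validity is decided by pow_valid in this model
        if src_ip in self.banned_ips:
            return "rejected: ip banned"
        if (src_ip, conn_id) not in self.conn_wallet:
            return "rejected: not logged in"
        if pow_valid:
            self.bad_streak[src_ip] = 0
            return "ok"
        self.bad_streak[src_ip] += 1
        if self.bad_streak[src_ip] >= BAD_SHARE_LIMIT:
            # Method 1: the IP is banned. When that IP is a proxy, every bot
            # behind it loses its session at once.
            self.banned_ips.add(src_ip)
            for k in [k for k in self.conn_wallet if k[0] == src_ip]:
                self.workers[self.conn_wallet.pop(k)].discard(k)
            return "rejected: ip banned"
        return "rejected: low difficulty share"


def login_msg(wallet, conn_id):
    """Constructed login in the Monero Stratum shape."""
    return json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                       "params": {"login": wallet, "pass": f"w{conn_id}", "agent": "sim/0.1"}})


def submit_msg(job_id, nonce):
    """Constructed submit; the result hash is a placeholder."""
    return json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                       "params": {"id": "sess", "job_id": job_id, "nonce": nonce,
                                  "result": "00" * 32}})


WALLET = "CONSTRUCTED_WALLET_ADDRESS"  # placeholder, not a real address


def demo_bad_shares():
    """Method 1: three bots behind one proxy IP; a run of bad shares bans the IP."""
    pool = PoolPolicy()
    proxy_ip = "198.51.100.10"  # constructed, RFC 5737 documentation range
    for c in range(3):
        pool.login(proxy_ip, c, login_msg(WALLET, c), now=0)
    last = None
    for n in range(BAD_SHARE_LIMIT):
        last = pool.submit(proxy_ip, 0, submit_msg("job1", f"{n:08x}"), pow_valid=False)
    # A valid share from another bot behind the same proxy is now refused too.
    after = pool.submit(proxy_ip, 1, submit_msg("job1", "deadbeef"), pow_valid=True)
    return last, after, len(pool.workers[WALLET])


def demo_wallet_flood():
    """Method 2: the 1,001st worker bans the wallet; it is usable again after an hour."""
    pool = PoolPolicy()
    last = None
    for i in range(MAX_WORKERS_PER_WALLET + 1):
        last = pool.login(f"203.0.113.{i % 250}", i, login_msg(WALLET, i), now=0)
    during = pool.login("203.0.113.1", 9999, login_msg(WALLET, 9999), now=60)
    after = pool.login("203.0.113.1", 9999, login_msg(WALLET, 9999), now=WALLET_BAN_SECONDS + 1)
    return last, during, after
```

The model makes the two asymmetries in the article visible: in the first scenario a single banned IP takes every session behind the proxy with it, while in the second the wallet ban expires on its own once the extra logins stop, which is why the article calls the second method temporary.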


Akamai noted that while the aforementioned methods have been used against Monero cryptocurrency miners, they can be extended to other cryptocurrencies as well.

“The techniques presented above show how defenders can effectively shut down malicious cryptominer campaigns without disrupting the legitimate pool operation by taking advantage of pool policies,” Dahan said.

“A legitimate miner will be able to quickly recover from such an attack, as they can easily modify their IP or wallet locally. This procedure would be much more difficult for a malicious cryptominer as it would require modifying the entire botnet. For less sophisticated miners, however, this defense could completely disable the botnet.”
