Microsoft, Intel Team Up To Clamp Down On Cryptominers

Microsoft is integrating a powerful hardware-based threat detection technology into an enterprise security product to help protect businesses from cryptojacking malware.

The integration of Intel Threat Detection Technology with Microsoft Defender for Endpoint was announced Monday in a blog post by Karthik Selvaraj, principal research manager for the Microsoft 365 Defender Research Team.

"Microsoft's approach is sound," observed Dirk Schrader, global vice president of New Net Technologies, a Naples, Fla.-based provider of information technology security and compliance software.

He explained that because cryptominers consume a negligible amount of power, they are frequently overlooked by security teams.

"Despite its rise, cryptojacking is still viewed as a minor annoyance by many organizations, something that security teams tend to overlook given their other responsibilities and the fact that systems are running 24/7 anyway," he explained.

Oftentimes, security teams fail to follow through because cryptomining is difficult to detect in the enterprise.

"Slow or sluggish machines have become the norm in many enterprises as a result of bloated software and the numerous threat detection and automated upgrades performed on them," explained Purandar Das, CEO and cofounder of Sotero, a data protection company based in Burlington, Massachusetts.

"Also, there are no visible signs to the end user — other than network communication," according to him.

The issue with failing to foil cryptominers is that the cryptocurrency mined at these organizations is then used to fund other nefarious activities carried out by criminal gangs or state-sponsored actors, Schrader asserted.

Performance Advantages

According to Das, executing security tasks in a hardware module, as Microsoft and Intel do, provides significant performance benefits.

"The process of resource utilization-based identification and even resource monitoring is significantly faster than software-based approaches," he explained.

"Equally important," he continued, "it eliminates the need for buggy and potentially vulnerable software to be deployed."

Additionally, Intel TDT provides system defenders with visibility into what is happening at the CPU layer, according to Erich Kron, security awareness advocate at KnowBe4, a Clearwater, Fla.-based provider of security awareness training.

"This makes it more difficult for cryptojackers to conceal their activities, as opposed to gathering this information through software solutions," he explained.

"In this case," he continued, "TDT is looking for abnormal behavior that the malware could otherwise mask as normal activity."

Catching Coin Miners at the CPU

Intel TDT uses machine learning to analyze low-level hardware telemetry directly from the CPU performance monitoring unit (PMU) in order to detect the malware code execution "fingerprint" at runtime with a minimum of overhead, Selvaraj wrote.

TDT makes use of a comprehensive set of performance profiling events available in Intel SoCs (systems on a chip) to monitor and detect malware at its final execution point (the CPU), he continued.

This occurs regardless of the obfuscation technique used, including when malware is hidden within virtualized guests, and without the use of intrusive techniques such as code injection or complex hypervisor introspection, he added.

Additional performance gains are possible by offloading some machine learning operations to Intel's integrated graphics processing unit (GPU).

Selvaraj explained that the TDT technology is based on telemetry signals from the PMU, the unit that records low-level information about the performance and microarchitecture of instructions processed by the CPU.

Coin miners rely heavily on repeated mathematical operations. The PMU records these operations and generates a signal when a predefined level of usage is reached.

The signal is processed by a layer of machine learning that is capable of recognizing the footprint left by the coin mining activity. Because the signal originates solely from CPU utilization caused by malware execution characteristics, it is unaffected by common antimalware evasion techniques such as binary obfuscation or memory-only payloads.

"With Intel's TDT, we can use machine learning to block cryptojacking attacks that are based on repeated mathematical operations performed by cryptominers," explained Rohit Dhamankar, vice president for threat intelligence products at Alert Logic, a Houston-based application and infrastructure security company.

"This approach does not rely on individual signatures, which enables cryptojacking malware to evade detection by traditional antivirus or endpoint detection and response software," he explained.

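The two-stage pipeline the article describes, a cheap counter threshold in front of a small learned model, as an added Python example (not Intel's or Microsoft's code): the counter names, the threshold, the training windows and the nearest-centroid model are all constructed for illustration, and the real TDT events and model are not on this page. What it shows is that the detector never looks at the binary, so a renamed or packed miner with the same execution profile is classified the same way, while a busy but benign workload that trips the threshold is handed back as benign by the second stage.

```python
"""Toy PMU-telemetry coin-miner detector (added example, not Intel/Microsoft code).

Stage 1 mimics the PMU raising a signal once a predefined level of a counter is
reached; stage 2 is a small learned model over the counter "fingerprint".
Counter names, thresholds and every number below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import dist
from statistics import mean


@dataclass(frozen=True)
class PmuSample:
    """One telemetry window for one process (constructed, not real TDT event names)."""
    process: str
    cycles: int        # unhalted core cycles
    instructions: int  # instructions retired
    arith_ops: int     # hypothetical counter: integer/vector arithmetic instructions retired


# Constructed "predefined level of usage": the share of retired instructions that are
# arithmetic, above which the PMU stage raises a signal for the ML stage to examine.
ARITH_SHARE_THRESHOLD = 0.30


def features(s: PmuSample) -> tuple:
    """Feature vector: (instructions per cycle, arithmetic share of instructions)."""
    return (s.instructions / s.cycles, s.arith_ops / s.instructions)


def pmu_signal(s: PmuSample) -> bool:
    """Stage 1: cheap hardware-style gate; nothing reaches the model until this fires."""
    return features(s)[1] >= ARITH_SHARE_THRESHOLD


# Constructed labelled training windows: three benign workloads, two miners.
TRAINING = [
    (PmuSample("word-processor", 1_000_000_000, 900_000_000, 90_000_000), False),
    (PmuSample("browser", 2_000_000_000, 2_400_000_000, 360_000_000), False),
    (PmuSample("compiler", 3_000_000_000, 4_500_000_000, 900_000_000), False),
    (PmuSample("miner-1", 4_000_000_000, 12_000_000_000, 8_400_000_000), True),
    (PmuSample("miner-2", 5_000_000_000, 16_000_000_000, 12_000_000_000), True),
]


def centroid(label: bool) -> tuple:
    """Mean feature vector of the training windows carrying the given label."""
    vecs = [features(s) for s, is_miner in TRAINING if is_miner == label]
    return (mean(v[0] for v in vecs), mean(v[1] for v in vecs))


MINER_CENTROID = centroid(True)
BENIGN_CENTROID = centroid(False)


def looks_like_miner(s: PmuSample) -> bool:
    """Stage 2: nearest-centroid classifier over the counter fingerprint.

    Features are left unscaled for brevity; a real model would normalise them.
    """
    f = features(s)
    return dist(f, MINER_CENTROID) < dist(f, BENIGN_CENTROID)


def detect(s: PmuSample) -> str:
    """Verdict for one window: 'coin-miner', 'benign', or 'no-signal' (gate did not fire)."""
    if not pmu_signal(s):
        return "no-signal"
    return "coin-miner" if looks_like_miner(s) else "benign"


# Constructed test windows. The packed miner has a harmless-looking process name and
# different bytes on disk, but the same execution profile, which is all this detector sees.
PACKED_MINER = PmuSample("svchost-lookalike", 2_000_000_000, 6_200_000_000, 4_200_000_000)
SPREADSHEET = PmuSample("spreadsheet", 1_000_000_000, 1_100_000_000, 220_000_000)
VIDEO_ENCODER = PmuSample("video-encoder", 3_000_000_000, 6_000_000_000, 2_100_000_000)

if __name__ == "__main__":
    for sample in (PACKED_MINER, SPREADSHEET, VIDEO_ENCODER):
        print(f"{sample.process:20} {detect(sample)}")
```

The video encoder is the instructive case: its arithmetic share crosses the stage-1 threshold, so the gate fires, but its overall profile sits closer to the benign centroid and the second stage declines to flag it. That division of labour is what keeps a hardware-side threshold cheap enough to run continuously without drowning the endpoint product in false positives.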
Agentless Malware Detection

Selvaraj continued, "The TDT integrated solution can also reveal coin miners hiding in unprotected virtual machines or other containers."

"Microsoft Defender for Endpoint can terminate the virtual machine or report abuse of virtual machines, thereby preventing the spread of an attack and conserving resources," he wrote.

"This is a first step toward agentless malware detection, in which the 'protector' can protect the asset from the 'attacker' without requiring the 'protector' to run on the same operating system," he added.

Any advancements in the removal of coin miners from enterprise systems will be welcomed by security teams, as cryptojacking is notoriously difficult to detect.

"By design, cryptojacking is extremely stealthy," observed Josh Smith, a security analyst with Nuspire Networks, a managed security services provider based in Walled Lake, Michigan.

"Coin miners attempt to avoid making noise similar to a ransomware attack, as this would be counterintuitive and reduce generated revenue," he explained.

"Cryptojacking can be carried out through malware, in which the mining code is directly installed on the victim machine – typically via phishing emails – or through code installed on websites. When a user interacts with a website, a script is invoked to carry out the mining," he clarified.

The Bigger Problem

Skilled coin miners can be exceedingly difficult to detect, Kron added.

"They may go dormant or throttle back activity during times when users are actively using the devices, and then ramp up activity during times such as after hours, when users are unlikely to notice the performance issues or increased noise caused by overworked systems," he explained.

"While cryptojacking software can cause system lockups or reboots when pushed hard, many organizations do not view these events as indicators of compromise and do not monitor the CPU usage of workstations within the organization, which makes it easier for the malware to conceal its activities," he noted.

He added that as cryptocurrency values continue to rise, cybercriminals will become more interested in cryptojacking, resulting in an increase in attacks.

However, he continued, the more serious problem with cryptojacking is that the malware is frequently not operating in isolation on the devices.

"It could be a component of a larger infection that includes banking trojans, password stealers, and possibly ransomware," he explained. "If attackers can infect systems with cryptojacking malware, they can also infect them with other malware."


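Kron's point that organizations rarely monitor workstation CPU usage, and that miners ramp up after hours, suggests a simple baseline check that needs no hardware support. The following is an added Python example, not code from the article or from either vendor: it reads constructed `<timestamp> <host> cpu=<pct>` telemetry lines and flags hosts whose off-hours median utilization is sustained and well above their own in-hours baseline. The business-hours window, the thresholds, the hostnames and every reading are assumptions made for the example.

```python
"""Added example: flag hosts whose CPU is busy mainly out of hours (constructed data)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(9, 18)   # 09:00-17:59 on weekdays; constructed policy
SUSTAINED_CPU = 70.0            # percent; constructed "working hard" threshold
MIN_OFF_HOURS_SAMPLES = 4       # never judge a host on a single noisy reading


def parse_line(line: str):
    """Parse one constructed telemetry line of the form '<iso-timestamp> <host> cpu=<pct>'."""
    ts, host, cpu = line.split()
    return datetime.fromisoformat(ts), host, float(cpu.split("=", 1)[1])


def is_business_hours(ts: datetime) -> bool:
    """True for weekday readings inside the constructed business-hours window."""
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


def flag_hosts(lines) -> dict:
    """Return {host: (in_hours_median, off_hours_median)} for hosts whose off-hours CPU
    is sustained high AND more than double their own in-hours median.

    Comparing a host to its own daytime baseline keeps legitimately busy machines
    (render boxes, build servers) from being flagged just for being busy at night.
    """
    per_host = defaultdict(lambda: ([], []))      # host -> (in_hours, off_hours)
    for line in lines:
        ts, host, cpu = parse_line(line)
        per_host[host][0 if is_business_hours(ts) else 1].append(cpu)
    flagged = {}
    for host, (in_hours, off_hours) in per_host.items():
        if len(off_hours) < MIN_OFF_HOURS_SAMPLES:
            continue
        in_med = median(in_hours) if in_hours else 0.0
        off_med = median(off_hours)
        if off_med >= SUSTAINED_CPU and off_med > 2 * in_med:
            flagged[host] = (in_med, off_med)
    return flagged


def _lines(host: str, readings) -> list:
    """Build constructed log lines from (iso-timestamp, cpu-percent) pairs."""
    return [f"{ts} {host} cpu={cpu}" for ts, cpu in readings]


MON, TUE = "2024-03-04T", "2024-03-05T"   # a Monday and the following Tuesday
DAY = [MON + t for t in ("10:00:00", "12:00:00", "14:00:00", "16:00:00")]
NIGHT = [MON + "19:00:00", MON + "21:00:00", MON + "23:00:00", TUE + "01:00:00", TUE + "03:00:00"]


def _day_night(host: str, day_cpu, night_cpu) -> list:
    """Constructed readings for one host: four daytime samples, five overnight samples."""
    return _lines(host, list(zip(DAY, day_cpu)) + list(zip(NIGHT, night_cpu)))


# Constructed telemetry: one quiet-by-day, pegged-all-night workstation, one ordinary
# workstation, and one machine that is legitimately busy around the clock.
SAMPLE_LINES = (
    _day_night("WS-01", [15, 22, 18, 20], [88, 91, 95, 90, 93])
    + _day_night("WS-02", [35, 40, 30, 45], [4, 3, 5, 2, 3])
    + _day_night("RENDER-01", [80, 85, 90, 82], [88, 90, 87, 89, 86])
)

if __name__ == "__main__":
    for host, (day, night) in flag_hosts(SAMPLE_LINES).items():
        print(f"{host}: in-hours median {day:.0f}%, off-hours median {night:.0f}%")
```

Only WS-01 is reported: RENDER-01 is just as busy overnight, but its daytime baseline is equally high, so the ratio test leaves it alone. A real deployment would read these samples from whatever endpoint agent or metrics pipeline is already in place and would tune the window and thresholds per host class.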