Under multiple supervision, who is still "mining"?

introduction

Since 2021, when the supervision of virtual currency "mining" continues to increase, who is still mining?

The "mining" incident happened again

On April 6, according to a Weibo blogger, Zhang Mou, an employee of a new energy automobile company, used the company's server resources to dig virtual currency. This person originally served as the administrator of a cluster server and used his position to carry out "mining" behavior. During the investigation, Zhang confessed to his violations, which were suspected of violating the second paragraph of article 285 of the Criminal Law of the People's Republic of China, which had a negative impact on the security of enterprise computer systems and commercial information security.

Relevant policies, multi-pronged approach

Since 2021, the supervision of virtual currency "mining" has continued to increase:

As early as May 2021, the Financial Stability and Development Committee of the State Council (hereinafter referred to as the "Financial Commission") has set the tone to resolutely crack down on bitcoin mining and trading behavior, and prevent individual risks from being transmitted to the social field.

Since September 2021, the Ministry of Industry and Information Technology, the National Development and Reform Commission, the Ministry of Public Security, the People's Bank of China, the Banking and Insurance Regulatory Commission, the National Energy Administration, the Cyberspace Administration and other departments and other departments have successively introduced relevant measures to increase the verification and rectification of "mining".

Starting from the fourth quarter of 2021, domestic operators, educational institutions and other enterprises have continuously banned mining pool addresses at home and abroad in accordance with the requirements of the National Development and Reform Commission and the Cyberspace Administration of China, and known web pages and APPS cannot be accessed, and the major domestic mining groups are also a ghost crying wolf.

At the same time, it is also cracking down on individual "mining" behavior:

In the enterprise unit, if there is a phenomenon of individual "mining", it will be directly stopped and ordered to rectify.

In the home bandwidth, if you use the computer to mine at home, the operator will also detect that there is a mining behavior, and directly shut down the network bandwidth at home.

All walks of life, still exist

Active mining pools, all overseas

High yields have led to repeated prohibitions on malicious mining activities

In recent years, the price of virtual currency has soared, and this high yield has attracted various participants to join the mining industry, which is also the main reason for the prevalence of malicious mining activities.

Malicious mining programs usually accompanied by the prosperity of the cryptocurrency market and appear, cryptocurrency prices and malicious mining activities have a certain correlation, the higher the price, the more active malicious mining activities, and this year is the most crazy year of cryptocurrency development and appreciation over the years, and now countries are vigorously developing blockchain technology, the future for a long time, the cryptocurrency industry will not fade, and all kinds of malicious activities caused by cryptocurrencies will be more popular, the network security situation will be more complex and changeable.

The harm of malicious mining

Having the ability to hide itself doesn't mean it won't cause damage to your device. In fact, this theft of computing resources can significantly reduce the speed of operation, increase power consumption, and shorten the service life of equipment, thus affecting the normal operation of the business or production environment.

Infected devices typically have the following more noticeable negative effects:

The system is running slowly

Increase processor usage

The device is overheating

Increased power consumption

Malicious mining activities on a single device impact is relatively small, but if the network environment encounters a wide range of infection, the network will appear obvious caton, running too slow and other abnormal phenomena, resulting in performance degradation or even crash situation, if the infection is from the utilities, manufacturing, energy industry, financial industry entity organization, malicious mining may also affect the security of its important business and data, thereby causing a series of chain reactions, resulting in difficult to assess the operation, production losses.

According to the data research and analysis of Anheng Information Hunting Laboratory for multiple malicious mining groups and malicious mining Trojan families, it is found that the attackers are trying the following means to mine:

Use new techniques that hide CPU usage

The researchers found that the Golang worm mining Trojan disables the hardware prefetcher through a specific type of register (MSR) driver. A hardware prefetcher is a new technology in which the processor prefetches data based on the kernel's past access behavior, and the processor (CPU) stores instructions from main memory into the L2 cache by using a hardware prefetcher. However, on multi-core processors, using hardware prefetching can impair functionality and lead to an overall degradation in system performance. XMRig needs to rely on the processing power of the machine to mine Monero coins, and disabling MSR can effectively prevent the performance of the system from degrading, thereby improving mining efficiency.

Black-producing organizations compete for mining resources

In malicious mining activities, there may be a situation where two malicious mining families compete with each other for the resources of the victim computer, this contest is usually carried out in the Linux and cloud environments, and the mining Trojan will use a variety of methods to clean up or block and interfere with the mining behavior of other families on the victim host, and remove competitors from the system to enjoy the resources exclusively.

More well-known is the cloud resource scramble between Pacha and Rocke, both of which use very similar techniques, tactics, and methods, and compete with each other to help improve operator skills.

Industrial control system has become the target of new mining machines

With the passage of time, mining activities produce fewer and fewer virtual currencies, and the demand for computing power is increasing, and some attackers are no longer satisfied with choosing such as pCs or mobile devices as their mining tools, but instead set their sights on infrastructure with high performance and high processing power. There may also be outdated or unpatched software in the internal network of industrial control systems, as the deployment of new operating systems and updates can inadvertently disrupt critical legacy platforms, so the system may remain in older versions.

Factories are a tempting target for attackers engaged in malicious mining activities, and since many baseline operations do not use a lot of processing power, but consume a lot of power, this makes it relatively easy for mining malware to mask its CPU and power consumption, and even if the system is abnormal, it takes considerable time cost to troubleshoot cyber threats on the control system.

How to prevent malicious mining

For individuals

To prevent personal computers from being used by malicious mining, each of us should take security measures from the following aspects:

1. Raise personal safety awareness, download and install applications from normal application markets and channels, do not easily install third-party software from unknown sources, or click and visit some undesirable web pages with inducing nature at will.

2. Install antivirus software or security guard, and regularly carry out a total search.

3. Fix system vulnerabilities in time and update system versions, software versions and application versions.

For businesses

To prevent computing resources from being used by malicious mining, enterprises should take security precautions from the following four aspects:

1. Cloud intelligence: Use cloud intelligence capabilities, online expert service capabilities and offline security equipment to accurately locate and deal with local malicious mining threats;

2. Network traffic: Using traffic detection and big data analysis technology, multi-dimensional and in-depth analysis, identify the characteristics of malicious mining attacks in the network, and link security devices to achieve automatic disposal;

3. Border defense: Use border gateway products to achieve early warning and interception of malicious behaviors and malicious connections in the network, and realize the refined control of north-south data traffic;

4. Endpoint security: Use the terminal security protection platform to provide virus defense capabilities for the terminal, identify abnormal programs and abnormal connections in the terminal, isolate the terminal and kill mining viruses.

The solution is as follows: