Crypto Mining Rampant in Higher Education

Figures from an analysis of 4.5 million monitored devices across 246 companies show that for every 10,000 devices and workloads, 165 contain active threats. The majority are given a low (113) or medium (18) threat priority; but 34 are ranked high or critical, requiring immediate attention.

Deeper analysis of these figures in Vectra’s 2018 Attacker Behavior Industry Report (PDF) shows the different stages of the attackers’ kill chain found within different vertical industry sectors. Overall, 37% of detections denote C&C activity, 31% denote reconnaissance activity, 24% denote lateral movement, and 6% actual exfiltration attempts. The reducing numbers seem to indicate analysts’ success at mitigating the detections as they progress. The remaining 3% of detections indicate botnet activity.

Applied to the different vertical industries, the analysis shows the fewest threat detections are found in the technology sector (a total of 62 per 10,000 devices) the healthcare sector, (87 per 10,000), and in government (139 per 10,000). Standing out, however, is higher education — with 542 detections per 10,000 devices. Most of these, 395, are considered low priority threats, and are related to crypto mining. 

“The number of low alerts in higher education is over three-times the normal rate, which is indicative of attacker behaviors that are opportunistic,” explains the report. “Inversely, the technology industry has a low volume of devices prioritized as high or critical, which indicates cyberattackers do not often progress deep into the attack lifecycle.” 

Other sectors that stop attacks in their early stages include government and healthcare — indicating the presence of stronger policies, mature response capabilities and better control of the attack surface; possibly because of greater regulation and oversight in these sectors. The very high number of low priority threats in higher education is largely down to a spike in crypto mining.

Higher education is unlike any other industry sector. Its users are not employees and are traditionally averse to outside control — they will not automatically accept the security controls that can be applied to direct employees, and security teams can rarely impose them. At the same time, the student environment is an attractive target, especially for crypto mining.

“Higher education has a large number of students who are not protected by universities with open networks,” explains Vectra. These same students also engage in their own crypto mining because they get free electricity, which is the highest direct cost of crypto mining (crypto mining uses computer resources to convert electricity into money). Geographically, most of this mining activity is done in Asia (76%), with 20% in North America, and just 4% in Europe. Sixty percent of all crypto mining detections uncovered by Vectra occurred in higher education.

The breakdown between mining by malware and mining by choice is not clear. It’s a mixture of both, Chris Morales, Vectra’s head of security analytics told SecurityWeek. “It’s more likely college students crypto mining from their dorm rooms with a dose of outside actors,” he added. “For example, some students could be watching pirated movies from an untrusted website that is crypto mining throughout the entire watching session. It would go unnoticed. This movie watching example really happens and was described to me by a security director at a large university as a problem they have to handle.

“Students are more likely to perform crypto mining personally as they don’t pay for power, the primary cost of crypto mining,” continued Morales. “Universities also have high bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music, and software) hosting crypto mining malware.”

Higher education can only respond to students they discover engaged in crypto mining with a notice the activity is occurring. They can provide assistance in cleaning machines or in the case of the student being responsible, they can issue a cease and desist. Corporate enterprises can enforce strict security controls to prevent such behaviors; but universities do not have the same luxury with students. “They can at best,” explains Morales, “advise students on how to protect themselves and the university by installing operating system patches and creating awareness of phishing emails, suspicious websites and web ads.”

Vectra’s Cognito platform — the source for the analysis — uses continuous AI-enhanced anomaly detection to uncover threat behavior from network logs. It applies a scoring system to flagged behavior to reduce the high number of detected events to a low number of actual threats. For example, in this study (and on average), 26,432 events were flagged in every 10,000 devices. These were distilled down through 1,403 detections to 818 devices (per 10,000) with detections.

San Jose, Calif-based Vectra Networks raised $36 million in a Series D funding in February 2018, bring the total raised to $123 million. The funds are earmarked for further development of the Cognito ‘attack in progress’ threat hunting platform, and to fund a new research-and-development (R&D) center in Dublin, Ireland. 

Related: Don’t be a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond 

Related: Crypto-Mining Botnet Ensnares 500,000 Windows Machines