A powerful hardware-based threat detection technology is being integrated into a Microsoft enterprise security product to help protect businesses from cryptojacking malware.
The move, which integrates Intel Threat Detection Technology with Microsoft Defender for Endpoint, was announced Monday in a blog written by Karthik Selvaraj, principal research manager for Microsoft 365’s Defender Research Team.
“Microsoft’s approach is a good move,” observed Dirk Schrader, global vice president for New Net Technologies, a Naples, Fla.-based provider of IT security and compliance software.
He explained that since cryptominers are using a small fraction of the power of many devices, they’re often ignored by security teams.
“Cryptojacking, despite its rise, is still seen as a mere nuisance by many organizations, something which isn’t really followed through by security teams as they have lots of other stuff to keep up with and systems are running 24/7, anyway,” he told bluehillco.
Oftentimes, there’s no follow through by security teams because cryptomining can be difficult to detect in the enterprise.
“Slow or sluggish machines are the norm in many enterprises due to bloated software and also due to the many threat detection and automated upgrades that are performed on them,” explained Purandar Das, CEO and cofounder of Sotero, a data protection company in Burlington, Mass.
“Also there are no outward signs — other than network communication — apparent to the end user,” he told bluehillco.
The problem with failing to foil cryptominers is that the cryptocurrency mined at these organizations is then used to fund other nefarious activities by criminal gangs or state-sponsored actors, Schrader maintained.
Executing security tasks in a hardware module, as Microsoft and Intel are doing, has significant performance advantages, Das noted.
“The process of identification based on resource utilization and even resource monitoring is much faster than with software based approaches,” he said.
“Equally importantly,” he continued, “it eliminates the need for deploying software that can be buggy and potentially come with vulnerabilities.”
What’s more, Intel TDT gives system defenders insight into what’s happening at the CPU layer, added Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“This will make it more difficult for cryptojackers to hide their activities, versus attempting to gather this information via software solutions,” he told bluehillco.
“In this case,” he continued, “TDC is looking for abnormal behavior that may otherwise be disguised as normal activity by the malware.”
Catching Coin Miners at the CPU
Intel TDT applies machine learning to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU) to detect the malware code execution “fingerprint” at runtime with minimal overhead, wrote Selvaraj.
TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at its final execution point (the CPU), he continued.
This happens irrespective of obfuscation techniques, including when malware hides within virtualized guests and without needing intrusive techniques like code injection or performing complex hypervisor introspection, he added.
Additional performance gains can be achieved by offloading some machine learning to Intel’s integrated graphics processing unit (GPU).
Selvaraj explained that the TDT technology is based on telemetry signals coming directly from the PMU, the unit that records low-level information about performance and microarchitectural execution characteristics of instructions processed by the CPU.
Coin miners make heavy use of repeated mathematical operations and this activity is recorded by the PMU, which triggers a signal when a certain usage threshold is reached.
The signal is processed by a layer of machine learning which can recognize the footprint generated by the specific activity of coin mining. Since the signal comes exclusively from the utilization of the CPU, caused by execution characteristics of malware, it is unaffected by common antimalware evasion techniques such as binary obfuscation or memory-only payloads.
“Intel’s TDT allows the use of machine learning to generically block cryptojacking attacks based on repeated mathematical operations performed by cryptominers,” explained Rohit Dhamankar, vice president for threat intelligence products at Alert Logic, an application and infrastructure security company in Houston.
“This approach does not rely on individual signatures which allow cryptojacking malware to evade traditional antivirus or endpoint detection and response software,” he told bluehillco.
Agentless Malware Detection
Selvaraj added that the TDT integrated solution can also expose coin miners hiding out in unprotected virtual machines or other containers.
“Microsoft Defender for Endpoint can stop the virtual machine itself or report virtual machine abuse, thus preventing the spread of an attack as well as saving resources,” he wrote.
“This is one step towards agentless malware detection, where the ‘protector’ can protect the asset from the ‘attacker’ without having to be in the same OS,” he added.
Any improvements in tossing coin miners off enterprise systems will be welcomed by security teams, since cryptojacking can be so hard to detect.
“Cryptojacking is particularly stealthy by design,” observed Josh Smith, a security analyst with Nuspire Networks, a managed security services provider in Walled Lake, Mich.
“Coin miners try not to make any noise like a ransomware attack, as it would be counter intuitive and would cut into generated income,” he told bluehillco.
“Cryptojacking can be malware based, where the code that performs the mining is directly installed on the victim machine — usually delivered via phishing emails — or code installed on websites. When a user interacts with the website, a script runs performing the mining,” he explained.
Skillful coin miners can be very difficult to detect, added Kron.
“They may lay dormant or throttle back activity during times that users are utilizing the devices, then ramp up during times, such as after hours, when users are not likely to notice the performance issues, or the increased noise caused by fans trying desperately to cool the overworked systems,” he said.
“While cryptojacking software can cause system lockups or reboots when being pushed hard, many organizations do not look at these events as indicators of compromise, nor do they monitor the CPU usage of workstations within the organization, making it easier for the malware to hide its activities,” he noted.
He added that as cryptocurrency values continue to rise, cryptojacking becomes more attractive to the cybercriminals, leading to more attacks.
However, he continued, the bigger issue with cryptojacking is that the malware is often not alone on the devices.
“It can be a part of a larger infection that may include banking trojans, password stealers and even ransomware,” he said. “If the attackers can get cryptojacking malware on the systems, they can get other malware there as well.”