Post Secondary Institutions a Target for Cryptojacks

There is a new term in the cyber world that post-secondary institutions – and everyone else – should be aware of: cryptojacking.

Cryptojacking is when hackers tap into a private computer, business or institution to steal energy and computer processing power so they can mine bitcoin or other cryptocurrencies without draining their own resources. But cryptojacking represents more than a drain of CPU and resources; it can lead to a potential security threat to all business and organizations holding highly sensitive personal and financial data, such as hospitals and municipalities.

For one Canadian college, a cryptojacking incident translated into 100 percent of their CPU capacity being drained over the 2017 Christmas holidays. The dramatic slow-down of the system is what raised red flags to system administrators, who might not have become aware of a cyber breach until well after the holiday break.

Post secondary institutions across Canada were alerted of the attacks via the academic grape vine. This resulted in at least three other colleges discovering they also had been compromised (a full number isn't available as organizations and companies are not obligated to report a cyber incident if personal data isn't breached).

Unmasking the Scheme

As risk management advisors to several post secondary institutions, MNP's Clifford Trollope and Eugene Ng were called in to investigate what happened and see if any other assets were tampered with or if data was stolen. The breaches were seen as low level because only power and CPU capacity were tapped into for bitcoin mining – but it could have been far worse.

Universities and colleges are fountains of opportunity for criminals, as their systems include personal and payroll information, as well as financial transactions and competitive research data. Post secondary institutions also tend to have many servers connected to the internet with less than stringent monitoring and patching protocols and are notorious for having highly siloed groups between the different faculties. Faculties often have different IT systems for research, students and staff, making it difficult to operate an overarching and comprehensive security program.

In the December 2017 cryptojacking incidents, cyber criminals hacked into the systems by exploiting vulnerabilities on web servers and the software they use. Several of the colleges were running a dated human resource (HR) management system, which had alerted users of a critical vulnerability earlier that year.

Exposing Vulnerabilities

Without a risk-based cyber security and resiliency plan in place, the post secondary institutions failed to follow through on the critical announcement by the vendor and hadn't yet updated their systems.

A risk-based approach towards security uncovers vulnerabilities and allows institutions to channel investment toward important assets rather than diluting resources with a blanket solution. For example, when a critical business system has a significant security update, the update is tagged as priority and completed.

The weakness in the colleges' HR platform was similar to the one exploited in the 2017 Equifax breach that compromised the data of 148-million consumers. It also emphasized how cyber breaches can target things other than information to steal.

Other related attacks see cyber criminals inject a malicious code on each website visitor, enabling the hacker to use their power and CPU capacity to mine cryptocurrencies.

Rising Demand for Computing Power

Mining cryptocurrencies can require huge amounts of power – Icelandic data centres mining cryptocurrencies are expected to consume more electricity than that country's entire population in 2018, according to private utility HS Orka.

Cryptocurrencies use blockchain technology to validate each transaction on virtual ledgers. To add a block, participants must decipher complex cryptographic puzzles, a process which can produce tens of quintillion guesses, absorbing energy and CPUs all the while.

The first miner to solve the equation adds the next block to the block chain, claims the transaction fee and earns new coins. As the value of cryptocurrency skyrocketed, so did the number of miners and the horsepower needed to build the block chain.

It rapidly got to a point where it was no longer economically efficient to use personal hardware and power to mine bitcoins, prompting hackers to tap into other hardware platforms to supply the CPU and power. Hackers can do this is by injecting software codes in through website ads that use JavaScript, or infecting public Wi-Fi networks like those used in coffee shops, supermarkets or airports.

Red Flags

• Slow internet connections
• Computer operations are taking much longer
• CPU activity spikes
• Large battery drain

Preventative Measures 

• Run ad blockers on private computers
• Ensure critical assets are prioritized in your risk management plan
• Update cyber security programs on a frequent, regular basis

While a power drain might seem an inconvenience, cryptojackers are a millisecond away from tapping into post secondary institutions' critical personal and financial data. And as long as cryptocurrency mining remains lucrative, mining malware will continue to improve and proliferate.

For information on how MNP can help, contact:

Eugene Ng, Cyber Security Leader, Eastern Canada, at 905.607.9777 or [email protected]

Cliff Trollope, National Leader, Business Resilience Services, at 416.596.1711 ext 3851 or [email protected]