University Networks Become Fertile Ground for Cryptomining

Sixty percent of cryptomining detections in a Vectra study occurred on higher-education networks.

Large, high-bandwidth university networks have become fertile ground for cryptomining activity by criminals and students, who are taking advantage of their free access to cash in on the crypto boom.

Automated threat management provider Vectra recently analyzed attack behavior patterns and trends from a sample of 246 of its enterprise customers across 14 industries, and it found that a startling 60% of all cryptocurrency mining detections occurred in higher-education networks.

In comparison, the entertainment and leisure sector, which ranked second, accounted for just 6% of all detections; the financial sector, often thought to be a popular target, had just 3%.

University networks — with their high-bandwidth capacities and large volume of students with relatively unprotected systems — make for an attractive target for cryptomining activity, says Chris Morales, Vectra's head of security analytics.

The tendency of students to use untrusted sites to download illegal movies and music, for instance, makes their systems easy targets for hosting cryptomining software. The free access to the Internet and electric power that is available to students is another factor.

"Cryptocurrency mining converts electricity to monetary value by using computational resources," Morales says. "This is very expensive to accomplish without a free source of power and a lot of computing resources with minimal security controls that are exposed to the Internet."

University networks fit the bill and are ideal pastures for "cryptojackers" and for those looking to earn money performing cryptomining from their dorm rooms using their own personal systems, he says. "Even at the current value of $9,000 per bitcoin, it remains a lucrative temptation for both attackers and students with free electricity they can convert into monetary value."

Because the data Vectra collects is anonymized, it is hard to tell for sure to what extent students are engaged in cryptomining activity. "[But] we do know there is a mix of students and attackers performing cryptomining in university networks," based on information from university customers, Morales says.

Unlike corporate networks, which have strict security controls for curbing cryptocurrency mining, universities have few of the same measures. At best, they can advise students on how to protect themselves, help them clean infected systems, and create awareness of phishing emails, suspicious websites, and online ads, he says.

Vectra's data showed systems that were part of or connected to university networks had considerably more malicious behavior overall — like command and control communications, botnet activity, and lateral movement — than systems in other sectors.

Attacker behavior volume, at 3,715 detections per 10,000 devices, was nearly 25% higher on university networks than on systems in the engineering industry, the sector with the second highest volume of malicious activity (2,918 detections per 10,000 devices).

Command and control activity in higher-education environments, at 2,205 detections per 10,000 devices, was nearly five times the industry average of 460 detections per 10,000 devices. Botnet activity accounted for 151 detections per 10,000 devices, compared with the industry average of 33 detections.

Attacker Behaviors

Vectra's data, gathered from some 4.5 million customer devices and workloads, adds to numerous other data sets over the years showing higher-education networks to be among the most poorly secured against threats compared with any other sector.

The data also showed what attackers generally tend to do once they gain access to a system or network. "Most security teams have in-depth knowledge of the techniques an attacker uses to get through the prevention layer," Morales says. "[Vectra's report] provides insight into the attacker behaviors they need to detect in order to stop active attacks in real time."

On average, organizations in Vectra's study had 818 devices exhibiting malicious behavior over a one-month period. Command and control activity accounted for the highest proportion of attack behaviors detected on compromised systems. In most cases, such activity represents the first stage of an attack, Morales says.

Other common malicious activities that Vectra detected included lateral movement, reconnaissance, data exfiltration, and botnet activity. Vectra's data showed that systems that are part of a botnet are being used in a variety of malicious ways, the most common of them being to serve ads. The vendor found that about 8% of the botnets are being used in bitcoin mining, while barely 2% are being used in distributed denial-of-service attacks.

"To me, the biggest point I noticed is that ransomware is not the biggest threat we are facing," Morales says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...