{"id":3689,"date":"2025-06-25T05:18:25","date_gmt":"2025-06-25T05:18:25","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3689"},"modified":"2025-06-25T05:18:25","modified_gmt":"2025-06-25T05:18:25","slug":"akamai-proposes-tool-to-defang-cryptomining-botnets","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3689","title":{"rendered":"Akamai proposes tool to defang cryptomining botnets"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For years, CSOs have been fighting <a href=\"https:\/\/www.csoonline.com\/article\/572627\/cryptomining-botnet-targeting-docker-on-linux-systems.html\">botnets that are stealing processing power<\/a> from servers that have been infected with cryptomining malware. Tuesday, cloud computing provider Akamai (<a href=\"https:\/\/finance.yahoo.com\/quote\/AKAM\/\" target=\"_blank\" rel=\"noopener\">Nasdaq:AKAM<\/a>) described a potential solution: a proof-of-concept tool that lets defenders stop miners\u2019 proxy servers from using compromised enterprise computers.<\/p>\n<p>In its report, Akamai said that, by using the tool, it was able to stop one cryptomining proxy (a server that distributes tasks to the miners) that was generating roughly US$26,000 a year, and halt the mining by all victims that were connected to it. Had Akamai targeted additional proxies in this botnet, it believes the attackers might have abandoned the campaign.<\/p>\n<p>The researchers admit that those behind this particular campaign could try to make changes to the botnet to put it back into action \u2013 but if they did, they\u2019d risk being identified.<\/p>\n<p>However, botnet creators don\u2019t always use a proxy. 
In many cases, victims will connect directly to the <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/cryptominer-anatomy-internals\" target=\"_blank\" rel=\"noopener\">pool<\/a>, so the tactic of submitting bad shares will simply ban the defenders\u2019 IP address from the pool without affecting the mining operation. <\/p>\n<p>In that case, Akamai proposes including the capability to target the botnet\u2019s digital wallet, a set of cryptography secrets that allows users to transact assets over the blockchain, which must be present on a victim machine and is therefore vulnerable to defenders using Akamai\u2019s tool, XMRogue. The tactic uses a script to send more than 1,000 simultaneous login requests using the attacker\u2019s wallet,\u00a0which will force the pool to ban the wallet.<\/p>\n<p>This tactic could interrupt more mining operations, but it isn\u2019t a permanent solution, Akamai admits. Once it stopped the multiple login connections in a test, the campaign\u2019s mining rate recovered.<\/p>\n<p>\u201cThe tool we shared is currently a proof of concept, not yet ready for production use,\u201d report author\u00a0Maor Dahan said in an email to CSO. 
While the technique requires some expertise to use effectively, he said one of its key strengths is that a single organization can take down an entire botnet and \u201crelease\u201d all the victims, even those who never knew they were compromised.<\/p>\n<p>\u201cOur goal is to spark new detection and prevention strategies, and eventually enable CSOs to quickly mitigate the impact of active <a href=\"https:\/\/www.csoonline.com\/article\/564521\/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html\" target=\"_blank\" rel=\"noopener\">cryptominer<\/a> campaigns,\u201d <a href=\"https:\/\/url.usb.m.mimecastprotect.com\/s\/tDyMCZZKWKuMyNOjSzfBhBdu0C?domain=akamai.com\" target=\"_blank\" rel=\"noopener\">the report<\/a> said.<\/p>\n<p>Still, cybersecurity experts believe the tool has promise.<\/p>\n<p>\u201cI love this,\u201d said David Shipley, CEO of Canadian security awareness provider Beauceron Security. \u201cImposing costs is the only way we win in the long run against cybercrime. This isn\u2019t a silver bullet, but it will be a major pain for cryptominer botnet creators and maintainers. As those costs rise, it helps break the criminal business model.<\/p>\n<p>\u201cThis is clever, helpful, and much needed,\u201d he added. \u201cOn the downside, cryptomining criminals may move from this mostly annoying level of crime into more destructive crime as these kinds of disruption efforts get results.\u201d<\/p>\n<p>The method appears to work, noted <a href=\"https:\/\/www.sans.org\/profiles\/rob-lee\/\" target=\"_blank\" rel=\"noopener\">Rob T. Lee<\/a>, chief of research at the SANS Institute. It\u2019s backed by a proof-of-concept and real data, he told CSO in an email, and could be used by blue teams, incident responders, or SOC analysts and not just specialized researchers.<\/p>\n<p>But, he added, the tool won\u2019t be a long-term fix. \u201cSmarter botnets will adapt,\u201d he said. 
\u201cDecentralized ones won\u2019t care.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A rare win for defenders<\/h2>\n<p>Still, he said \u201cAkamai just published a rare win for defenders, which in the cryptomining botnet space is truly rare.\u00a0Being able to dismantle infrastructure \u2014 similar to attacking ransomware as a service infrastructure \u2014 there will be immediate wins \u2026 if the capability is active.\u201d<\/p>\n<p>Akamai says the idea behind its tool is simple: by connecting to a malicious proxy as a miner, defenders can submit invalid mining job results \u2014 what Akamai calls \u201cbad shares\u201d \u2014 that pass the proxy\u2019s validation and are forwarded to the pool. Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet.<\/p>\n<p>To test the technique, Akamai used XMRogue against a mining campaign and was able to extract the addresses of all mining proxies, identify the central proxy server, and ban it from the pool. It worked. When Akamai first documented this campaign, it generated almost $50,000 annually, but after it disrupted just one proxy, the campaign\u2019s annual revenue decreased by 76% to $12,000. By targeting additional proxies, Akamai believes the revenue could have potentially dropped to zero. 
\u201cThis kind of impact could easily force the attackers to abandon their campaign for good, or take a risk of being identified when making changes that are being monitored,\u201d Akamai concluded.<\/p>\n<p>This doesn\u2019t remove the malicious code from the systems, Lee of the SANS Institute pointed out, but is essentially a disabling tactic to block the core infrastructure around the mining \u201cin a very cool and creative way.\u201d<\/p>\n<p>It will still take astute incident responders and malware analysts to eliminate the botnet software on each endpoint, he pointed out.\u00a0\u201cHowever,\u201d he added, \u201cby being able to combine techniques targeting the botnets directly and the infrastructure, let\u2019s consider this a massive win for today.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A new way of thinking<\/h2>\n<p>As cyber attacks evolve, it\u2019s important for organizations to have a clear approach to how they want to respond, commented <a href=\"https:\/\/futurumgroup.com\/fernando-montenegro\/\" target=\"_blank\" rel=\"noopener\">Fernando Montenegro<\/a>, vice-president and cybersecurity practice lead at The Futurum Group. \u201cThat response may be different at the\u00a0individual organization level when compared to the public response at large. I mention this because\u00a0I think actions such as these are really interesting and can be helpful, but to me, they fall closer to interdiction and\u00a0public response more than individual organizations. Looking at the techniques themselves, I think it\u2019s brilliant to go after the monetization goals that attackers have.\u201d\u00a0<\/p>\n<p>The \u2018bad shares\u2019 technique has proven highly effective, noted Akamai\u2019s Dahan. \u201cIn some cases, it allowed us to completely shut down entire botnets. But our research goes beyond a single tool; it introduces a new way of thinking. 
Despite their distributed nature, malicious cryptomining networks almost always rely on a central \u2018bottleneck\u2019 that can be targeted to disrupt operations. While attackers may adapt to bypass this specific method, we believe defenders can uncover similar weak points across other cryptocurrencies and mining architectures.\u201d<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For years, CSOs have been fighting botnets that are stealing processing power from servers that have been infected with cryptomining malware. Tuesday, cloud computing provider Akamai (Nasdaq:AKAM) described a potential solution: a proof-of-concept tool that lets defenders stop miners\u2019 proxy servers from using compromised enterprise computers. 
In its report, Akamai said that, by using the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3678,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3689","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3689"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3689"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3689\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3678"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}