Cryptojacking via cryptomining malware impacts server performance – and many organizations may not even realize their servers have been cryptojacked.
The term cryptojacking is used to describe the process of maliciously cryptomining using malware-infected computers.
To prevent servers such as MySQL servers from being cryptojacked, organizations need to be able to spot the telltale signs of intrusion.
What is Crypto Mining?
Cryptomining is the practice of using computers to perform the proof-of-work hashing that adds new blocks to a cryptocurrency's blockchain ledger. Bitcoin is currently the most well-known cryptocurrency, but others exist and can also be mined.
The incentive for miners is the block reward: the miner who finds a valid block receives newly issued coins plus the transaction fees in that block. With the price of a single bitcoin hovering near $50,000 at the time of writing, mining can be very lucrative.
Unfortunately, viable crypto mining is far beyond the means of the average computer user. Proof-of-work hashing is extremely processor-intensive, and a single machine has a negligible chance of finding a block on its own.
Effective crypto mining usually involves a large pool of miners whose machines work on the same block and share the reward in proportion to the work they contribute.
So far, this is all a perfectly legal endeavor that will result in bitcoin or other cryptocurrencies being generated for successful miners.
To keep things profitable, a balance must be struck between the cost of mining, mainly electricity and hardware, and the potential rewards in cryptocurrency. For this reason, large-scale mining concentrates wherever electricity is cheapest; at the time of writing, China was home to the largest community of cryptominers.
What is Cryptojacking?
Cryptojacking describes the process of cryptomining with hijacked computing resources.
Considering the value of cryptocurrency and the processing power required to mine it, cryptojacking presents a lucrative path for cybercriminals.
Cryptojacking takes advantage of an organization's servers to perform the hashing and eliminates the cryptominer's overhead. Every coin earned is pure profit when someone else is paying for the hardware and the electricity.
Attackers bundle cryptomining software into their malware so that compromised computers perform the mining on their behalf. A case in point is XMRig, an open-source miner for the Monero cryptocurrency. Monero is a favorite of cryptojackers because its mining algorithm runs well on ordinary CPUs and its transactions are hard to trace.
Campaigns that deploy XMRig have targeted public-facing MySQL, Tomcat, and Jenkins systems that have weak passwords.
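The weak-password entry point above is something a DBA can audit directly from the MySQL grant tables. The following is an added example, not code from the original page or from any product it mentions: it evaluates rows of the shape returned by `SELECT user, host, plugin, authentication_string, account_locked FROM mysql.user` and `SELECT name, dl FROM mysql.func` (MySQL 5.7/8.0 column names) and flags passwordless accounts, privileged accounts reachable from remote hosts, and user-defined functions that nobody installed on purpose. The sample rows and the `udf_allowlist` parameter are constructed for illustration; in practice you would feed it the rows from a cursor.

```python
"""Audit MySQL account and UDF state for the exposure cryptojackers exploit.
Added example: row layouts follow mysql.user / mysql.func, sample rows are constructed."""

# Queries whose result rows the audit function consumes (MySQL 5.7+/8.0).
USER_QUERY = "SELECT user, host, plugin, authentication_string, account_locked FROM mysql.user"
UDF_QUERY = "SELECT name, dl FROM mysql.func"

# Plugins that authenticate with a stored password hash; an empty hash means no password.
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password", "sha256_password"}
# Accounts that should never accept logins from outside the host itself.
PRIVILEGED_USERS = {"root"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(user_rows, udf_rows, udf_allowlist=frozenset()):
    """Return (severity, message) findings for risky accounts and unexpected UDFs.

    user_rows: (user, host, plugin, authentication_string, account_locked)
    udf_rows:  (name, dl)  -- every entry in mysql.func is a loadable native library
    udf_allowlist: shared-library names the organization has approved (assumed empty here).
    """
    findings = []
    for user, host, plugin, auth, locked in user_rows:
        if locked == "Y":
            continue  # a locked account cannot be used to log in at all
        who = f"'{user}'@'{host}'"
        if plugin in PASSWORD_PLUGINS and auth == "":
            findings.append(("critical", f"{who} has no password set"))
        if user in PRIVILEGED_USERS and host not in LOCAL_HOSTS:
            findings.append(("high", f"{who} allows remote logins to a privileged account"))
    for name, dl in udf_rows:
        if dl not in udf_allowlist:
            # Attackers who obtain a privileged login commonly register a UDF
            # so they can execute operating-system commands from SQL.
            findings.append(("critical", f"unexpected UDF {name}() loaded from {dl}"))
    return findings


# Constructed sample rows (hash strings are placeholders, not real hashes).
USER_ROWS = [
    ("root", "localhost", "caching_sha2_password", "<hash>", "N"),
    ("root", "%", "mysql_native_password", "", "N"),          # passwordless, any host
    ("app", "10.0.0.%", "caching_sha2_password", "<hash>", "N"),
    ("mysql.sys", "localhost", "caching_sha2_password", "<hash>", "Y"),
]
UDF_ROWS = [("sys_exec", "udf.so")]  # nobody on the team installed this

if __name__ == "__main__":
    for severity, message in audit_accounts(USER_ROWS, UDF_ROWS):
        print(f"[{severity}] {message}")
```

Run the two queries as an administrative user and pass the rows straight in; anything the function reports should be fixed before the host is exposed, and an unexpected entry in `mysql.func` is a reason to treat the server as already compromised rather than merely misconfigured.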
Signs Your Servers Have Been Cryptojacked
It can be extremely difficult to identify cryptomining malware once it has been deployed in your environment, because the mining tools themselves are legitimate software that standard anti-virus products often do not flag, or flag only as "potentially unwanted".
The same software runs on systems dedicated to mining and on systems that have been cryptojacked; only the context tells them apart.
Stopping the malware from reaching enterprise servers requires a comprehensive security initiative that includes training users to avoid inadvertently introducing malware into the environment.
Phishing is a common way for cryptomining software to reach user workstations. Servers are more often compromised directly, through weak or default credentials on exposed services such as MySQL, as the XMRig campaigns described above show.
How to Keep a MySQL Server Environment Free From Cryptomining Malware
MySQL database administrators (DBAs) spend a lot of time searching for ways to optimize the performance of their systems.
They may end up looking at everything from network bandwidth to long-running queries and still be mystified as to why their servers are underperforming.
The reason the servers are not performing up to expectations may be that they are infected with cryptomining software.
While there is no silver bullet available to protect your MySQL server environment from rogue cryptominers, some preventive measures can be taken.
To identify cryptomining malware, organizations should look for the following telltale signs:
- Sustained high CPU temperatures and fan activity: the constant load on cryptojacked systems makes them prone to overheating.
- Excessive CPU usage with no matching increase in database workload, leading to degraded query performance.
- Unexpected spikes in cloud bills, which can indicate that cybercriminals have obtained your credentials and are allocating additional instances for mining.
- Unexplained outbound connections from the server to mining pools, typically long-lived TCP sessions to unfamiliar hosts on ports such as 3333, 4444 or 14444 that carry the Stratum mining protocol.
Once a suspect server is identified, system admins and the security team can examine it closely, isolate it, and remove the malware.
Apart from the obvious effects of overheating, spotting a potentially cryptojacked system requires comparing current behavior with historical data.
This is fairly straightforward for cloud billing, but what about the MySQL server environment itself?
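The signs listed above, and the comparison against historical data that this paragraph calls for, can be turned into a repeatable check. The following is an added example and not code from the original page or from any product it mentions. It takes a baseline of historical CPU samples, the most recent samples, a process table and a connection table, all constructed inline here, and reports four things: a sustained CPU level far outside the historical baseline, processes whose names or command lines look like miners, a top CPU consumer on a database host that is not mysqld, and established outbound connections to typical mining-pool ports. The miner-name list, the port list and the threshold parameters are assumptions chosen for illustration.

```python
"""Detect the telltale signs of cryptojacking on a MySQL host.
Added example with constructed telemetry; thresholds and indicator lists are assumptions."""
import statistics

# Process names and command-line fragments commonly seen with CPU miners (assumed list).
MINER_NAMES = {"xmrig", "minerd", "xmr-stak", "cpuminer"}
MINER_ARGS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "--coin")
# Ports frequently used by Stratum mining pools (assumed list, not exhaustive).
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 14444, 14433}


def cpu_anomaly(baseline, recent, sigmas=3.0, floor=80.0):
    """Flag when recent mean CPU exceeds baseline mean + sigmas*stdev and a hard floor.

    The floor keeps a quiet box that merely got busy from being reported;
    cryptojacked hosts sit near 100 % for hours on end.
    """
    mean = statistics.fmean(baseline)
    threshold = max(mean + sigmas * statistics.pstdev(baseline), floor)
    recent_mean = statistics.fmean(recent)
    return recent_mean > threshold, round(recent_mean, 1), round(threshold, 1)


def detect_cryptojacking(baseline, recent, processes, connections):
    """Return (kind, detail) findings.

    processes:   (pid, name, cmdline, cpu_percent)
    connections: (pid, local_addr, remote_addr, state) with addr as 'host:port'
    """
    findings = []
    flagged, recent_mean, threshold = cpu_anomaly(baseline, recent)
    if flagged:
        findings.append(("cpu_anomaly",
                         f"recent mean {recent_mean}% exceeds {threshold}% "
                         f"derived from {len(baseline)} historical samples"))
    suspicious_pids = set()
    for pid, name, cmdline, _cpu in processes:
        if name.lower() in MINER_NAMES or any(a in cmdline for a in MINER_ARGS):
            suspicious_pids.add(pid)
            findings.append(("miner_process", f"pid {pid} {name}: {cmdline}"))
    top_pid, top_name, _, top_cpu = max(processes, key=lambda p: p[3])
    if top_name != "mysqld":
        # On a dedicated database host, anything out-consuming mysqld needs an explanation.
        findings.append(("top_consumer_not_mysqld",
                         f"pid {top_pid} {top_name} at {top_cpu}% CPU"))
    for pid, _local, remote, state in connections:
        _host, _, port = remote.rpartition(":")
        if state == "ESTABLISHED" and (int(port) in POOL_PORTS or pid in suspicious_pids):
            findings.append(("pool_connection", f"pid {pid} -> {remote}"))
    return findings


# Constructed telemetry: two weeks of hourly CPU samples with a mild daily cycle,
# then six recent samples pinned near 100 %.
BASELINE = [25 + (i % 24) * 0.5 for i in range(14 * 24)]
RECENT = [97.0, 98.0, 99.0, 97.0, 98.0, 99.0]
PROCESSES = [
    (812, "mysqld", "/usr/sbin/mysqld", 12.0),
    (2214, "kworkerds", "/tmp/.X11-unix/kworkerds -o stratum+tcp://pool.example:3333", 91.3),
    (501, "sshd", "/usr/sbin/sshd -D", 0.1),
]
CONNECTIONS = [
    (812, "10.0.0.5:3306", "10.0.0.21:51922", "ESTABLISHED"),
    (2214, "10.0.0.5:44120", "203.0.113.7:3333", "ESTABLISHED"),
    (501, "10.0.0.5:22", "10.0.0.40:60010", "ESTABLISHED"),
]

if __name__ == "__main__":
    for kind, detail in detect_cryptojacking(BASELINE, RECENT, PROCESSES, CONNECTIONS):
        print(f"{kind}: {detail}")
```

The process name in the sample deliberately imitates a kernel worker thread, which is why the check looks at the command line and the CPU ranking rather than trusting the name. Feed it the CPU history from your monitoring repository and the output of `ps` and `ss -tnp` from the host; a hit in more than one category is a strong signal, while a lone CPU spike still needs the query-level investigation described below.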
The Right Monitoring Tool for the Job
IDERA’s SQL Diagnostic Manager for MySQL is a dedicated database monitoring application for MySQL and MariaDB servers.
Its features help identify performance issues through deep insight into the operation of your MySQL databases and servers, and the same data can be used to recognize potential cryptomining malware.
SQL Diagnostic Manager for MySQL gives teams the capability to browse historical monitoring data stored in the tool’s repository.
This information can be instrumental in identifying changes in usage patterns that may indicate systems have been compromised with cryptomining software.
If there is no other valid explanation for sudden usage spikes, malware could be the culprit.
In some cases, isolating the problem needs to be done through the process of elimination.
Investigating performance issues with SQL Diagnostic Manager for MySQL lets teams rule out misbehaving queries and other typical database causes as the source of the problem.
Once those causes have been eliminated, teams can concentrate on finding and removing the malicious software from the host and closing the weak credentials that let it in.