Cyberbit discovers international airport riddled with Bitcoin-mining malware

Here's how known malware exploits can be tweaked to get past current security systems but can't hide from behavior analysis
Written by Tom Foremski, Contributor

Cyberbit says its computer security software helped uncover a large infection of cryptocurrency mining software at an unnamed "international airport in Europe" where the majority of workstations were infected with active malware.

The company won't name its client, but in a blog post its researchers said that standard types of anti-virus software, including the system the airport had deployed on its network, would have failed to catch the crypto-miners.

Cyberbit's Endpoint Detection and Response (EDR) technology analyzes system performance and user activities and looks for abnormal data. It was the high processing requirements of crypto-mining software that provided the clues that unauthorized processes were running.

Cyberbit researchers said that the intruders had created a variant of a known crypto-miner, which allowed it to slip by computer security defenses heavily reliant on anti-virus software, which in turn relies on previously discovered signatures and models of attack.

Cyberbit's approach is to look for abnormal behaviors in IT systems in real-time and identify attacks that carry no easily identifiable signature or method.

The discovery of the infected international airport raises the question: how many more international airports have unknown malware?

A crypto-miner stealing compute cycles from an airport IT system has potentially widespread repercussions across a large region and beyond. Airport information systems could slow down and maybe fail, creating chaos among departing and arriving passengers, and many other problems.

Crypto-miners are relatively easy to detect because of their high processing requirements, but most malware is small and designed to be discreet, and is therefore far harder to detect.

If airports have hidden crypto-miners already running, who knows what else has penetrated these vital IT systems?
