Cyberbit discovers international airport riddled with Bitcoin-mining malware
Cyberbit provides a unique portfolio of products for cybersecurity training, simulation, detection, and response for the converged IT and OT attack surface. Cyberbit’s product portfolio is based on battle-proven technologies deployed in government and military organizations, made available to the commercial market since 2015, and includes: Cyberbit Range, the world-leading simulated training platform for cybersecurity practitioners; SCADAShield and SCADAShield Mobile for protecting critical infrastructure networks; SOC 3D, a Security Orchestration, Automation and Response (SOAR) platform proven to triple SOC capacity; and Endpoint Detection and Response (EDR) for sensitive organizations and air-gapped networks.
Cyberbit says its computer security software helped uncover a large infection of cryptocurrency mining software at an unnamed "international airport in Europe" where the majority of workstations were infected with active malware.
The company won't name its client, but in a blog post its researchers said that standard types of anti-virus software would have failed to catch the crypto-miners, including the system the airport had deployed on its network. Cyberbit's Endpoint Detection and Response (EDR) technology analyzes system performance and user activities and looks for abnormal data. It was the high processing requirements of crypto-mining software that provided the clues that unauthorized processes were running.
Cyberbit researchers said that the intruders had created a variant of a known crypto-miner that allowed it to slip by computer security defenses heavily reliant on anti-virus software, which relies on previously discovered signatures and models of attack. Cyberbit's approach is to look for abnormal behaviors in IT systems in real time and identify attacks that carry no easily identifiable signature or method.
The discovery of the infected international airport raises the question: how many more international airports have unknown malware?
A crypto-miner stealing compute cycles from an airport IT system has potentially widespread repercussions in a large region and beyond. Airport information systems could slow down and maybe fail, creating chaos among departing and arriving passengers, and many other problems. Crypto-miners are relatively easy to detect because of their high processing requirements, but most malware is small and designed to be discreet and is therefore far harder to detect.
If airports have hidden crypto-miners already running, who knows what else has penetrated these vital IT systems?