Many IT departments ignore local admin passwords, especially on endpoints and VDI guests. Many times I’ve heard, “It’s only local rights, it’s not like they can access the network”. Well, there was still risk: back then spam was big business, and being able to relay it through clean IPs could net you some serious cash. But I never really saw that avenue of attack being used in a widespread fashion.
Fast-forward to the era of Bitcoin and there is a huge financial incentive for hackers to gain control over any available compute resource to mine cryptocurrency, even the lowly desktop. If you’re using a single local admin password, all they have to do is breach one and now they have access to potentially hundreds or thousands of desktops.
Starting around Q3 last year I saw a marked increase in the number of attacks using this method, but they have been around for at least a year or more. The first applications were clumsy: users noticed a slowdown during business hours and quickly reported it. Then the attackers got clever and realized that their mining would be more profitable over the long term if they didn’t impact the performance of local desktop applications. That meant fewer hashes per hour, but without a user to report an issue, they may go undetected for weeks or months.
Most of the attacks I’ve seen recently could easily have been prevented by simply having a random password for each machine. It’s also been suggested that companies disable local admin accounts, but I almost always disagree with this. There are times when you may need to access the machine using local credentials.
Bottom line: randomize all of your local admin passwords. It will save you not just from crypto miners but from a whole host of other attacks.
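The per-machine random password recommended above, as an added example that is not from the original post: a PowerShell script that rotates the built-in local Administrator account to a cryptographically random value, handing that value to a caller-supplied escrow step before the change is applied so the account stays usable (and enabled) for the local-credentials case mentioned above. It assumes an elevated session on Windows 10 / Server 2016 or later (where Set-LocalUser exists) and that you replace the placeholder escrow block with a call to your own password vault.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell 5.1+
# session on Windows 10 / Server 2016 or later (Set-LocalUser is available).

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (0/O, 1/l/I) are left out so a human can type it over KVM.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    # CSPRNG rather than Get-Random: the whole point is that no two machines
    # end up with a predictable or shared value.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of |alphabet| <= 256
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {               # rejection sampling: no modulo bias
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Set-RandomLocalAdminPassword {
    param(
        [string]$UserName = 'Administrator',
        # Called with (ComputerName, UserName, PlaintextPassword) so the new value
        # is stored centrally; the account itself is left enabled.
        [Parameter(Mandatory)][scriptblock]$Escrow
    )
    $plain  = New-RandomPassword -Length 24
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Escrow first: if the vault write fails, the machine keeps its old password
    # instead of ending up with one nobody knows.
    & $Escrow $env:COMPUTERNAME $UserName $plain
    Set-LocalUser -Name $UserName -Password $secure
    Remove-Variable plain, secure
    return $true
}

# Placeholder escrow (hypothetical): replace the body with a call to your vault.
Set-RandomLocalAdminPassword -Escrow {
    param($Computer, $User, $Password)
    Write-Warning "Escrow placeholder: store the password for $Computer\$User in your vault here"
}
```

For domain-joined machines, Microsoft's LAPS performs this rotation and escrows the result to Active Directory; the script shows the mechanics for environments where it is not deployed.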