Cryptominer malware
Impact, detections, and mitigation
Cryptomining
- Blockchain based cryptocurrencies
- Proof-of-work
Impacts
- Performance impact
- Denial of service to legitimate users
- Increased billing on cloud services
- Increased power consumption for on-premises systems
- Mining software could be bundled with other malware
See: MITRE ATT&CK T1496, Resource Hijacking: https://attack.mitre.org/techniques/T1496/
Access
- Malspam emails
- Browser extensions
- Existing vulnerabilities
  - e.g. Oracle WebLogic Server (CVE-2017-10271)
- Coinhive (in-browser JavaScript mining)
- Typosquatting
  - e.g. twitter.com.com
- Employees
- Phished accounts (credentials captured by phishing)
Detection
- Resource alerting
  - Cloud billing
  - Server CPU usage (e.g. Xymon)
- Endpoint monitoring & detection
  - Velociraptor
  - Google Rapid Response (GRR)
- SIEM
  - Detect on known mining IPs & URLs
  - SELinux audit logs
  - ELK stack
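As an added example (not from the original slides), the following Python implements the two detections above on constructed sample data: it matches proxy log lines against mining indicators (known pool domains, Stratum URIs, common pool ports) and alerts on sustained CPU usage, then correlates the two per host the way a SIEM rule would. The log format, indicator lists, port set, thresholds, hostnames and IP addresses are all assumptions made for this example.

```python
"""Two cheap cryptominer detections over constructed sample data.

1. Network: match proxy/firewall log lines against mining indicators
   (known pool domains, Stratum URIs, common pool ports).
2. Host: alert when a server's CPU stays above a threshold for N
   consecutive samples, which is what a miner looks like on a
   Xymon-style CPU graph.
The two are then correlated per host, as a SIEM rule would do.
"""
import re

# Indicators (assumption: constructed for this example; a real SIEM would
# load these from a threat-intel feed or block list).
KNOWN_MINING_DOMAINS = {"xmr-pool.example", "coinhive-cdn.example"}
# Ports frequently used by Stratum mining pools; tune for your environment.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
STRATUM_URI_RE = re.compile(r"^stratum\+(tcp|ssl)://", re.IGNORECASE)

# Proxy log format assumed here: "<timestamp> <src_ip> <dst_host>:<dst_port> <url>"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<url>\S+)$"
)

# Constructed sample log: one host talking Stratum to a known pool, one host
# hitting a bare IP on a pool port, two benign lines and one garbage line.
PROXY_LOG = """\
2018-01-05T10:00:01Z 10.0.0.12 xmr-pool.example:4444 stratum+tcp://xmr-pool.example:4444
2018-01-05T10:00:05Z 10.0.0.12 cdn.example.net:443 https://cdn.example.net/app.js
2018-01-05T10:00:09Z 10.0.0.33 updates.example.org:80 http://updates.example.org/patch.bin
2018-01-05T10:01:14Z 10.0.0.45 198.51.100.7:3333 tcp://198.51.100.7:3333
this line is garbage and must not break the scan
"""

# Constructed CPU samples (percent), oldest first, e.g. one per 5 minutes.
CPU_SAMPLES = {
    "web01": [12.0, 15.5, 9.8, 11.0, 14.2, 10.7],    # idle
    "build03": [95.1, 97.4, 99.0, 98.2, 96.6, 99.3],  # pegged: miner-like
    "db02": [98.0, 45.0, 97.1, 40.0, 96.3, 50.0],     # spiky: batch jobs
    "new07": [99.0, 99.0],                            # too few samples to judge
}
HOST_IPS = {"web01": "10.0.0.33", "build03": "10.0.0.12",
            "db02": "10.0.0.45", "new07": "10.0.0.90"}


def check_proxy_line(line):
    """Return a hit dict for one log line, or None if nothing matched."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than crash the rule
    reasons = []
    if m["dst"].lower() in KNOWN_MINING_DOMAINS:
        reasons.append("known-mining-domain")
    if int(m["port"]) in MINING_PORTS:
        reasons.append("mining-port")
    if STRATUM_URI_RE.match(m["url"]):
        reasons.append("stratum-uri")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"],
            "dst": f"{m['dst']}:{m['port']}", "reasons": reasons}


def scan_proxy_log(lines):
    """All indicator hits in a sequence of log lines, in log order."""
    return [hit for hit in (check_proxy_line(l) for l in lines) if hit]


def sustained_cpu_alerts(samples, threshold=90.0, window=4):
    """Hosts whose last `window` CPU samples are all >= threshold.

    Requiring consecutive samples separates a miner (flat out, 24/7) from a
    legitimate burst such as a backup or a compile job. Hosts with fewer
    than `window` samples are not judged yet.
    """
    alerts = []
    for host, values in samples.items():
        recent = values[-window:]
        if len(recent) == window and all(v >= threshold for v in recent):
            alerts.append(host)
    return sorted(alerts)


def correlate(network_hits, cpu_alerts, host_ips):
    """Hosts that show both mining network indicators and sustained CPU."""
    flagged_ips = {h["src"] for h in network_hits}
    return sorted(h for h in cpu_alerts if host_ips.get(h) in flagged_ips)


if __name__ == "__main__":
    hits = scan_proxy_log(PROXY_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']} [{', '.join(h['reasons'])}]")
    cpu = sustained_cpu_alerts(CPU_SAMPLES)
    print("sustained CPU:", cpu)
    print("both indicators:", correlate(hits, cpu, HOST_IPS))
```

A single high-CPU sample or a single hit on a pool port is weak evidence on its own; the correlation step is what turns two noisy signals into an alert worth paging on, and the garbage line shows the rule degrading gracefully when log lines do not parse.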
Remediation
Containment
- Liaise with the system owner and other stakeholders to isolate the infected system
- Take a snapshot / image before doing anything else
Eradication
- Remove the malicious software
- Recover from a known good backup
Remediation (cont.)
Recovery
- Verify that the system is clean
- Liaise with the system owner to bring it back into production
Lessons Learned / Post-mortem
- Encourage a blame-free culture
- Identify how the infection happened
- Plan steps to prevent it from happening in the future
- Write a report for future reference / management
Prevention
- Malspam emails
  - Spam email filtering and link protection
  - Blocking suspicious attachments
  - Least privilege for users
- Browser
  - Restrict extensions
  - Ad-blocker, No Coin, MinerBlock
- Existing vulnerabilities
  - Regular patch cycle
  - Keep up to date; a new exploit may need out-of-cycle patching
  - e.g. new versions of Firefox require signed extensions
Prevention (cont.)
- Employees
  - Usage policies
  - MotD banner
- Phished accounts
  - 2FA
  - Phishing block lists
  - User education
- Additionally:
  - Firewall known mining IPs *
  - Application whitelisting
  - Resource alerting
  - Install what users need / want
* https://www.auscert.org.au/blog/2018-01-05-attackers-using-remote-coding-execution-vulnerabilities-install-cryptocurrency-miners-vulnerable-hosts
Questions
Cryptominer malware
By Charelle Collett