Cryptominer malware

Impact, detections, and mitigation

Cryptomining

  • Blockchain based cryptocurrencies
  • Proof-of-work: coins are earned by spending compute, so stolen CPU/GPU time converts directly into money for the attacker

Impacts

  • Performance impact
  • Denial of service to legitimate users (CPU starved by the miner)
  • Increased billing on cloud services
  • Increased power consumption on-premises
  • Mining software is often bundled with, or dropped by, other malware

See: https://attack.mitre.org/techniques/T1496/

Resource hijacking

Access

  • Malspam emails
  • Malicious browser extensions
  • Existing vulnerabilities in exposed services
  • Coinhive (JavaScript miner loaded by a web page; runs while the tab is open)
  • Typosquatting
    • twitter.com.com
  • Employee running a miner on company hardware
  • Phished / compromised accounts

Detection

  • Resource alerting
    • Cloud billing
    • Server CPU usage (xymon)
  • Endpoint monitoring & detection
    • Velociraptor
    • Google Rapid Response (GRR)
  • SIEM
    • Detect connections to known mining pool IPs & URLs (keep the feed refreshed; pools and proxies rotate)
    • SELinux audit logs
    • ELK stack
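Two of the detections on this slide as runnable code. This is an added example, not code from the original deck; every host, address and log line in it is constructed sample data, and the log format (`dst=... dport=... payload=...`) is an assumed one standing in for whatever your proxy or flow logs emit. The first function turns raw CPU samples into a sustained-load alert (a single spike must not page anyone; a miner pins the CPU for hours), the second matches log lines against a blocklist and against Stratum protocol markers so a connection to a pool not yet on the list is still caught.

```python
"""Sustained-CPU alerting and mining IOC matching (added example, not from
the original deck). All hosts, addresses and log lines are constructed."""
import re
from dataclasses import dataclass

# Constructed blocklist using documentation ranges; a real one comes from a
# threat-intel feed and must be refreshed, since pools and proxies rotate.
MINING_HOSTS = {"pool.example-mining.test", "xmr.example-pool.test", "203.0.113.55"}

# Protocol-level markers: Stratum URLs and the Stratum JSON-RPC subscribe call.
STRATUM_MARKERS = ("stratum+tcp://", "stratum+ssl://", '"mining.subscribe"')


@dataclass
class CpuSample:
    ts: int      # unix seconds
    pct: float   # host-wide CPU utilisation, 0-100


def sustained_cpu_alerts(samples, threshold=90.0, window=5):
    """Alert once per episode when CPU stays >= threshold for `window`
    consecutive samples. A lone spike never fires; a miner does."""
    alerts, run = [], 0
    for s in samples:
        if s.pct >= threshold:
            run += 1
            if run == window:          # fire exactly once per episode
                alerts.append(s.ts)
        else:
            run = 0                    # episode ended, re-arm
    return alerts


# Assumed log format: "<ts> host=<h> dst=<host|ip> dport=<n> [payload=<text>]"
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)(?:\s+payload=(?P<payload>.*))?")


def match_mining_iocs(lines, blocklist=MINING_HOSTS):
    """Return (destination, reasons) for each line that hits the blocklist
    or carries a Stratum marker; the marker check catches unknown pools."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower()
        payload = m.group("payload") or ""
        reasons = []
        if dst in blocklist:
            reasons.append("blocklisted host")
        if any(marker in payload for marker in STRATUM_MARKERS):
            reasons.append("stratum marker")
        if reasons:
            hits.append((dst, reasons))
    return hits


# Constructed samples: one CPU spike, then a sustained run starting at 1180.
SAMPLE_CPU = [CpuSample(1000 + 60 * i, p)
              for i, p in enumerate([20, 95, 30, 97, 98, 99, 96, 97, 99, 40])]
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z host=web01 dst=updates.example.test dport=443",
    "2024-01-05T10:00:07Z host=web01 dst=pool.example-mining.test dport=3333",
    '2024-01-05T10:00:09Z host=db02 dst=198.51.100.9 dport=14444 payload={"id":1,"method":"mining.subscribe","params":[]}',
    "2024-01-05T10:00:12Z host=web01 dst=203.0.113.55 dport=5555",
]

if __name__ == "__main__":
    print("CPU alerts at:", sustained_cpu_alerts(SAMPLE_CPU))
    for dst, why in match_mining_iocs(SAMPLE_LOGS):
        print(f"ALERT {dst}: {', '.join(why)}")
```

The window parameter is the tuning knob: five one-minute samples is enough to ignore a build job's burst on a web server, but a batch host that legitimately runs hot needs a baseline comparison rather than a flat threshold.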

Remediation

Containment

  • Liaise with the system owner and other stakeholders to isolate the infection
  • Take a snapshot / image before doing anything

Eradication

  • Remove the malicious software
  • Recover from known good backup

Remediation (cont.)

Recovery

  • Verify that the system is clean
  • Liaise with the system owner to bring it back to production

Lessons Learned / Post-mortem

  • Encourage a blame-free culture
  • Identify how the infection happened
  • Plan steps to prevent it happening in the future
  • Write a report for future reference / management

Prevention

  • Malspam emails
    • Spam email filtering and link protection
    • Block suspicious attachments (executables, macro-enabled documents)
    • Least privilege for users
  • Browser
    • Restrict extensions to an approved list
      • e.g. new versions of Firefox require signed extensions
    • Ad-blocker, No Coin, minerBlock
  • Existing vulnerabilities
    • Regular patch cycle
    • Track new exploits and patch out-of-cycle when one is being used against you

Prevention (cont.)

  • Employee
    • Acceptable usage policies
    • MOTD / login banner
  • Phished accounts
    • 2FA
    • Phishing block lists
    • User education

  • Additionally:
    • Firewall known mining IPs *
    • Application whitelisting
    • Resource alerting
    • Install what users need / want, so they don't fetch unvetted software themselves

* https://www.auscert.org.au/blog/2018-01-05-attackers-using-remote-coding-execution-vulnerabilities-install-cryptocurrency-miners-vulnerable-hosts
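"Firewall known mining IPs" is simple to state and easy to get wrong in practice: feeds contain duplicates, comments, CIDR ranges and malformed lines, and a silently dropped entry is a hole. The generator below is an added example, not code from the original deck or any project. It takes a constructed blocklist (RFC 5737 / RFC 3849 documentation addresses, not real pool addresses), validates and dedupes it, and emits an nftables script with interval sets and an outbound log-and-drop rule. Table and set names (`filter`, `mining_v4`, `mining_v6`) and the log prefix are assumed.

```python
"""Generate an nftables blocklist from a feed of known mining pool addresses
(added example, not from the original deck). The feed below is constructed
from documentation ranges, not real pool addresses."""
import ipaddress

SAMPLE_BLOCKLIST = """
# constructed feed: one entry per line, CIDR allowed, '#' starts a comment
203.0.113.55
203.0.113.55          # duplicate, must not appear twice
198.51.100.0/24
not-an-ip             # malformed, must be reported, not silently dropped
2001:db8::10
"""


def parse_blocklist(text):
    """Return (v4_nets, v6_nets, rejected): strips comments and blanks,
    normalises hosts to networks, dedupes, and keeps bad lines aside."""
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6), rejected


def _fmt(net):
    """Render single hosts without a /32 or /128 suffix, prefixes as CIDR."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def render_nft(v4, v6, table="filter"):
    """Emit an nft script: interval sets plus outbound log+drop rules. The
    log line is the detection; the drop alone would hide the infection."""
    lines = [f"table inet {table} {{"]
    for fam, nets, typ in (("v4", v4, "ipv4_addr"), ("v6", v6, "ipv6_addr")):
        lines += [f"  set mining_{fam} {{", f"    type {typ}", "    flags interval"]
        if nets:  # never emit an empty 'elements = { }' clause
            lines.append("    elements = { " + ", ".join(_fmt(n) for n in nets) + " }")
        lines.append("  }")
    lines += [
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        '    ip daddr @mining_v4 log prefix "mining-block " drop',
        '    ip6 daddr @mining_v6 log prefix "mining-block " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v4, v6, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    for entry in bad:
        print(f"# skipped malformed entry: {entry}")
    print(render_nft(v4, v6))
```

Review the output, then load it with `nft -f`. Treat the list as a tripwire rather than a wall: pool operators and miner proxies change addresses, so the logged hit is the valuable part, and the feed needs the same refresh cadence as the SIEM blocklist.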

Questions
