The PacketWatch Intelligence Team
During the surge of Bitcoin prices in 2017, nefarious actors hacked everything from web servers to browsers in an attempt to mine cryptocurrency. We even saw one of our client’s network routers be co-opted as coin miners!
We anticipate a similar surge of mining attacks in the coming weeks and months as cryptocurrency values soar once again, and new varieties flood the market. For example, Bitcoin’s value has skyrocketed to almost $40,000 in recent weeks, which will undoubtedly result in an increase in coin-mining hacking attempts.
Ideal targets are unpatched software systems and IoT devices. It’s not always possible to patch older software systems, and let’s face it; most organizations don’t know everything on their network. That’s where a combination of defenses can help.
Advanced endpoint protection, such as CrowdStrike Falcon, is something that we use and strongly recommend. Having such Endpoint Detection & Response (EDR) capabilities on your hosts is becoming an absolute “must” in this day and age of memory-resident file-less and polymorphic malware. Unlike traditional anti-virus that relies on matching signatures of known malware, EDR monitors file activity, processes, and communications on a host to detect known and unknown threats and will automatically block suspicious activity in real-time.
Unfortunately, not every endpoint can have EDR installed, such as printers, IoT, and other network-connected devices, and that’s where network monitoring becomes a key companion capability. PacketWatch monitors and records all network traffic and can spot the telltale signs of coin-mining activity, even on those devices that cannot be protected by EDR.
In December 2020, an enterprise-sized organization hired PacketWatch to help battle an incident that involved such a compromise. In this example, a PHP exploit was used to compromise a server and install a Bitcoin miner.
Using PacketWatch’s full packet capture to replay the coin-miner traffic, analysts were able to reverse engineer the scripts executed. As soon as the attackers compromised the Server, they also began running scripts to remove other competing coin miners that might be present in the environment, after which the script would harden the asset to prevent further intrusions. This level of visibility gave investigators a complete picture of the incident and left no questions about what had occurred and what the attackers were after. The client was able to clean the identified server and return to normal operation quickly.