This post is authored by Ashlee Benge.
Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see it as a quick way to steal other users' processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, resulting in reduced risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you — and your organization — should know about these kinds of campaigns.
This paper covers the fact that there is a low technical barrier to entry for attackers, and that there are accessible patches to protect users from many of these attacks. Because cryptomining campaigns are easy to launch, a broader set of actors have engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The use of well-known vulnerabilities by attackers essentially turns this problem into a canary-in-the-coalmine situation for defenders. If you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the weaknesses in your systems to gain access — potentially for more damaging purposes.
Snort signatures exist to provide coverage for a variety of miner downloads, malware variants related to cryptocurrency miners and to block protocols commonly used by miners.
The following SIDs detect incoming clients and miner downloads:
44692-44693, 45265-45268, 45809-45810, 45949-45952, 46365-46366 and 46370-46372.
The following SIDs detect malware variants known to be associated with miners:
20035, 20057, 26395, 28399, 28410-28411, 29493 - 29494, 29666, 30551- 30552, 31271- 31273, 31531 - 31533, 32013, 33149, 43467 - 43468, 44895 - 44899, 45468 - 45473, 45548, 45826 - 45827, 46238 - 46240.
The following SIDs detect Stratum protocols used by cryptocurrency workers:
26437, 40840 - 40842, 45417, 45549 - 45550, 45825, 45955.
Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.
Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see it as a quick way to steal other users' processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, resulting in reduced risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you — and your organization — should know about these kinds of campaigns.
This paper covers the fact that there is a low technical barrier to entry for attackers, and that there are accessible patches to protect users from many of these attacks. Because cryptomining campaigns are easy to launch, a broader set of actors have engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The use of well-known vulnerabilities by attackers essentially turns this problem into a canary-in-the-coalmine situation for defenders. If you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the weaknesses in your systems to gain access — potentially for more damaging purposes.
Prior Coverage
Snort signatures exist to provide coverage for a variety of miner downloads, malware variants related to cryptocurrency miners and to block protocols commonly used by miners.
The following SIDs detect incoming clients and miner downloads:
44692-44693, 45265-45268, 45809-45810, 45949-45952, 46365-46366 and 46370-46372.
The following SIDs detect malware variants known to be associated with miners:
20035, 20057, 26395, 28399, 28410-28411, 29493 - 29494, 29666, 30551- 30552, 31271- 31273, 31531 - 31533, 32013, 33149, 43467 - 43468, 44895 - 44899, 45468 - 45473, 45548, 45826 - 45827, 46238 - 46240.
The following SIDs detect Stratum protocols used by cryptocurrency workers:
26437, 40840 - 40842, 45417, 45549 - 45550, 45825, 45955.
Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.
