Skip to main content

Potential Cryptomining Attack on Host

This alert occurs when Lacework detects unauthorized cryptocurrency mining on your host.

Why this alert is important

Cryptomining attack presents a unique set of cybersecurity challenges and may also indicate a need to review and harden cybersecurity practices.

Investigation

Follow these steps to investigate the alert:

  1. Monitor your host's resource consumption, such as CPU, memory, and network usage. Unusually high utilization may indicate cryptomining activity.
  2. Identify any unfamiliar or suspicious processes running on the host. Look for processes that consume a significant amount of CPU or perform intensive calculations.
  3. Inspect the network traffic originating from the host. Look for connections to known cryptomining pools or suspicious IP addresses associated with mining operations.
  4. Examine system logs, application logs, and security logs for any unusual activities or errors related to cryptomining. Look for entries that mention mining software or mining-related activities. Run a malware scan on the host using reputable antivirus or anti-malware software. This can help detect any malicious software or cryptomining malware on the system.
  5. Review user accounts and privileges on the host. Check for any unauthorized or suspicious user accounts that may have been created to carry out the mining activity.
  6. Examine startup processes, cron jobs, and other scripts running on the host. Malicious actors often use these to launch mining software on the system persistently.
  7. Assess the host for known vulnerabilities or outdated software versions that could have been exploited to gain unauthorized access for cryptomining purposes.
  8. Coordinate with your network and security teams to analyze network logs, intrusion detection systems, and other security tools that may provide additional insights into the attack.

Resolution

Follow these steps to resolve the alert:

  1. After the cryptomining attack is confirmed, disconnect the compromised host from the network to prevent further damage and limit the attacker's access.
  2. Analyze the host's logs, network traffic, and other information to determine how the attacker gained access. Look for any vulnerabilities or misconfigurations that were exploited.
  3. Identify and remove any cryptomining software or malware from the affected host. Ensure the removal process is thorough to prevent any attack remnants. Utilize reputable antivirus or anti-malware tools to scan and eliminate malicious components.
  4. Update the host's software, applications, and operating system to the latest versions. Apply security patches and fixes for known vulnerabilities exploited in the attack. Regularly maintain and update your systems to minimize the risk of future attacks.
  5. Assess the user accounts and access permissions on the host. Disable or remove any unauthorized or suspicious accounts created by the attacker. Implement strong password policies and multi-factor authentication to enhance security.
  6. Implement security best practices, such as disabling unnecessary services, restricting remote access, and configuring firewalls and intrusion detection systems. Review and strengthen the host's security settings to minimize the risk of future attacks.
  7. Educate your system administrators and users about the risks of cryptomining attacks and provide guidance on best practices for maintaining a secure environment. Promote awareness of phishing attempts and social engineering techniques used to gain unauthorized access.
  8. Implement robust monitoring and logging solutions to detect any unusual behavior or indicators of cryptomining activity. Continuously monitor system resources, network traffic, and user activities to identify any potential reoccurrence or new security threats.