What a beautiful cryptocurrency mining operation you’re funding…


Lately there has been a lot of buzz around public and private cloud machines being compromised and used to mine digital currency, and every day we’re presented with new opportunities to learn from the misfortunes of others.

Because of the expense associated with mining digital currency[1] and the sometimes wide-open security posture of public cloud servers, these machines are natural targets of opportunity for illicit cryptocurrency mining.  In this post I'll outline some preventative measures, using CloudPassage Halo, that keep your cloud servers from being used to mine digital currency.

Bitcoin is arguably the most widely-recognized cryptocurrency in the world.  For a quick run-down on Bitcoin and the mining process, look here[2].  As its popularity has grown, so has the mining difficulty, and with it the cost of mining… if you have to pay the power and computing bill.  Fortunately for those who would rather not pay for such things, many public cloud operating systems are left in a near-default state: wide open and unsecured.

We're going to look at some basic best practices that will make your systems a hard target, and at some policies for Indicators of Compromise (IOCs) that will alert you before your hosting bill goes off the charts.

First, let’s take a high-level look at a real-life scenario:

In his blog post[3] on January 7th, Rich Mogull details how his Amazon AWS credentials were obtained by a bad actor and used to spin up a number of virtual machines for mining bitcoin.  Beyond the steps he has taken to make a repeat compromise harder, there are a few more things Halo customers can do to keep a tighter grip on their virtual infrastructure:

GhostPorts: Local console access (virtual or otherwise) isn't always available for cloud servers, so SSH is the usual way in.  Use GhostPorts to make sure it is reachable only where, when, and by whom it is absolutely necessary.

Firewall Orchestration: Use Halo to manage your host firewalls, and not just for inbound traffic but for egress as well.  Mining pools often run on uncommon ports (tcp/3333, tcp/8332, etc.), so a default-deny policy for outbound connections is a no-brainer.  Some pools fall back to the HTTP and HTTPS ports, though, so port filtering alone is not enough: limit egress by destination IP as well as by destination port.
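The following is an added example, not CloudPassage's firewall orchestration or any Halo code.  It expresses an egress allowlist once and uses it two ways: rendered as an iptables-restore fragment with a default-deny OUTPUT policy, and used to audit `ss -tnp` output for connections that policy would have blocked.  The allowlist networks, the resolver address 10.0.0.2, and the `ss` sample are all constructed for the example; the HTTPS fallback case is caught only because the allowlist carries destination IPs as well as ports.

```python
"""Egress policy for a cloud host: rendered as iptables rules and used to audit
live connections. Added example, not CloudPassage/Halo code."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Ports the post names as common for mining pools / bitcoind RPC.
MINING_PORTS = {3333, 8332}

# Hypothetical egress allowlist: (destination network, TCP port). Carrying the
# destination IP is what lets a pool's HTTPS fallback be caught.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.0.0.0/8"), 443),       # internal services (assumed)
    (ipaddress.ip_network("203.0.113.0/24"), 443),   # package mirror (TEST-NET-3, assumed)
    (ipaddress.ip_network("10.0.0.2/32"), 53),       # resolver, TCP fallback (assumed)
]


def iptables_rules(allowlist=ALLOWED_EGRESS) -> List[str]:
    """Render the allowlist as an iptables-restore fragment for the OUTPUT chain."""
    rules = [
        "*filter",
        ":OUTPUT DROP [0:0]",                                   # default deny for egress
        "-A OUTPUT -o lo -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -d 10.0.0.2/32 -p udp --dport 53 -j ACCEPT",  # DNS over UDP (assumed resolver)
    ]
    for net, port in allowlist:
        rules.append(f"-A OUTPUT -d {net} -p tcp --dport {port} -j ACCEPT")
    rules.append("COMMIT")
    return rules


class Conn(NamedTuple):
    local: str
    remote_ip: str
    remote_port: int
    process: str


# Constructed sample of `ss -tnp` output; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB  0      0      10.0.1.5:41234      10.0.2.9:443         users:(("curl",pid=1201,fd=3))
ESTAB  0      0      10.0.1.5:55120      198.51.100.77:3333   users:(("minerd",pid=2331,fd=4))
ESTAB  0      0      10.0.1.5:55121      198.51.100.78:443    users:(("minerd",pid=2331,fd=5))
ESTAB  0      0      10.0.1.5:39900      203.0.113.10:443     users:(("apt-get",pid=1899,fd=3))
"""


def parse_ss(text: str) -> List[Conn]:
    """Parse established connections out of `ss -tnp` output."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        ip, port = parts[4].rsplit(":", 1)          # rsplit also handles [v6]:port
        m = re.search(r'\(\("([^"]+)"', parts[5]) if len(parts) == 6 else None
        conns.append(Conn(parts[3], ip.strip("[]"), int(port), m.group(1) if m else ""))
    return conns


def is_allowed(ip: str, port: int, allowlist=ALLOWED_EGRESS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net and port == p for net, p in allowlist)


def audit_connections(text: str, allowlist=ALLOWED_EGRESS) -> List[Tuple[Conn, List[str]]]:
    """Return connections the policy would block, each with its reason(s)."""
    findings = []
    for c in parse_ss(text):
        reasons = []
        if c.remote_port in MINING_PORTS:
            reasons.append("mining-pool port")
        if not is_allowed(c.remote_ip, c.remote_port, allowlist):
            reasons.append("not on egress allowlist")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for conn, why in audit_connections(SAMPLE_SS):
        print(f"{conn.process or '?'} -> {conn.remote_ip}:{conn.remote_port}: {', '.join(why)}")
```

In the sample, the connection to port 3333 is flagged on the port alone, while the same process's second connection to port 443 is flagged only because its destination is not on the allowlist, which is exactly the case a port-only rule misses.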

File Integrity Monitoring: To make sure nothing unauthorized kicks off at boot, monitor your startup configuration.  On init-based distributions that means /etc/init.d/*, /etc/inittab, /etc/rc.local (and anything it references), and the /etc/rc[1-6].d directories; on systemd-based distributions add /etc/systemd/system and the unit files it links to.  /etc/cron.d and the per-user crontabs are worth the same treatment, since a scheduled job is another easy way to keep a miner running.
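Here is an added example of the baseline-and-compare check described above; it is not Halo's file integrity monitoring.  It hashes the init-style watch list from the post, follows the absolute paths mentioned in rc.local so that "anything it references" is covered, and then, in `demo()`, plants a miner the way the CPUMiner deployment below describes (binary dropped in place plus a line in rc.local) to show what the diff reports.  The directory tree, the file contents, and the `/usr/local/bin/minerd` path are constructed for the demo; on a real host the paths are absolute and the baseline would be stored off-box.

```python
"""Baseline-and-compare integrity check for init-style startup configuration.
Added example, not Halo's FIM; paths are taken relative to a chosen root so
the demo can run against a constructed temporary tree."""
import hashlib
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

# Watch list from the post, relative to root.
WATCH_PATHS = ["etc/inittab", "etc/rc.local", "etc/init.d"] + [f"etc/rc{n}.d" for n in range(1, 7)]

Record = Tuple[str, int, int, str]   # (mode, uid, gid, sha256 of content or link target)


def referenced_paths(rc_local_text: str) -> List[str]:
    """Absolute paths mentioned in rc.local, so 'anything it references' is watched too."""
    return sorted(set(re.findall(r"(?<![\w/])(/[\w./-]+)", rc_local_text)))


def file_record(path: str) -> Record:
    """Mode, ownership and a content hash; symlinks (rcN.d entries) hash their target path."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return (oct(st.st_mode), st.st_uid, st.st_gid, h.hexdigest())


def snapshot(root: str) -> Dict[str, Record]:
    """Record every watched file under root, keyed by root-relative path."""
    targets = [os.path.join(root, p) for p in WATCH_PATHS]
    rc_local = os.path.join(root, "etc/rc.local")
    if os.path.isfile(rc_local):
        with open(rc_local) as f:
            targets += [root + p for p in referenced_paths(f.read())]
    records: Dict[str, Record] = {}
    for t in targets:
        if os.path.isdir(t) and not os.path.islink(t):
            for dirpath, _, files in os.walk(t):
                for name in files:
                    p = os.path.join(dirpath, name)
                    records[os.path.relpath(p, root)] = file_record(p)
        elif os.path.lexists(t):
            records[os.path.relpath(t, root)] = file_record(t)
    return records


def compare(baseline: Dict[str, Record], current: Dict[str, Record]):
    """Return (added, removed, modified) root-relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return added, removed, modified


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a clean tree, baseline it, plant a miner as the post describes, re-check."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc/init.d"))
        os.makedirs(os.path.join(root, "etc/rc2.d"))
        with open(os.path.join(root, "etc/init.d/sshd"), "w") as f:
            f.write("#!/bin/sh\n# start sshd\n")
        os.symlink("../init.d/sshd", os.path.join(root, "etc/rc2.d/S20sshd"))
        with open(os.path.join(root, "etc/rc.local"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        baseline = snapshot(root)

        # Attacker drops a binary and adds a line to rc.local to start it on boot
        # (constructed placeholder content, not a real miner binary).
        os.makedirs(os.path.join(root, "usr/local/bin"))
        with open(os.path.join(root, "usr/local/bin/minerd"), "wb") as f:
            f.write(b"\x7fELF...")
        with open(os.path.join(root, "etc/rc.local"), "w") as f:
            f.write("#!/bin/sh\n/usr/local/bin/minerd -B -a scrypt\nexit 0\n")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The second snapshot picks up the new binary only because rc.local now references it, which is why the watch list has to be recomputed from rc.local on every run rather than fixed at baseline time.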

Auditing your cloud servers: If Halo is installed on all of your cloud servers, a server that appears without the Halo daemon may mean your cloud hosting account has been compromised.  The script in the CloudPassage Toolbox[4] lists which machines in your accounts do not have the Halo agent installed.

Sometimes business requirements keep us from locking down firewall communication as tightly as we would like, and compromises happen despite our best efforts to secure our cloud infrastructure.  When preventative measures fail it is imperative to have a strategy for detection and remediation.

Some Bitcoin miners can also mine Bitcoin-derived currencies such as Litecoin, Peercoin, and Dogecoin.  We're going to look at two *coin miners and how to catch them before they blow up your bill.  For CPUMiner[5] and CudaMiner[6] we'll cover three aspects: Benefits, Deployment, and Detection.  Remediation will depend on your internal policies.  If you have the time, it is worth forensically investigating how the server was compromised; if you don't, you can destroy the cloud server and move on.  Either way, treat any credentials that server held as compromised.

To download the policy to detect these two programs, go here[7].

CPUMiner

  • Benefits: It's easy to install (precompiled binaries are available) and depends only on curl and jansson at run time.
  • Deployment: You can grab a precompiled binary from SourceForge for a number of different platforms, or build it yourself.  With so few run-time requirements, you just need to make sure the dependencies are met, drop the binary in place, and add a line to /etc/rc.local to start it on boot.
  • Detection: Since the binary can be dropped anywhere, checking the process table is more reliable than checking for a file.  The process name is 'minerd'.  Create a policy under Server Configuration Policies in the CloudPassage Portal that triggers when this process name is seen.  Bear in mind that an attacker can rename the binary, so pair this check with the egress firewall rules described earlier.

CudaMiner

  • Benefits: This miner uses Nvidia's CUDA to run on GPUs, giving a hash rate orders of magnitude higher than CPUMiner's.
  • Deployment: Because it relies on specific hardware and drivers, the process is more involved: you must install Nvidia's CUDA toolkit and a number of other packages to get CudaMiner running on a server.
  • Detection: If you follow the build instructions, the binary lands at /usr/local/bin/cudaminer.  A configuration policy that looks for this file is a good starting point; as with the CPUMiner detection above, it is set under Configuration Policies in the CloudPassage Portal.
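As an added example of the two detection checks above, not a Halo configuration policy, the script below parses `ps -eo pid,user,comm,args` output for the process name 'minerd' and checks whether the CudaMiner binary exists at its default install path.  It also flags a pool URL on the command line, because a renamed binary would slip past the name check; the `stratum+tcp://` scheme and the port pattern are my assumption about what such a command line looks like.  The `ps` sample and the temporary tree in `demo_paths()` are constructed so the script runs offline.

```python
"""Process-table and file-path checks for the two miners discussed in the post.
Added example, not a Halo configuration policy; parses constructed
`ps -eo pid,user,comm,args` output so it runs offline."""
import os
import re
import shutil
import tempfile
from typing import List, NamedTuple, Tuple

KNOWN_MINER_NAMES = {"minerd", "cudaminer"}          # process names from the post
KNOWN_MINER_PATHS = ["/usr/local/bin/cudaminer"]     # default install path from the post
# A pool URL on the command line is a stronger indicator than the process name,
# since the binary can be renamed. Pattern is an assumption, not from the post.
POOL_URL = re.compile(r"stratum\+tcp://|:(3333|8332)\b")


class Proc(NamedTuple):
    pid: int
    user: str
    comm: str
    args: str


# Constructed sample of `ps -eo pid,user,comm,args`; not from a real host.
SAMPLE_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     init            /sbin/init
  842 root     sshd            /usr/sbin/sshd -D
 2331 www-data minerd          /tmp/.x/minerd -a scrypt -o stratum+tcp://pool.example:3333 -u w.1 -p x
 2410 root     kworker/0:1     [kworker/0:1]
 2555 nobody   httpd           /opt/httpd -o stratum+tcp://pool.example:3333
"""


def parse_ps(text: str) -> List[Proc]:
    """Split `ps` output into (pid, user, comm, args); the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        procs.append(Proc(int(parts[0]), parts[1], parts[2], parts[3] if len(parts) == 4 else ""))
    return procs


def check_processes(text: str) -> List[Tuple[Proc, List[str]]]:
    """Return processes that look like miners, each with the reason(s) it matched."""
    hits = []
    for p in parse_ps(text):
        reasons = []
        if p.comm in KNOWN_MINER_NAMES:
            reasons.append(f"known miner process name {p.comm}")
        if POOL_URL.search(p.args):
            reasons.append("pool URL on command line")
        if reasons:
            hits.append((p, reasons))
    return hits


def check_paths(root: str = "/") -> List[str]:
    """Known miner binaries present under root (root other than '/' is for testing)."""
    return [p for p in KNOWN_MINER_PATHS if os.path.exists(os.path.join(root, p.lstrip("/")))]


def demo_paths() -> List[str]:
    """Constructed tree with the CudaMiner binary at its default location."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "usr/local/bin"))
        open(os.path.join(root, "usr/local/bin/cudaminer"), "wb").close()
        return check_paths(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for proc, why in check_processes(SAMPLE_PS):
        print(f"pid {proc.pid} ({proc.user}) {proc.comm}: {', '.join(why)}")
    print("miner binaries on disk:", check_paths())
```

In the sample, pid 2331 is caught by its name and pid 2555 only by its command line, which is the case the name check alone would miss.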

To summarize, cloud computing requires a shift in mindset, away from the old datacenter model where the perimeter is tightly controlled.  When every host is public attack surface, a weak security posture can lead not only to data exfiltration or denial of service, but to an enormous increase in your utility computing bill, especially when a compromised server can be run at maximum capacity to create monetary instruments like Bitcoin.

When each cloud server is a public target, you must harden and audit every single one.

[1]:
[2]:
[3]:
[4]:
[5]:
[6]:
[7]:
