Cloud Firewall can defend against mining worms by detecting and blocking malicious inbound and outbound traffic on the cloud in real time. This topic describes how to use Cloud Firewall and Security Center to defend against mining worms from the dimensions of prevention, detection, and damage control. In this topic, a cloud-based environment is used.
Edition limits
Cloud Firewall
Only Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition can detect and defend against mining worms. Free Edition cannot. If you want to use Cloud Firewall for this purpose, purchase one of the three paid editions. For more information, see Purchase Cloud Firewall.
Security Center
The features supported by Security Center vary based on the editions of Security Center. For more information, see Functions and features.
Characteristics of mining programs
Mining programs drive the CPU to sustained high utilization, which starves the other applications that run on your server of CPU resources.
Mining programs behave much like computer worms. After a mining program intrudes into a server, it scans and spreads to the other servers in the same internal network, and it establishes persistence on every server it compromises.
In most cases, mining programs hook into multiple system services and are difficult to remove completely. They reappear after a partial cleanup, and system commands may have been replaced with malicious scripts, so the system may also run other malware such as XOR DDoS. When you clean up a host, remove the mining process together with every trojan, persistence mechanism, and webshell it left behind in the same maintenance window. Otherwise, the mining program will be reinstalled.
How mining worms spread
The 2018 Cryptocurrency Mining Hijacker Report released by the Alibaba Cloud security team shows that outbreaks of mining worms closely follow the disclosure of widely exploitable zero-day vulnerabilities. Mining worms occupy system resources, which may cause service interruptions. Some mining worms, such as Xbash, are also bundled with ransomware, and this type of worm causes both economic and data loss for enterprises.
Based on its analysis of mining programs, the Alibaba Cloud security team concludes that mining worms in the cloud spread by exploiting the following types of vulnerabilities:
Common vulnerabilities
Mining worms continuously scan the Internet for common weaknesses in network applications, such as misconfigurations and weak passwords, and brute-force logon services such as SSH, Remote Desktop Protocol (RDP), and Telnet to compromise hosts.
Zero-day and N-day vulnerabilities
Mining worms also exploit zero-day and N-day vulnerabilities to compromise a large number of hosts in the window before the vulnerabilities are fixed.
Solutions to defense against mining worms
| Phase | Solution | References |
| --- | --- | --- |
| Before intrusion | Configure access control policies in the Cloud Firewall console so that only traffic to and from trusted addresses is allowed. | Create outbound access control policies that allow traffic only to trusted public IP addresses and deny traffic to all other IP addresses. For more information, see Access control policies. |
| Before intrusion | Enable block mode in the Threat Engine Mode section of the Cloud Firewall console so that mining activity is blocked as soon as it is detected. | |
| Before intrusion | Use the intrusion prevention feature of Cloud Firewall to detect and block attack traffic. | |
| Before intrusion | Use the antivirus feature of Security Center to automatically block common viruses, malicious network connections, and webshell connections. This prevents mining activity on Elastic Compute Service (ECS) instances. | |
| Before intrusion | Handle alerts in the Security Center console to check whether mining programs or connections to mining pools exist on ECS instances. | |
| During intrusion | Use the breach awareness feature of Cloud Firewall to detect mining worms. | The event list on the Breach Awareness page shows the specific events and the addresses that initiated outbound connections. For more information, see Use Cloud Firewall to detect mining worms. |
| During intrusion | Use the intrusion prevention feature to limit the damage of an intrusion. | Turn on Basic Policies on the Prevention Configuration page to block downloads of malicious files. For more information, see How do I use Cloud Firewall to immediately control the damages of mining worms? |
| During intrusion | Create access control policies in the Cloud Firewall console to deny the connections of mining programs. | Create outbound access control policies that allow traffic only to trusted public IP addresses and deny traffic to the IP addresses of mining pools. |
| During intrusion | Apply the best practices of Cloud Firewall that are based on ATT&CK. | Cloud Firewall provides features for the different ATT&CK stages, including basic protection, virtual patching, and threat intelligence, which you can use to harden your network. For more information, see Best practices of Cloud Firewall based on ATT&CK. |
| After intrusion | Use Security Center to trace the source of attacks launched by mining viruses. | View the source tracing results of the attacks. If no mining viruses are detected and no alerts are generated for seven days, the mining viruses or trojans have been removed. For more information about the query results, see Breach awareness. |
Use Cloud Firewall to defend against mining worms
Defense against mining worms that exploit common vulnerabilities
Some mining worms spread by brute-forcing logon services such as SSH and RDP. To defend against these worms, Cloud Firewall provides the basic protection feature, which uses the standard methods for detecting brute-force attacks: it counts logon failures per source IP address within a time window and blocks the addresses whose failures exceed the threshold. It also models normal user access patterns and frequency so that legitimate requests are allowed while requests that deviate from the behavior model are denied.
This feature takes advantage of the big data capabilities of Alibaba Cloud and generates precise defense rules from the malicious attack samples that the Alibaba Cloud security team has accumulated. It therefore also protects your assets against worms that exploit other common weaknesses, such as writing crontab entries through unauthenticated Redis and user-defined function (UDF) based command execution in databases.
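The per-source threshold logic described above, as an added example that is not code from the page or from Cloud Firewall. It parses a constructed sshd log excerpt, counts failed logons per source address in a sliding window, and turns the offenders into inbound deny rules. The log lines, addresses, threshold, window, and the rule dictionary shape are all assumptions for illustration; the dictionary is not the Cloud Firewall API schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt used as sample input (not real logs from the page).
# 203.0.113.10 fails six times within about two minutes (brute force),
# 198.51.100.7 fails twice ten minutes apart (a typo-prone admin),
# 192.0.2.5 fails six times but eight minutes apart (low-and-slow, below the window threshold).
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Mar 10 12:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.10 port 40123 ssh2
Mar 10 12:00:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 40130 ssh2
Mar 10 12:00:09 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.10 port 40131 ssh2
Mar 10 12:00:12 web1 sshd[2207]: Failed password for root from 203.0.113.10 port 40140 ssh2
Mar 10 12:00:30 web1 sshd[2230]: Failed password for root from 192.0.2.5 port 50001 ssh2
Mar 10 12:01:40 web1 sshd[2210]: Failed password for root from 203.0.113.10 port 40150 ssh2
Mar 10 12:01:41 web1 sshd[2212]: Accepted publickey for deploy from 10.0.0.8 port 51000 ssh2
Mar 10 12:03:00 web1 sshd[2220]: Failed password for deploy from 198.51.100.7 port 33000 ssh2
Mar 10 12:08:30 web1 sshd[2231]: Failed password for root from 192.0.2.5 port 50002 ssh2
Mar 10 12:13:00 web1 sshd[2225]: Failed password for deploy from 198.51.100.7 port 33002 ssh2
Mar 10 12:16:30 web1 sshd[2232]: Failed password for root from 192.0.2.5 port 50003 ssh2
Mar 10 12:24:30 web1 sshd[2233]: Failed password for root from 192.0.2.5 port 50004 ssh2
Mar 10 12:32:30 web1 sshd[2234]: Failed password for root from 192.0.2.5 port 50005 ssh2
Mar 10 12:40:30 web1 sshd[2235]: Failed password for root from 192.0.2.5 port 50006 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, user) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logons and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_force_sources(log_text, threshold=5, window_minutes=5, year=2024):
    """Return {source_ip: time the threshold was crossed} for every source with
    at least `threshold` failed logons inside a sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_failures(log_text, year))
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def deny_rules(flagged, port=22):
    """Turn flagged sources into inbound deny rules. The dictionary shape is an
    illustrative assumption, not the Cloud Firewall API's own schema."""
    return [
        {"direction": "inbound", "source": f"{ip}/32", "destination": "0.0.0.0/0",
         "protocol": "TCP", "port": str(port), "action": "deny",
         "description": f"SSH brute force, threshold crossed at {ts.isoformat()}"}
        for ip, ts in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for rule in deny_rules(find_brute_force_sources(SAMPLE_LOG)):
        print(rule)
```

With the default five failures in five minutes only 203.0.113.10 is flagged; the low-and-slow source 192.0.2.5 only shows up when the window is widened to an hour, which is the trade-off behind the behavior model mentioned above: a fixed threshold alone misses patient scanners.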
You can enable basic protection to defend against mining worms that exploit common vulnerabilities. To enable basic protection, perform the following steps:
Log on to the Cloud Firewall console.
In the left-side navigation pane, open the IPS Configuration page.
In the Threat Intelligence section, turn on Threat Intelligence.
In the Advanced Settings section, turn on Basic Policies.
To view the detailed blocking logs, open the Intrusion Prevention page from the left-side navigation pane.
Defense against mining worms that exploit zero-day and N-day vulnerabilities
If widely present zero-day and N-day vulnerabilities are not fixed promptly, mining worms are likely to exploit them. Cloud Firewall analyzes attack traffic captured by honeypots deployed across the network and obtains vulnerability intelligence from the Alibaba Cloud Crowdsourced Security Testing Platform. This allows Cloud Firewall to learn about zero-day and N-day vulnerabilities early, obtain their proofs of concept (POCs) or exploits, and publish virtual patches before customers have patched their hosts.
You can enable virtual patching to defend against mining worms that exploit zero-day and N-day vulnerabilities. To enable virtual patching, perform the following steps:
Log on to the Cloud Firewall console.
In the left-side navigation pane, open the IPS Configuration page.
In the Advanced Settings section, turn on Virtual Patching and click OK.
Click Configure in the lower-right corner of Virtual Patching to view the information about enabled virtual patching policies or manage the policies.
Use Cloud Firewall to detect mining worms
Even with the Internet firewall enabled to prevent intrusions, hosts may still be infected by mining worms. Mining worms can spread from a development machine into a production network over a VPN, and if the system images or Docker images used for O&M have been seeded with mining malware, a large number of hosts may be compromised at once.
Cloud Firewall uses Network Traffic Analysis (NTA) to provide the breach awareness feature, which detects host intrusion events promptly and efficiently. Cloud Firewall draws on a large threat intelligence network to identify the mining pool addresses of common cryptocurrencies and the communication protocols that mining pools use, and to detect downloads of mining trojans. It also identifies mining behavior of hosts in real time and generates alerts.
You can turn on Auto Blocking on the Breach Awareness page so that Cloud Firewall blocks the communication between detected mining trojans and mining pools automatically. To review the detected events and clean up an infected host, perform the following steps:
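The two signals mentioned above, known pool addresses and the pool communication protocol, as an added example that is not code from the page or from Cloud Firewall. It classifies constructed outbound flow records by matching the destination against a pool indicator list and by parsing the client's first bytes for Stratum JSON-RPC method names (mining.subscribe, login, and so on) and the miner agent string. The pool hostnames, addresses, port list, and flow records are placeholders and assumptions for this example, not Cloud Firewall's threat intelligence.

```python
import json
from dataclasses import dataclass

# Constructed indicator lists (assumptions for this example). Pool hostnames are
# placeholders in the reserved .test domain, not real mining pools.
POOL_DOMAINS = {"pool.example-mining.test", "xmr.example-pool.test"}
# JSON-RPC method names used by the Stratum mining protocol and its XMRig variant.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "login", "submit", "keepalived"}
# Ports that mining pools commonly listen on. On its own this is only a weak signal.
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444}


@dataclass
class Flow:
    src: str
    dst: str          # IP address, or the hostname seen in DNS/SNI
    dport: int
    payload: bytes    # first bytes sent by the client; empty if encrypted or unavailable


def _messages(payload):
    """Yield the JSON objects in a newline-delimited payload, skipping anything else."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        if isinstance(msg, dict):
            yield msg


def stratum_methods(payload):
    """Return the Stratum JSON-RPC method names found in the payload."""
    return [m["method"] for m in _messages(payload) if m.get("method") in STRATUM_METHODS]


def miner_agent(payload):
    """Return the miner user agent advertised during the handshake, if any."""
    for msg in _messages(payload):
        params = msg.get("params")
        # XMRig style: {"method":"login","params":{"agent":"XMRig/6.21.0", ...}}
        if isinstance(params, dict) and isinstance(params.get("agent"), str):
            return params["agent"]
        # Classic Stratum: {"method":"mining.subscribe","params":["cpuminer/2.5.1"]}
        if msg.get("method") == "mining.subscribe" and params and isinstance(params[0], str):
            return params[0]
    return None


def assess(flow):
    """Return (severity, reasons) where severity is 'high', 'low' or 'none'."""
    reasons = []
    if flow.dst in POOL_DOMAINS:
        reasons.append(f"destination {flow.dst} is a known mining pool")
    methods = stratum_methods(flow.payload)
    if methods:
        reasons.append("Stratum methods " + ",".join(methods))
    agent = miner_agent(flow.payload)
    if agent:
        reasons.append(f"miner agent {agent}")
    if reasons:
        return "high", reasons
    if flow.dport in POOL_PORTS:
        return "low", [f"port {flow.dport} is commonly used by mining pools"]
    return "none", []


# Constructed sample flows: a classic Stratum miner, an XMRig login to a bare IP,
# a normal HTTPS connection, and an SSH session that merely uses a pool-like port.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "pool.example-mining.test", 3333,
         b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'),
    Flow("10.0.0.15", "198.51.100.20", 14444,
         b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet-placeholder","pass":"x","agent":"XMRig/6.21.0"}}\n'),
    Flow("10.0.0.20", "api.example.com", 443, b""),
    Flow("10.0.0.21", "203.0.113.9", 4444, b"SSH-2.0-OpenSSH_9.2\r\n"),
]


def report(flows):
    """Return [(src, dst, severity, reasons)] for every flow that is not clean."""
    out = []
    for f in flows:
        severity, reasons = assess(f)
        if severity != "none":
            out.append((f.src, f.dst, severity, reasons))
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_FLOWS):
        print(entry)
```

The XMRig flow in the sample goes to a bare IP address that is on no indicator list, and it is still caught by the protocol parser; that is why protocol awareness matters alongside address intelligence. Encrypted pool traffic (TLS Stratum) leaves only the destination and port signals, which is the limitation the page's reliance on threat intelligence addresses.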
Log on to the Cloud Firewall console.
In the left-side navigation pane, open the Breach Awareness page.
Find an event that is related to a mining program and click View Details in the Actions column.
The details panel shows the address that initiated the outbound connections.
Log on to the server on which the mining program was detected, locate the mining process together with its persistence mechanisms (for example, crontab entries and replaced system commands), and remove them all.
How do I use Cloud Firewall to immediately control the damages of mining worms?
If a host is compromised by mining worms, Cloud Firewall can prevent the worms from spreading and reduce economic and data loss in three ways: block malicious file downloads, intercept the communication between mining worms and their command and control (C&C) servers, and enforce enhanced access control for critical business.
Block malicious file downloads
In most cases, a host downloads additional malicious files after it is compromised by a mining worm, for example updated payloads of the worm. Basic protection integrates malicious file detection and continuously updates the signatures and fuzzy hashes of the malicious files used by common mining worms. It reassembles the files that your host downloads from the traffic and matches them against these signatures. If a download of a malicious file is detected, an alert is generated and the download is blocked.
To block malicious file downloads, turn on Basic Policies on the IPS Configuration page.
Intercept communication between C&C servers and mining worms
After a host is compromised by a mining worm, the worm receives instructions from its C&C servers and may leak sensitive data from the host. Basic protection intercepts the communication between the worms and the C&C servers in real time by using the following methods:
Basic protection monitors and analyzes network-wide data about mining worms and the traffic to their C&C servers, extracts the characteristics of this unusual communication, and uses them to identify traffic between mining worms and C&C servers so that attacks are detected promptly.
Basic protection learns from historical access information and builds a model that detects unusual traffic and uncovers potential mining worm activity.
Basic protection maps access behavior across IP addresses and uses machine learning to detect suspicious IP addresses and domains. A threat intelligence library of C&C servers is built from network-wide attack data, and host traffic is matched against this library to block malicious traffic between C&C servers and mining worms.
You can turn on the corresponding switch in the Basic Protection section of the IPS Configuration page to intercept the communication between C&C servers and mining worms.
Enable enhanced access control for critical business
To run critical business, enterprises often have to expose services or ports to the Internet, and Internet-wide scans and attacks against those assets make fine-grained control of inbound access difficult. Outbound connections are different: the connections that an ECS instance, elastic IP address, or internal network legitimately initiates go to a small and known set of domain names and IP addresses. Cloud Firewall applies outbound access control to that set so that a compromised ECS instance cannot fetch a mining trojan from a suspicious domain and a trojan that is already present cannot reach its C&C servers.
Cloud Firewall lets you write access control policies on source IP addresses and on destination domain names, including wildcard domain names. For critical business, configure fine-grained outbound policies, for example by allowing a critical port only toward specific domain names or IP addresses. Such policies prevent mining worms from being downloaded and from spreading, and they deny surviving worms the connectivity they need to act.
For example, suppose the hosts in an internal network connect outbound to only six destination IP addresses, all NTP traffic goes to Alibaba Cloud NTP services, and the DNS server is 8.8.8.8. Based on the security suggestions that Cloud Firewall provides, you can configure policies that allow outbound connections only to those six IP addresses, the NTP service, and the DNS server, and deny everything else. These policies block malicious downloads and outbound C&C connections without affecting normal business access.
To configure the policies, open the access control page from the left-side navigation pane of the Cloud Firewall console. On the Internet Border tab, click the Outbound tab. Then, configure policies that allow outbound connections to the trusted destination addresses and deny all other outbound connections.
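The allowlist-plus-default-deny outbound policy of the scenario above, as an added example that is not code from the page or from Cloud Firewall. It models an ordered rule set with IP, CIDR, and wildcard domain destinations and evaluates constructed outbound connections against it, first match wins. The six trusted addresses, the NTP hostname pattern, the internal range, and the rule dictionary shape are assumptions for this example; only 8.8.8.8 as the DNS server comes from the scenario, and the dictionaries are not the Cloud Firewall policy schema.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed outbound rule set modelled on the scenario above (assumptions):
# six trusted destination addresses, the cloud NTP service, public DNS,
# the internal VPC range, and an explicit default deny at the end.
RULES = [
    {"name": "trusted-ips", "proto": "TCP", "ports": ["443"], "action": "allow",
     "dst": ["203.0.113.10", "203.0.113.11", "203.0.113.12",
             "198.51.100.20", "198.51.100.21", "198.51.100.22"]},
    {"name": "cloud-ntp", "proto": "UDP", "ports": ["123"], "action": "allow",
     "dst": ["*.ntp.example-cloud.test"]},           # wildcard domain, placeholder name
    {"name": "public-dns", "proto": "UDP", "ports": ["53"], "action": "allow",
     "dst": ["8.8.8.8"]},
    {"name": "internal-vpc", "proto": "ANY", "ports": ["1-65535"], "action": "allow",
     "dst": ["10.0.0.0/8"]},
    {"name": "default-deny", "proto": "ANY", "ports": ["1-65535"], "action": "deny",
     "dst": ["0.0.0.0/0", "*"]},                      # covers both IP and domain targets
]


def _port_matches(port, spec):
    """spec is '443' or a range such as '1-65535'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _dst_matches(dst, pattern):
    """dst is an IP address or a hostname; pattern is an IP, a CIDR, or a wildcard domain."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    if addr is not None:
        try:
            return addr in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False      # a domain pattern never matches a bare IP address
    return fnmatch(dst.lower(), pattern.lower())


def evaluate(rules, dst, proto, port):
    """Return (action, rule_name) of the first matching rule; an empty or
    non-matching rule set denies, mirroring an implicit default deny."""
    for rule in rules:
        if rule["proto"] not in ("ANY", proto):
            continue
        if not any(_port_matches(port, p) for p in rule["ports"]):
            continue
        if any(_dst_matches(dst, p) for p in rule["dst"]):
            return rule["action"], rule["name"]
    return "deny", "implicit-deny"


# Constructed outbound connections to evaluate, including a mining pool
# (placeholder hostname), a malware download to an unlisted address, and an
# attempt to reach the DNS address on a port the policy does not open.
SAMPLE_CONNECTIONS = [
    ("203.0.113.10", "TCP", 443),
    ("8.8.8.8", "UDP", 53),
    ("8.8.8.8", "TCP", 443),
    ("ntp1.ntp.example-cloud.test", "UDP", 123),
    ("pool.example-mining.test", "TCP", 3333),
    ("198.51.100.99", "TCP", 80),
    ("10.0.3.7", "TCP", 6379),
]


def audit(rules, connections):
    """Return [(dst, proto, port, action, rule_name)] for every connection."""
    return [(dst, proto, port) + evaluate(rules, dst, proto, port)
            for dst, proto, port in connections]


if __name__ == "__main__":
    for row in audit(RULES, SAMPLE_CONNECTIONS):
        print(row)
```

The rule order matters: the explicit default-deny row must stay last, and the internal-VPC allow is deliberately broad because the page's threat model is Internet-bound C&C and download traffic, not lateral movement, which the internal firewall and host-level controls handle.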
Mining worms spread on a large scale because common application vulnerabilities persist on the Internet, zero-day vulnerabilities appear frequently, and mining is an efficient way to monetize compromised hosts. Customers whose workloads are deployed on the cloud can put Cloud Firewall in front of their applications transparently to protect them against attacks from the Internet. Cloud Firewall uses the computing power of the cloud to keep up with the latest threats, draws on a threat intelligence network for protection against mining worms, and scales out as your business grows, so that you can focus on expanding your business.