Cloud Firewall:Best practices for defending against mining programs

Last Updated:Jan 17, 2026

Cloud Firewall defends against mining programs by detecting and blocking malicious traffic in real time. This topic uses a cloud environment as an example to explain how to combine Alibaba Cloud Firewall and Security Center for comprehensive protection against mining programs. It covers prevention, detection, and immediate remediation.

Limitations

  • Cloud Firewall limits by edition

    You must use Cloud Firewall Premium, Enterprise, or Ultimate Edition. Only these editions support the detection of and defense against mining programs; the Free Edition does not. For more information, see Purchase Cloud Firewall.

  • Security Center limits by edition

    The features of Security Center vary by edition. For more information, see Features.

Characteristics of mining programs

  • Mining programs drive the CPU to full load, which consumes a large amount of CPU resources and affects other applications that run on your server.

  • Mining programs behave much like computer worms. After a mining program intrudes into your server, it spreads to the other servers that are deployed in the same internal network, and then establishes persistence on each server it compromises.

  • Mining programs spread across multiple system services and are difficult to remove. They may reappear after removal, and system commands may be replaced with malicious scripts, so the system ends up running malware such as XOR DDoS. To prevent mining programs from reappearing, you must remove all trojans and persistent webshells from your server during the execution phase of the response.

How mining worms spread

The 2018 Cloud Mining Analysis Report from the Alibaba Cloud security team shows that over the past year, each wave of widely exploited 0-day vulnerabilities was followed by an explosive spread of mining worms. Mining worms can cause service interruptions by consuming system resources. Some mining worms, such as XBash, are also bundled with ransomware, which can lead to financial and data losses for businesses.

The Alibaba Cloud security team found that mining worms on the cloud primarily spread in the following ways:

  • Exploiting common vulnerabilities

    Over the past year, mining worms have commonly exploited widespread weaknesses in network applications, including configuration errors, weak passwords, and brute-force attacks against Secure Shell (SSH), Remote Desktop Protocol (RDP), and Telnet. The worms continuously scan the internet and attack reachable hosts to infect them.

  • Exploiting 0-day and N-day vulnerabilities

    Mining worms also exploit the window of opportunity before 0-day and N-day vulnerabilities are patched, which allows for rapid, large-scale infections.

Defense solutions for mining worms

The following list describes the defense solution and the related operations for each protection phase.

Preparation

  • Defense solution: Use the access control feature of Cloud Firewall to create access control policies that allow only trusted traffic.

    Related operations: Create outbound access control policies to allow trusted public IP addresses and deny all other IP addresses. For more information, see Access control policies.

  • Defense solution: Enable the threat engine in Cloud Firewall to promptly block mining behavior.

    Related operations: See Use Cloud Firewall to defend against mining worms.

  • Defense solution: Use the intrusion prevention feature of Cloud Firewall to effectively detect and block attack traffic.

    Related operations: See Intrusion prevention.

  • Defense solution: Use the proactive defense feature of Security Center to automatically block common viruses, malicious network connections, and web shell connections. This helps suppress mining events on ECS instances.

    Related operations: See Virus defense.

  • Defense solution: Use the security alert handling feature of Security Center to check for running mining programs or communication with miner pools on ECS instances.

    Related operations: See Evaluate and handle security alerts.

Execution phase

  • Defense solution: Use the breach awareness feature of Cloud Firewall to quickly detect mining programs.

    Related operations: On the Breach Detection page, you can locate specific events and outbound addresses in the list. For more information, see Use Cloud Firewall to detect mining worms.

  • Defense solution: Use the intrusion prevention feature of Cloud Firewall for immediate remediation.

    Related operations: Turn on the Basic Protection switch to block malicious file downloads. For more information, see How to use Cloud Firewall for immediate remediation after an intrusion.

  • Defense solution: Use Cloud Firewall access control policies to block mining connections.

    Related operations: Create an outbound access control policy to allow trusted public IP addresses and set access to miner pool addresses to Deny.

  • Defense solution: Use Cloud Firewall ATT&CK best practices.

    Related operations: Cloud Firewall provides features such as basic policies, virtual patches, and threat intelligence that cover various risks in the ATT&CK framework. For more information, see Cloud Firewall best practices based on ATT&CK to strengthen your network security.

Post-remediation phase

  • Defense solution: Use Security Center to trace the source of attacks from mining programs.

    Related operations: See View attack source analysis results.

If no mining communications or alerts appear within 7 days, the mining program or trojan has been successfully removed. For more information about query results, see Breach awareness.

Use Cloud Firewall to defend against mining worms

Defense against common vulnerabilities

  • For brute-force attacks by mining programs, such as attacks on SSH and RDP, the Basic Protection feature of Cloud Firewall uses standard detection methods. For example, it calculates thresholds for logon attempt frequency and restricts IP addresses that exceed these thresholds. It combines these thresholds with your access habits, access frequency, and behavior models so that normal access is not blocked while abnormal logons are restricted.

  • For common exploits, such as writing crontab entries through Redis or executing commands through database user-defined functions (UDFs), the Basic Protection feature leverages Alibaba Cloud's big data capabilities. It creates precise defense rules based on the large number of malicious attack samples collected by the Alibaba Cloud security team.
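The threshold-based logon restriction described in the first bullet can be modelled in a few lines. The following Python snippet is an added example; it is not part of the original page and not Cloud Firewall's own implementation. The sshd-style log lines are constructed, the log year is assumed, the threshold and window values are illustrative, and the `trusted_sources` parameter is a simplified stand-in for the "access habits" exemption the text mentions.

```python
# Added example (not Cloud Firewall code): sliding-window detection of
# logon brute forcing, one counter per source IP, with a trusted-source
# exemption so known-good hosts are never restricted.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real captures). Addresses are from
# documentation ranges.
SAMPLE_LOG = """\
Jan 17 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.9 port 50122 ssh2
Jan 17 10:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.9 port 50130 ssh2
Jan 17 10:00:04 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50131 ssh2
Jan 17 10:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.9 port 50140 ssh2
Jan 17 10:00:07 web01 sshd[1205]: Failed password for root from 203.0.113.9 port 50141 ssh2
Jan 17 10:00:09 web01 sshd[1206]: Failed password for root from 203.0.113.9 port 50150 ssh2
Jan 17 10:01:00 web01 sshd[1210]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
Jan 17 10:05:00 web01 sshd[1211]: Accepted publickey for deploy from 198.51.100.4 port 40002 ssh2
Jan 17 10:30:00 web01 sshd[1220]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2026):
    """Return (timestamp, failed, user, ip) or None for lines that are not logon events.
    syslog timestamps carry no year, so the year is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def find_brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60),
                             trusted_sources=()):
    """Return {ip: time_first_exceeded} for every source IP with more than
    `threshold` failed logons inside any sliding window of length `window`.
    Trusted sources are skipped, mirroring an access-habit exemption."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, _user, ip = parsed
        if not failed or ip in trusted_sources:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"restrict {ip}: threshold exceeded at {when:%H:%M:%S}")
```

With the defaults, the burst from 203.0.113.9 is flagged on its sixth failure, while the two failures from 198.51.100.4 half an hour apart are not; widening the window to an hour flags that host too, which is why the window and threshold must be tuned to the expected logon pattern rather than set once.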

To enable the Basic Protection feature of Cloud Firewall and defend against common vulnerabilities, perform the following steps:

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Prevention Configuration > IPS Configuration.

  3. On the Internet Border tab, set Threat Engine Mode to Blocking Mode - Loose.

  4. On the Internet Border > Basic Protection tab, turn on the Basic Protection feature.

  5. In the navigation pane on the left, choose Detection and Response > IPS. On the IPS page, you can view detailed block logs in the data list.

Defense against 0-day and N-day vulnerabilities

Unpatched 0-day and N-day vulnerabilities pose a high risk of being exploited by mining programs. Cloud Firewall uses honeypots deployed across the network to analyze unusual attack traffic. It also obtains vulnerability intelligence from the Alibaba Cloud Threat Intelligence Platform. This allows Cloud Firewall to promptly discover 0-day and N-day vulnerabilities, obtain their proofs of concept (PoCs) or exploits, and create virtual patches. This provides a time advantage in defending against attacks.

To enable the virtual patching feature of Cloud Firewall and defend against 0-day and N-day vulnerabilities, perform the following steps:

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Prevention Configuration > IPS Configuration.

  3. On the Virtual Patching tab, turn on the Virtual Patching feature. You can then view or manage the virtual patching rules in the list.

Use Cloud Firewall to detect mining worms

Even with intrusion prevention measures at the public network border, your assets can still be infected by mining programs. For example, mining programs can spread directly from a development machine to the production network over a VPN. If OS images or Docker images used for operations and maintenance (O&M) are already infected with a mining virus, a large-scale outbreak can occur.

Cloud Firewall provides the Breach Detection feature, which is powered by Network Traffic Analysis (NTA). This feature can promptly and effectively discover mining program infection events. Using a powerful threat intelligence network on the cloud, Cloud Firewall can identify the miner pool addresses of common cryptocurrencies, detect mining trojan downloads, and identify common miner pool communication protocols. It recognizes host mining behavior in real time and sends alerts promptly.

You can enable Quick Blocking in the Breach Detection feature of Cloud Firewall to detect mining programs. This feature also blocks communication between mining trojans and miner pools at the network level. To enable one-click intrusion detection and blocking in Cloud Firewall, perform the following steps:

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Detection and Response > Breach Detection.

  3. On the Breach Detection page, locate a specific event in the list and click Details in the Actions column.

    In the Event Details panel, you can view the outbound address of the mining program.

  4. Log on to the server where the mining program was detected. Then, locate the mining process and remove it.
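The two detection signals the Breach Detection description above relies on, a known miner pool destination and a recognizable miner pool protocol, can be reproduced on outbound flow records. The following Python snippet is an added example, not code from the page or from Cloud Firewall; the pool indicators are placeholders rather than real IoCs, and the flow records and payloads are constructed. Stratum itself is a public, newline-delimited JSON-RPC protocol, so the method names used for matching are real, but the indicator set would in practice come from threat intelligence rather than a hard-coded set.

```python
# Added example (not Cloud Firewall code): flag outbound flows that either go to
# a known miner pool destination or carry a Stratum mining handshake.
import json

# Constructed placeholder indicators (NOT real IoCs): one pool IP, one pool domain.
POOL_INDICATORS = {"198.51.100.77", "pool.example-miner.invalid"}

# Stratum JSON-RPC methods used by common miners. "mining.*" is the classic
# Bitcoin-style dialect; "login"/"submit" is the Monero-style dialect.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}


def looks_like_stratum(payload: bytes) -> bool:
    """Stratum clients send one JSON-RPC object per line; inspect the first line
    of the client's payload for a mining method name."""
    first = payload.split(b"\n", 1)[0]
    try:
        msg = json.loads(first.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):   # binary or non-JSON traffic
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def classify_flow(flow):
    """Return the list of reasons a single outbound flow is suspicious (empty if none)."""
    reasons = []
    if flow["dst"] in POOL_INDICATORS:
        reasons.append("known miner pool destination")
    if looks_like_stratum(flow["payload"]):
        reasons.append("stratum mining protocol")
    return reasons


def detect_mining(flows):
    """Map each internal source host to the set of reasons its traffic was flagged."""
    alerts = {}
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            alerts.setdefault(flow["src"], set()).update(reasons)
    return alerts


# Constructed flow records: src host, destination, port, first client payload bytes.
SAMPLE_FLOWS = [
    # Ordinary DNS query: binary payload, never parses as JSON.
    {"src": "10.0.0.5", "dst": "8.8.8.8", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"},
    # Monero-style Stratum login to the placeholder pool address: both signals fire.
    {"src": "10.0.0.7", "dst": "198.51.100.77", "dport": 3333,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login",'
                b'"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/1.0"}}\n'},
    # Classic Stratum subscribe to an address not yet in the indicator set:
    # only the protocol signal fires, which is the case intelligence alone would miss.
    {"src": "10.0.0.9", "dst": "203.0.113.40", "dport": 4444,
     "payload": b'{"id":1,"method":"mining.subscribe","params":["miner/1.0"]}\n'},
    # Legitimate JSON-RPC API call: JSON, but not a mining method.
    {"src": "10.0.0.11", "dst": "203.0.113.41", "dport": 8545,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"getStatus","params":[]}\n'},
]

if __name__ == "__main__":
    for src, reasons in detect_mining(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(sorted(reasons))}")
```

The third flow is the interesting one: its destination is unknown to the indicator set, so only the protocol match catches it, which is why a detection engine needs both address intelligence and protocol recognition. The source hosts in the returned map are the ones to log on to in step 4.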

How to use Cloud Firewall for immediate remediation after an intrusion

If a server is infected with a mining program, Cloud Firewall can control its spread and reduce business and data losses in three ways: blocking malicious file downloads, intercepting command and control communications, and strengthening access control for key business areas.

  • Block malicious file downloads

    Servers infected with mining programs often download additional malicious files. The Cloud Firewall Basic Protection feature includes a malicious file detection capability. It provides real-time updates of unique signatures and fuzzy file hashes for various malicious files from common mining programs. When a mining program successfully intrudes and attempts to download updated attack payloads, Cloud Firewall performs security checks on the files being downloaded. These checks include file restoration and signature matching within the traffic. If an attempt to download a malicious file is detected, an alert is generated and the download is blocked.

    On the Internet Border > Basic Protection tab of the IPS Configuration page, you can turn on the Basic Protection switch to block malicious file downloads.

  • Intercept command and control communications

    After a mining program infection, the program may communicate with a command and control (C&C) server to receive further malicious instructions or to exfiltrate sensitive data. The Basic Protection feature of Cloud Firewall intercepts this behavior in real time in the following ways:

    • It analyzes and monitors network-wide program data and C&C server communication traffic to characterize unusual communication traffic and create C&C communication detection signatures. By continuously monitoring changes in C&C communications and extracting attack signatures, it ensures the timely detection of attack behavior.

    • It automatically learns from historical traffic access information to build unusual traffic detection models and uncover information about potential unknown mining programs.

    • It uses big data visualization technology to profile IP access behavior across the entire network. It also uses machine learning to discover unusual IP addresses and access domains. It then correlates this information with network-wide attack data to create a C&C threat intelligence library. This allows it to match server traffic against the intelligence and block malicious C&C connections in real time.

    You can turn on the IPS Configuration > Internet Border > Basic Protection feature of Cloud Firewall to intercept C&C communications.

  • Enable strong access control for key business areas

    Key business services often need to expose services or ports to the internet. Scans and attacks from the internet threaten these assets, and fine-grained control over inbound access is difficult to implement. For outbound connections initiated from an ECS instance, an EIP, or an internal network, however, the number of destination domain names or IP addresses is usually small and controllable, because these connections are normally for legitimate access. Therefore, outbound domain name or IP access control effectively prevents a compromised ECS host from fetching mining trojans from malicious domain names or communicating with C&C servers.

    Cloud Firewall supports setting access control rules for destination domain names, including wildcard domain names, and IP addresses. For the security of key business areas, you can configure a strong, granular Outbound access control policy. This policy ensures that important business ports only allow access to specific domain names or IP addresses, while all other access is denied. This action can effectively prevent the download and external spread of mining programs and stop their persistence and monetization after an intrusion.

    For example, if an internal network needs outbound access to a total of six IP addresses, where all Network Time Protocol (NTP) services are identified as Alibaba Cloud products and the Domain Name System (DNS) resolver is the well-known 8.8.8.8, you can follow Cloud Firewall's security recommendations to allow these six IP addresses and deny all other IP access. This configuration blocks other outbound connection behaviors, such as malicious downloads and C&C communications, without affecting normal business access.

    On the Outbound tab of the Access Control > Internet Firewall page in the Cloud Firewall console, you can create an outbound access control policy that allows trusted public IP addresses and denies all other IP access.
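The allow-a-few-then-deny-all outbound policy from the example above is easy to get subtly wrong (a missing port restriction, a wildcard that matches more than intended, no catch-all deny), so it helps to evaluate candidate flows against the rule set before deploying it. The following Python snippet is an added example, not code from the page or from Cloud Firewall, and it does not use the Cloud Firewall API: the rule format, the wildcard semantics, and the port field are modelling assumptions, and the NTP addresses, the mirror domain, and the flows are constructed placeholders.

```python
# Added example (not Cloud Firewall code): evaluate constructed outbound flows
# against an ordered allowlist that ends in a catch-all deny.
import fnmatch
import ipaddress

# Constructed policy following the page's example. "port": None means any port.
# The NTP addresses are placeholders from a documentation range, not real
# Alibaba Cloud NTP servers; the mirror domain is a placeholder as well.
OUTBOUND_POLICY = [
    {"action": "allow", "type": "net",    "dest": "8.8.8.8/32",          "port": 53,   "desc": "DNS resolver"},
    {"action": "allow", "type": "net",    "dest": "192.0.2.10/32",       "port": 123,  "desc": "NTP (placeholder)"},
    {"action": "allow", "type": "net",    "dest": "192.0.2.11/32",       "port": 123,  "desc": "NTP (placeholder)"},
    {"action": "allow", "type": "domain", "dest": "*.update.example.com", "port": 443, "desc": "package mirror (placeholder)"},
    {"action": "deny",  "type": "net",    "dest": "0.0.0.0/0",           "port": None, "desc": "deny all other outbound"},
]


def dest_matches(rule, flow):
    """Network rules match on the destination IP; domain rules match on the
    resolved/SNI domain. Modelling assumption: "*.example.com" matches
    subdomains only, never the apex domain itself."""
    if rule["type"] == "net":
        return ipaddress.ip_address(flow["dst_ip"]) in ipaddress.ip_network(rule["dest"])
    domain = flow.get("dst_domain")
    return domain is not None and fnmatch.fnmatchcase(domain, rule["dest"])


def port_matches(rule, flow):
    return rule["port"] is None or rule["port"] == flow["dst_port"]


def evaluate(policy, flow):
    """Return (action, description) of the first rule that matches the flow.
    A policy without a catch-all still denies by default."""
    for rule in policy:
        if dest_matches(rule, flow) and port_matches(rule, flow):
            return rule["action"], rule["desc"]
    return "deny", "implicit default deny"


def audit(policy, flows):
    """Evaluate every flow and return a list of (src, destination, action, reason)."""
    report = []
    for flow in flows:
        action, why = evaluate(policy, flow)
        target = flow.get("dst_domain") or flow["dst_ip"]
        report.append((flow["src"], f"{target}:{flow['dst_port']}", action, why))
    return report


# Constructed flows covering the cases the policy must get right.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_ip": "8.8.8.8",      "dst_domain": None,                        "dst_port": 53},    # allowed DNS
    {"src": "10.0.0.5", "dst_ip": "192.0.2.10",   "dst_domain": None,                        "dst_port": 123},   # allowed NTP
    {"src": "10.0.0.7", "dst_ip": "203.0.113.5",  "dst_domain": "mirror.update.example.com", "dst_port": 443},   # allowed by wildcard
    {"src": "10.0.0.7", "dst_ip": "203.0.113.6",  "dst_domain": "update.example.com",        "dst_port": 443},   # apex, not matched
    {"src": "10.0.0.9", "dst_ip": "203.0.113.50", "dst_domain": "pool.miner.invalid",        "dst_port": 3333},  # denied
    {"src": "10.0.0.9", "dst_ip": "8.8.8.8",      "dst_domain": None,                        "dst_port": 443},   # right IP, wrong port
]

if __name__ == "__main__":
    for src, target, action, why in audit(OUTBOUND_POLICY, SAMPLE_FLOWS):
        print(f"{src} -> {target}: {action} ({why})")
```

Two of the sample flows show why port scoping matters: a connection to the DNS resolver on 443 is denied even though the address is on the allowlist, and the apex domain is denied because the wildcard was written to cover subdomains only. Run the audit again whenever a rule is added so that the catch-all deny is still the last rule and nothing unexpected has become reachable.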

Mining programs are spreading on a large scale because of persistent common application vulnerabilities on the internet, the frequent emergence of 0-day vulnerabilities, and the high efficiency of mining monetization. Cloud customers can transparently connect to Cloud Firewall to protect their applications from various malicious attacks on the internet. Relying on massive cloud computing capabilities, Cloud Firewall can detect the latest attack threats faster and leverage network-wide threat intelligence to protect users from mining program threats. Cloud Firewall can scale elastically with your business, allowing you to focus on business expansion without dedicating extra resources to security.