Protecting Resources by Thwarting Cryptomining Malware

Threat

Modern IT-environments should follow industry best practices and consistently apply updates to running software in order to manage the threat exposure and vulnerabilities. This can be done via regular software update systems or using a client’s own application for CI/CD implementations.

However, this can make commercial and open-source software providers a high-effort, but also high-volume, high-reward targets for attackers. By compromising the supply chain of such providers and injecting malicious code into the otherwise legitimate software, attackers quickly gain foothold in the companies that use and trust the affected software. While the purpose of such compromises can be governmental or Industry espionage, it can also be used to take over your resources for the sake of commercial gains.

Scenario

A company can perform GitHub updates of commonly used open-source software without suspecting that an attacker had successfully injected malicious code into the legitimate software. When the compromised software is deployed cross the client’s cloud environment. there may be no apparent signs of a successful attack except all hosts running the software experienced an increase in CPU utilization.

While there can be a many legitimate reasons for increased CPU utilization, in this example, the company’s assets were being used by the attacker to perform cryptojacking (unauthorized illegal cryptomining) of the privacy-focused currency Monero.

Consequences Avoided

While the company’s systems and other security controls in place may not be able to discover this compromise, CTS-AI can swiftly identify suspicious activity including combinations of not seen before cyclic behavior and connections to rare top level domains (TLD). CTS-AI self-learning behavioral capabilities can detect when compromised systems performed regular check-ins to their Command-and-Control (C2) servers seeking further instructions from the attacker.

The result is instant cost-saving by detecting and enabling the CTS-AI client to efficiently respond to the running Cryptomining software and to return resource utilization to normal levels. CTS-AI also plays a key role in prohibiting attackers from pivoting to other exploits of the compromised systems. It prevents them from establishing a beach head to move laterally within the client environment to compromise additional systems or to create a staging environment for attacking other systems on the internet.