Skip to main content

Potential Cryptomining Attack on Host

This alert occurs when Lacework detects unauthorized cryptocurrency mining on your host.

Why this Alert is Important

Crypto-mining attack presents a unique set of cybersecurity challenges and may also indicate poor overall cybersecurity.

Investigation

The following are characteristics of a cryptomining attack:

  • Cryptomining attacks usually take control of servers because they are left on indefinitely.
  • Cryptomining can affect server performance.
  • Malicious cryptomining is usually injected by taking advantage of exploits. In many cases, cryptomining uses the EternalBlue exploit that was used by WannaCry malware.

Resolution

Implement the following best practices to lower your risk of cryptomining:

  • Always monitor network activity to identify any unusual activity, as compromised systems often reach out to the broader pool it belongs.
  • Leverage anti-phishing solutions that help protect credentials and malicious file downloads.
  • Activate intelligent website blocklisting to block known bad websites.
  • Make sure all systems are patched regularly and thoroughly to remediate known vulnerabilities and entry points.
  • Update malware defense strategy as well; never use outdated anti-malware or EDR solutions.
  • Go beyond intrusion detection to protect servers with runtime memory protection for critical applications and server workloads, ensure a defense against actors who already have a grip on your server.