This topic uses an off-premises environment as an example to explain how Alibaba Cloud Cloud Firewall defends against mining worms through early prevention, detection, and damage control.

According to the 2018 Cryptocurrency Mining Hijacker Report released by the Alibaba Cloud security team, each round of popular zero-day attacks was accompanied by outbreaks of mining worms. Mining worms interrupt businesses by occupying system resources and can even carry ransomware, such as XBash. Mining worms can lead to financial and data losses for infected enterprises.

How do mining worms spread?

The Alibaba Cloud security team has observed that mining worms spread by exploiting common vulnerabilities on the network and popular zero-day or N-day vulnerabilities.

  • Exploit common vulnerabilities

    In the past year, mining worms exploited common weaknesses in network applications, such as configuration errors and weak passwords, to continuously scan the Internet, launch attacks, and compromise hosts.

    The following table lists common vulnerabilities that have been recently exploited by active mining worms.
    Common vulnerability                               Mining worm family
    Brute-force attack against SSH, RDP, and Telnet    MyKings and RDPMiner
    Write data to Crontab in Redis to run commands     DDG, Watchdogs, Kworkerd, and 8220 mining group
    Use UDF to run commands in MySQL and SQL Server    Bulehero, MyKings, and ProtonMiner
    Run commands in Apache CouchDB                     8220 mining group
  • Exploit zero-day and N-day vulnerabilities

    Mining worms also exploit zero-day and N-day vulnerabilities to compromise large numbers of hosts before the vulnerabilities are fixed.

    The following table lists popular zero-day and N-day vulnerabilities that have been recently exploited by active mining worms.
    Mining worm family                     Vulnerability
    iBus                                   Arbitrary code execution vulnerability in ThinkPHP V5 series
                                           Arbitrary code execution vulnerability in Apache ActiveMQ (CVE-2015-5254)
    Watchdogs (ksoftirqds and kerberods)   Remote command execution vulnerability in Confluence (CVE-2019-3396)
    Watchdogs                              Remote code execution vulnerability in Nexus Repository Manager 3 (CVE-2019-7238)
                                           Arbitrary code execution vulnerability in ThinkPHP V5 series
    8220 mining group                      Deserialization vulnerability in the WLS Security component of WebLogic (CVE-2017-10271)
                                           Remote code execution vulnerability in Drupal (CVE-2018-7600)
                                           Deserialization command execution vulnerability in JBoss 5.x and JBoss 6.x (CVE-2017-12149)
    MyKings                                MS17-010 EternalBlue (CVE-2017-0143)
    Bulehero                               Arbitrary code execution vulnerability in ThinkPHP V5 series
                                           Remote code execution vulnerability in Tomcat (CVE-2017-12615)
                                           Deserialization vulnerability in the WLS Security component of WebLogic (CVE-2017-10271)
    WannaMine                              MS17-010 EternalBlue (CVE-2017-0143)
    Sefa                                   Arbitrary code execution vulnerability in ThinkPHP V5 series
    ProtonMiner                            Unauthorized access vulnerability in Hadoop YARN
                                           Remote code execution vulnerability in Drupal (CVE-2018-7600)
                                           Command execution vulnerability in Elasticsearch (CVE-2014-3120)
                                           Deserialization vulnerability in the WLS Security component of WebLogic (CVE-2017-10271)
    Satan                                  Remote code execution vulnerability in Tomcat (CVE-2017-12615)
                                           Deserialization command execution vulnerability in JBoss 5.x and JBoss 6.x (CVE-2017-12149)
                                           Deserialization vulnerability in the WLS Security component of WebLogic (CVE-2017-10271)

How does Cloud Firewall defend against mining worms?

Cloud Firewall of Alibaba Cloud is the first SaaS-based firewall product in the industry to defend against these two types of vulnerabilities in the public cloud environment. It detects and blocks malicious traffic entering or leaving the off-premises environment in real time, and enterprises can connect their applications to it transparently.

  • Protect against common vulnerabilities

    Cloud Firewall Basic Protection uses conventional threshold-based methods to detect the brute-force attacks that mining worms launch against protocols such as SSH and RDP. For example, it counts logon attempts per source IP address against a frequency threshold and blocks the IP addresses that exceed it. In addition, it combines your normal access patterns and frequencies with behavior models to block unusual logons while leaving normal access unobstructed.

    For some common vulnerabilities, such as writing data to Crontab in Redis to run commands and using UDF to run commands in databases, Cloud Firewall Basic Protection uses Alibaba Cloud big data analysis to create precise defense rules from the malicious attack samples that the Alibaba Cloud security team has accumulated in off-premises defense.

    You can defend against common vulnerabilities by enabling the basic protection feature.

    Enable the basic protection feature
    1. Log on to the Cloud Firewall console.
    2. In the left-side navigation pane, choose Security Policies > Intrusion Prevention. The Intrusion Prevention page appears.
    3. Turn on Basic Policies and Threat Intelligence.
    4. In the left-side navigation pane, click Traffic Analysis. On the Traffic Analysis page that appears, click the IPS Analysis tab to view detailed interception logs.
  • Protect against zero-day and N-day vulnerabilities

    Popular zero-day and N-day vulnerabilities cannot be fixed promptly, which puts hosts at high risk of being compromised by mining worms. Cloud Firewall analyzes attack traffic by using honeypots deployed across the network and shares vulnerability intelligence with the Alibaba Cloud Crowdsourced Security Testing Platform. This way, Cloud Firewall can promptly detect zero-day and N-day exploits, obtain the proofs of concept (POCs) and exploits for these vulnerabilities, and generate virtual patches in advance.

    You can defend against zero-day and N-day vulnerabilities by enabling virtual patches.

    Enable the virtual patches feature
    1. Log on to the Cloud Firewall console.
    2. In the left-side navigation pane, choose Security Policies > Intrusion Prevention. The Intrusion Prevention page appears.
    3. Turn on Patches in the Virtual Patches section.
    4. Click Customize in the lower-right corner of the Virtual Patches section. In the Customize Virtual Patches Policies dialog box that appears, you can view and manage the virtual patches that are enabled.
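As an added example, not code from the Alibaba Cloud documentation or product, this is the threshold-based brute-force detection described under "Protect against common vulnerabilities" above, applied to constructed sshd-style log lines: failed logons are counted per source IP address inside a sliding window, and sources that exceed the threshold are flagged for blocking while a user with a single mistyped password is left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (sample input, not real traffic).
SAMPLE_LOG = """\
2019-06-01T10:00:01 host sshd[123]: Failed password for root from 203.0.113.7 port 51000 ssh2
2019-06-01T10:00:02 host sshd[123]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2019-06-01T10:00:03 host sshd[123]: Failed password for root from 203.0.113.7 port 51002 ssh2
2019-06-01T10:00:04 host sshd[123]: Failed password for test from 203.0.113.7 port 51003 ssh2
2019-06-01T10:00:05 host sshd[123]: Failed password for root from 203.0.113.7 port 51004 ssh2
2019-06-01T10:00:06 host sshd[123]: Failed password for oracle from 203.0.113.7 port 51005 ssh2
2019-06-01T10:00:30 host sshd[124]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2019-06-01T10:00:45 host sshd[125]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
2019-06-01T10:20:00 host sshd[126]: Failed password for bob from 198.51.100.20 port 40002 ssh2
"""

FAILED_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+) port")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: time_first_exceeded} for every source whose failed
    logons exceed `threshold` inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:                 # successful logons and other lines are ignored
            continue
        ts, source_ip = datetime.fromisoformat(m.group(1)), m.group(3)
        failures = recent[source_ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if len(failures) > threshold and source_ip not in flagged:
            flagged[source_ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip}: threshold exceeded at {when.isoformat()}")
```

The legitimate user at 198.51.100.20 is never flagged, even with threshold=1, because her two failures fall in different one-minute windows.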

How does Cloud Firewall detect mining worms?

Check principle

Even if the public network boundary is well protected against intrusion, hosts may still be infected by mining worms. For example, mining worms can be carried directly from a development machine into the production network over a VPN, and large-scale host intrusion can result when system images and Docker images implanted with mining malware are used for O&M.

With the Intrusion Detection feature provided by Network Traffic Analysis (NTA), Cloud Firewall can effectively detect host intrusion events.

Cloud Firewall uses a powerful threat intelligence network to discover the mining pool addresses of common cryptocurrencies, the download behavior of mining trojans, and the common communication protocols of mining pools. With this intelligence, it identifies mining behavior on hosts in real time and raises alerts.

You can detect mining worms and block the communication between mining trojans and mining pools on the network by turning on Auto Blocking on the Intrusion Detection page.

Enable the Auto Blocking feature
  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, click Traffic Analysis. On the Traffic Analysis page that appears, click the Intrusion Detection tab.
  3. Click View Details in the Actions column of an event. On the Details page that appears, turn on Auto Blocking in the Block section.

    Based on the external address displayed on the Details page, you can locate the corresponding process on the host and clean it up.

How do you use Cloud Firewall to perform immediate damage control on compromised servers?

If a server is compromised by mining worms, Cloud Firewall can further control the spread of these worms and reduce losses by blocking downloads of malicious files, intercepting the communication between command and control (C&C) servers and mining worms, and enabling enhanced access control in key business areas.

  • Block downloads of malicious files

    Cloud Firewall Basic Protection updates the unique signatures and fuzzy hashes of mining worm-related files in real time. When mining worms compromise a server and download further attack payloads, Basic Protection reassembles the downloaded files from the traffic and matches them against these signatures, triggers an alert when the server attempts to download a malicious file, and blocks the download.

    Blocking downloads of malicious files is one of the key functions of Basic Protection. A server usually downloads malicious files after it is compromised by mining worms. With its malicious file detection capability, Basic Protection inspects the files downloaded to the server in the traffic, triggers an alert when the server attempts to download a malicious file, and blocks the download.


    You can block downloads of malicious files by turning on Basic Policies on the Intrusion Prevention page.

  • Intercept communication between C&C servers and mining worms
    When mining worms compromise a server, they may communicate with a C&C server to receive further instructions or leak sensitive data. In such cases, Cloud Firewall Basic Protection intercepts the communication in real time as follows:
    • Basic Protection analyzes and monitors network-wide worm data and C&C server traffic to characterize unusual communication and extract the features of traffic between C&C servers and mining worms. By monitoring changes in this communication in real time, it continuously extracts new attack features so that attack behavior is detected promptly.
    • Basic Protection builds an unusual traffic detection model that automatically learns from historical traffic access information to uncover potential mining worm activity.
    • Basic Protection builds a library of C&C server threat intelligence by mapping the access behavior of IP addresses across the network with big data visualization technology, discovering suspicious IP addresses and domains with machine learning, and correlating network-wide attack data. Server traffic is then matched against this intelligence, and malicious communication between C&C servers and mining worms is blocked.
    The following figure shows the records of C&C communication intercepted by Basic Protection and Threat Intelligence.
    Figure: Basic Protection and Threat Intelligence

    You can intercept the communication between C&C servers and mining worms by turning on Basic Policies on the Intrusion Prevention page.

  • Enable enhanced access control in key business areas

    To meet business needs, enterprises usually have to keep key services or ports open to the entire public network. However, worms on the Internet constantly scan and attack enterprise assets, which makes fine-grained control of inbound access from the public network challenging. By contrast, when an ECS instance, EIP, or internal network accesses public services such as DNS and NTP, the set of destination domain names and IP addresses is small and controllable because such outbound access is usually legitimate; some enterprises only need a few specific IP addresses or domain names. By restricting the domain names or IP addresses allowed for outbound access, enterprises can prevent compromised ECS instances from downloading mining trojans from suspicious domains and block the communication between trojans and C&C servers.

    Cloud Firewall supports access control by domain name (including wildcard domain names) and by IP address. For key services, enterprises can configure fine-grained Outbound Policies so that key ports are open only to specific domain names or IP addresses. Such policies effectively prevent the download and spread of mining worms and keep mining worms from persisting and continuing their malicious actions.

    Assume that the internal network uses a total of six IP addresses for external access, that all NTP services are Alibaba Cloud services, and that the DNS server address is 8.8.8.8. In this scenario, following the security recommendations of Cloud Firewall, enterprises can allow the access requests from the preceding six IP addresses and reject the access requests from all other IP addresses. This configuration prevents malicious downloads and outbound C&C connections without affecting normal business access.

    In the left-side navigation pane, choose Security Policies > Access Control. On the Access Control page that appears, click the Internet Firewall tab. You can allow the access requests from the authorized IP addresses and reject the access requests from all other IP addresses by setting Outbound Policies.
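As an added example, not the product's own implementation, the following outbound policy evaluator models the scenario above with the six addresses treated as the only allowed outbound destinations: 8.8.8.8 (the DNS server from the page) plus five constructed placeholder NTP addresses standing in for the Alibaba Cloud NTP servers, each on its service port, a wildcard domain rule of the kind the page mentions (assumed vendor mirror), and a final rule that rejects everything else. The permissive policy beside it shows what an outbound rule open to the whole Internet lets through.

```python
import ipaddress
from fnmatch import fnmatchcase

def _rule_matches(rule, dest_ip, dest_port, dest_domain):
    """True when the port is covered and any destination entry matches."""
    if rule["ports"] is not None and dest_port not in rule["ports"]:
        return False
    for target in rule["dests"]:
        if target == "*":                      # any destination
            return True
        if "/" in target:                      # CIDR block
            if ipaddress.ip_address(dest_ip) in ipaddress.ip_network(target):
                return True
        elif dest_domain is not None and fnmatchcase(dest_domain, target):
            return True                        # domain rule, wildcards allowed
    return False

def evaluate_outbound(policy, dest_ip, dest_port, dest_domain=None):
    """First matching rule wins; no match at all means deny."""
    for rule in policy:
        if _rule_matches(rule, dest_ip, dest_port, dest_domain):
            return rule["action"]
    return "deny"

# Weak baseline: outbound traffic is allowed to any destination on any port.
PERMISSIVE_POLICY = [{"dests": ["*"], "ports": None, "action": "allow"}]

# Hardened policy for the scenario above. 8.8.8.8 is the page's DNS server; the
# NTP addresses are constructed TEST-NET-3 placeholders, not Alibaba Cloud's real ones.
HARDENED_POLICY = [
    {"dests": ["8.8.8.8/32"], "ports": {53}, "action": "allow"},
    {"dests": ["203.0.113.1/32", "203.0.113.2/32", "203.0.113.3/32",
               "203.0.113.4/32", "203.0.113.5/32"], "ports": {123}, "action": "allow"},
    {"dests": ["*.update.example.com"], "ports": {443}, "action": "allow"},  # assumed mirror
    {"dests": ["*"], "ports": None, "action": "deny"},                        # reject the rest
]

# Constructed outbound flows: (label, destination IP, port, resolved domain or None).
SAMPLE_FLOWS = [
    ("dns", "8.8.8.8", 53, None),
    ("ntp", "203.0.113.3", 123, None),
    ("patch", "198.51.100.9", 443, "mirror.update.example.com"),
    ("dropper", "198.51.100.66", 80, "files.example.net"),  # trojan download attempt
    ("cnc", "192.0.2.77", 4444, None),                       # C&C callback attempt
]

def classify_flows(policy, flows=SAMPLE_FLOWS):
    """Map each flow label to the action the policy takes on it."""
    return {label: evaluate_outbound(policy, ip, port, domain)
            for label, ip, port, domain in flows}
```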

Mining worms spread on a large scale because common application vulnerabilities persist on the Internet, zero-day vulnerabilities appear frequently, and mining activity is monetized highly efficiently. Off-premises users can connect to Cloud Firewall transparently to protect their applications against various attacks from the Internet. Backed by massive off-premises computing power, Cloud Firewall detects the latest attack threats and connects to a threat intelligence network to provide you with optimal protection from mining worms. Additionally, Cloud Firewall scales as your business grows, so you can focus on business expansion without devoting a great deal of time to security.