Cloud Firewall defends against mining worms by detecting and blocking malicious traffic in real time. This document explains how to use Cloud Firewall and Security Center to protect your cloud environment through prevention, detection, and incident response.
Limitations
-
Cloud Firewall edition
Mining worm detection and defense is available only in the Premium, Enterprise, or Ultimate editions of Cloud Firewall. For more information, see Purchase Cloud Firewall.
-
Security Center edition
The features available in Security Center vary by edition. For more information, see Features.
How mining worms spread
The Alibaba Cloud security team's 2018 Cloud Cryptomining Analysis Report found that major waves of 0-day vulnerabilities are typically followed by rapid outbreaks of mining worms. These worms disrupt business by consuming system resources. Some, like XBash, are even bundled with ransomware, causing financial and data loss.
The Alibaba Cloud security team found that mining worms in the cloud spread primarily by exploiting the following vulnerabilities:
-
Exploitation of common vulnerabilities
Mining worms exploit common application vulnerabilities, such as misconfigurations and weak passwords. They also use brute-force attacks against services like SSH, RDP, and Telnet to scan for and infect new hosts.
-
Exploitation of 0-day and N-day vulnerabilities
Mining worms also exploit the gap between the discovery and patching of 0-day and N-day vulnerabilities, enabling rapid, large-scale infections.
Defense strategy
|
Phase |
Solution |
Actions |
|
Prevention |
Create access control policies in Cloud Firewall to allow only trusted traffic. |
Create an outbound access control policy to allow traffic to trusted public IP addresses and deny all other traffic. For more information, see Access control policies. |
|
Enable the Threat Engine in Cloud Firewall to block mining activities. |
||
|
Use the Intrusion Prevention feature of Cloud Firewall to detect and block attack traffic. |
||
|
Use the antivirus feature in Security Center to automatically block viruses, malicious connections, and webshells, preventing mining incidents on your ECS instances. |
||
|
Handle security alerts in Security Center to detect mining programs and communication with mining pools on your ECS instances. |
||
|
Detection and response |
Use the Breach Awareness feature of Cloud Firewall to quickly detect mining worms. |
On the Breach Detection page, you can identify specific events and the external addresses they connect to. For more information, see Use Cloud Firewall to detect mining worms. |
|
Use the Intrusion Prevention feature of Cloud Firewall for rapid threat containment. |
Enable Basic Protection in Cloud Firewall to block malicious file downloads. For more information, see How to use Cloud Firewall for rapid threat containment after an intrusion. |
|
|
Use Cloud Firewall access control policies to block cryptomining connections. |
Create an outbound access control policy to allow traffic to trusted public IP addresses and set the action for traffic to mining pool addresses to Deny. |
|
|
Follow Cloud Firewall best practices based on the ATT&CK framework. |
Cloud Firewall provides features such as basic rules, virtual patching, and threat intelligence that cover various risks in the ATT&CK framework. We recommend that you follow the Cloud Firewall best practices based on the ATT&CK framework to enhance your network security. |
|
|
Post-intrusion |
Use Security Center to trace the attack source of the mining virus. |
View attack source analysis results If no related communications are detected or alerts are generated within seven days, the mining virus or trojan has been removed. For more information about how to view query results, see Breach Awareness. |
Defending against mining worms with Cloud Firewall
Defense against common vulnerabilities
-
To defend against a brute-force attack, such as those targeting SSH and RDP, the Basic Protection feature of Cloud Firewall includes conventional brute-force attack detection. It calculates thresholds for login attempts and failures, and if an IP address exceeds the threshold, it is blocked. This feature uses behavioral models based on your access habits to block abnormal logins without interrupting legitimate access.
-
For common exploits, such as using Redis to write cron jobs or using database UDFs for command execution, the Basic Protection feature uses Alibaba Cloud's extensive attack sample library to create precise defense rules.
To enable Basic Protection and defend against common vulnerabilities, follow these steps:
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, choose .
-
On the Internet Border tab, set Threat Engine Mode to Blocking Mode - Loose.
-
On the tab, turn on the Basic Protection switch.
-
In the left-side navigation pane, choose . On the IPS page, view detailed blocking logs in the list.
Defense against 0-day and N-day vulnerabilities
If popular 0-day and N-day vulnerabilities are not patched in time, the risk of infection by mining worms increases significantly. Cloud Firewall uses a network of deployed honeypots to analyze suspicious attack traffic and gathers vulnerability intelligence from the Alibaba Cloud Security Crowdsourcing Platform. This process enables the timely discovery of exploits, acquisition of PoCs, and creation of virtual patches, giving you a critical advantage against attackers.
You can enable virtual patching to defend against 0-day and N-day vulnerabilities. To do this, perform the following steps:
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, choose .
-
On the Virtual Patching tab, turn on the Virtual Patching switch. You can then view and manage virtual patching rules in the list.
After you enable this feature, the top of the page displays rule statistics, such as the total number of rules, number of enabled/disabled rules, number of high-risk vulnerabilities, and number of currently blocked attacks, as well as the rule library version. You can filter rules by criteria such as Risk Level, Attack Type, Attack Target, Status, Supported Engine Mode, and Current Action. The rule list includes information such as Rule ID, Rule Name, CVE ID, Risk Level, Current Action, and Status.
Detecting mining worms with Cloud Firewall
Even with strong intrusion prevention measures at the public network border, systems can still become infected with mining worms. For example, a mining worm can spread from a development machine to the production network over a VPN, or a large-scale infection can occur if system or Docker images used for operations are pre-infected with a milking virus.
Cloud Firewall provides the Breach Detection feature, which is powered by Network Traffic Analysis (NTA), to promptly and effectively detect mining worm infections. Using its threat intelligence network, Cloud Firewall identifies mining pool addresses, detects mining trojan downloads, recognizes mining communication protocols, and issues real-time alerts for mining activity on your hosts.
You can use the Quick Blocking feature on the Breach Detection page to detect mining worms and block communication between mining trojans and mining pools at the network level. To enable auto-blocking, perform the following steps:
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, choose .
-
On the Breach Detection page, locate a specific event in the list and click Details in the Actions column.
In the Event Details panel, you can view the external address that the mining program connects to.
-
Log on to the affected server, locate the mining process, and remove it.
Rapid threat containment
If a server is already infected with a mining worm, Cloud Firewall can help contain the threat and minimize business and data loss by blocking malicious file downloads, intercepting C&C communication, and strengthening access control for critical business zones.
-
Block malicious file downloads
After a host is infected by a mining worm, it often attempts to download additional malicious files. The Basic Protection feature of Cloud Firewall includes malicious file detection. It uses real-time updates of unique signatures and fuzzy hashes for common mining worms. If an infected host attempts to download new attack payloads, Cloud Firewall performs security checks, including file reconstruction and signature matching on the traffic. If it detects a malicious file download, it generates an alert and blocks the download.
You can enable the Basic Protection switch on the tab of the IPS Configuration page to block malicious file downloads.
-
Intercept C&C communication
After a host is infected, the mining worm may try to communicate with a Command and Control (C&C) server to receive further malicious commands or to exfiltrate sensitive data. The Basic Protection feature of Cloud Firewall intercepts this C&C communication in real time through the following methods:
-
It analyzes and monitors network-wide worm data and C&C server traffic to create signatures for abnormal traffic. It continuously monitors changes in C&C communication and extracts attack patterns to ensure timely detection.
-
It automatically learns from historical traffic data to build an abnormal traffic detection model, which helps discover potential unknown mining worms.
-
It uses big data visualization to profile IP access behavior across the network. It employs machine learning to identify anomalous IP addresses and access domains, correlates this data with network-wide attack information, and maintains a C&C threat intelligence library. This allows for real-time matching against server traffic to block malicious C&C connections.
You can enable the Basic Protection feature on the page to intercept C&C communication.
-
-
Enable strict access control for critical business zones
Critical services often need to be exposed to the internet, but scans and attacks from the internet pose a threat to your assets, making fine-grained external access control difficult. However, for outbound connections initiated from an ECS instance, an elastic IP address, or an internal network, the number of destination domains or IP addresses is usually controllable and limited to legitimate services. Implementing outbound domain or IP-based access control can prevent a compromised ECS host from planting mining trojans or communicating with C&C servers.
Cloud Firewall allows you to set access control rules based on destination domain names (including wildcard domains) and IP addresses. To protect critical business services, you can configure a strict Outbound access control policy. This policy allows your critical services to connect only to specific destination domains or IP addresses, while denying all other outbound connections. This approach effectively prevents the download and spread of mining worms and stops post-breach persistence and monetization activities.
For example, your internal network makes outbound connections to a total of six IP addresses, where NTP services are all identified as Alibaba Cloud products and the DNS server is a known address like 8.8.8.8. Following Cloud Firewall's security recommendations, you can create a policy to allow traffic to these six IP addresses and deny all other outbound connections. This configuration prevents malicious activities like malware downloads and C&C communication without affecting normal business operations.
On the Outbound tab of the page on the Cloud Firewall console, you can create an outbound access control policy to allow traffic to trusted public IP addresses and deny all other outbound traffic.
The massive spread of mining worms is driven by persistent application vulnerabilities, the frequent emergence of 0-day vulnerabilities, and the high efficiency of monetization through cryptomining. You can seamlessly integrate Cloud Firewall to protect your applications from a wide range of internet-based attacks. Using its extensive computing power and network-wide threat intelligence, it quickly detects new threats to protect you from mining worms. Cloud Firewall also scales elastically with your business, allowing you to focus on growth without worrying about security.