
Cloud Firewall:Best practices for defending against mining programs

Last Updated:Apr 01, 2026

Cloud Firewall protects your cloud environment from mining worms by detecting and blocking malicious traffic in real time. This topic describes how to use Cloud Firewall and Security Center together for a comprehensive defense strategy that covers prevention, detection, and response.

Limitations

  • Cloud Firewall edition requirements

    The features described in this topic are available only in the Premium, Enterprise, and Ultimate editions of Cloud Firewall. The Free edition does not support mining worm detection or prevention. For more information, see Purchase Cloud Firewall.

  • Security Center edition requirements

    The features available in Security Center vary by edition. For more information, see Features.

How mining worms spread

According to the 2018 Cloud Cryptojacking Analysis Report by the Alibaba Cloud security team, every major wave of zero-day vulnerabilities in the past year has been followed by an explosive spread of mining worms. These worms can cause service disruptions by consuming system resources. Some, like XBash, are even bundled with ransomware, leading to financial and data losses for businesses.

The Alibaba Cloud security team has found that mining worms in the cloud primarily spread by exploiting the following common vulnerabilities:

  • Exploitation of common vulnerabilities

    Mining worms frequently exploit widespread weaknesses in web applications, such as misconfigurations and weak passwords, and run brute-force attacks against SSH, RDP, and Telnet. They continuously scan the internet and launch attacks to infect exposed hosts.

  • Exploitation of zero-day and N-day vulnerabilities

    Mining worms also take advantage of the window of opportunity before zero-day and N-day vulnerabilities are patched, allowing for rapid, large-scale infections.

Mining worm defense strategy

Pre-incident

  • Use Cloud Firewall's access control feature to create a policy that allows only trusted traffic.

    Related actions: Create an outbound access control policy to allow traffic to trusted public IP addresses and deny all other outbound traffic. For more information, see Access control policies.

  • Enable the threat engine in Cloud Firewall to promptly block mining activities.

    Related actions: See Use Cloud Firewall to defend against mining worms.

  • Use the intrusion prevention feature of Cloud Firewall to detect and intercept attack traffic.

    Related actions: See Intrusion prevention.

  • Use the proactive defense feature of Security Center to automatically block common viruses, malicious network connections, and webshell connections to prevent mining incidents on ECS instances.

    Related actions: See Antivirus.

  • Use the alert handling feature of Security Center to detect mining programs and mining pool communication activities on your ECS instances.

    Related actions: See Evaluate and handle security alerts.

During incident

  • Use the Breach Awareness feature of Cloud Firewall to quickly detect mining worms.

    Related actions: On the Breach Detection page, you can identify specific events and outbound connection addresses. For more information, see Use Cloud Firewall to detect mining worms.

  • Use the intrusion prevention feature of Cloud Firewall for rapid containment.

    Related actions: Enable the Basic Protection switch to block malicious file downloads. For more information, see Contain threats with Cloud Firewall after a breach.

  • Use a Cloud Firewall access control policy to block mining connections.

    Related actions: Create an outbound access control policy that allows connections to trusted IP addresses and sets the action to Deny for connections to mining pool addresses.

  • Implement Cloud Firewall best practices based on ATT&CK.

    Related actions: Cloud Firewall provides features such as basic rules, virtual patching, and threat intelligence to address various risks across the ATT&CK framework. We recommend that you harden your network security by following the Cloud Firewall best practices based on ATT&CK.

Post-incident

  • Use Security Center to perform attack source tracing for mining viruses.

    Related actions: See View attack source analysis results.

  • If no breach awareness events or alerts related to mining communications are reported for seven days, the mining virus or trojan has been successfully removed. To check the results, see Breach Awareness.

Mining worm defense with Cloud Firewall

Defense against common vulnerabilities

  • To counter brute-force attacks such as those targeting SSH and RDP, the Basic Protection feature of Cloud Firewall uses standard detection methods. It calculates thresholds for login attempts or errors and restricts IP addresses that exceed these thresholds. By combining this with behavioral models based on your typical access patterns, it blocks abnormal login attempts without interrupting legitimate access.

  • For common exploit techniques, such as using Redis to write cron jobs or using database UDFs for command execution, basic protection leverages Alibaba Cloud's big data capabilities. It uses a vast collection of malicious attack samples gathered from real-world cloud attack and defense scenarios to create precise protection rules.
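The threshold-based brute-force detection described above, as an added illustration that is not Cloud Firewall's own code: it walks constructed sshd log lines, counts failed logins per source address inside a sliding window, and exempts addresses on a trusted list that stands in for the behavioural allow-list the page mentions. All addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the page); ISO-8601 timestamps for simplicity.
SAMPLE_AUTH_LOG = """\
2026-03-30T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2026-03-30T10:00:02 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2026-03-30T10:00:03 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2026-03-30T10:00:04 sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
2026-03-30T10:00:05 sshd[1205]: Failed password for oracle from 203.0.113.7 port 51026 ssh2
2026-03-30T10:00:30 sshd[1210]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2026-03-30T10:00:41 sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2026-03-30T10:15:00 sshd[1300]: Failed password for bob from 192.0.2.9 port 50000 ssh2
2026-03-30T10:20:00 sshd[1301]: Failed password for bob from 192.0.2.9 port 50001 ssh2
2026-03-30T10:25:00 sshd[1302]: Failed password for bob from 192.0.2.9 port 50002 ssh2
2026-03-30T10:30:00 sshd[1303]: Failed password for bob from 192.0.2.9 port 50003 ssh2
2026-03-30T10:35:00 sshd[1304]: Failed password for bob from 192.0.2.9 port 50004 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def find_bruteforce_sources(log_text, threshold=5, window_seconds=60, trusted_sources=()):
    """Return {ip: (failures, first_ts, last_ts)} for each source IP that reaches
    `threshold` failed logins inside a sliding window of `window_seconds`.
    `trusted_sources` models the behavioural allow-list: those IPs are never restricted."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m and m["ip"] not in trusted_sources:
            failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until the window spans at most window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (end - start + 1, times[start], t)
                break  # one verdict per IP is enough to restrict it
    return flagged

if __name__ == "__main__":
    for ip, (n, first, last) in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"restrict {ip}: {n} failed logins between {first.time()} and {last.time()}")
```

With the defaults only 203.0.113.7 is restricted: 192.0.2.9 also fails five times, but spread over twenty minutes, so it only trips the threshold when the window is widened.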

You can enable Basic Protection in Cloud Firewall to defend against common vulnerabilities. Follow these steps:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  3. On the Internet Border tab, select Blocking Mode - Loose for Threat Engine Mode.

  4. On the Internet Border > Basic Protection tab, turn on the Basic Protection switch.


  5. In the left-side navigation pane, choose Detection & Response > Security Events > IPS. On the IPS page, view the detailed block logs.

Defense against zero-day and N-day vulnerabilities

Popular zero-day and N-day vulnerabilities pose a high risk of being exploited by mining worms if not patched promptly. Cloud Firewall uses network-wide honeypots to analyze abnormal attack traffic and gathers vulnerability intelligence from the Alibaba Cloud Security Response Center. This allows for the timely discovery of vulnerabilities, acquisition of PoCs or exploits, and creation of virtual patches, giving you a critical time advantage in defending against attackers.

You can enable virtual patching in Cloud Firewall to defend against zero-day and N-day vulnerabilities. Follow these steps:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  3. On the Virtual Patching tab, turn on the Virtual Patching switch. You can view and manage virtual patching rules in the list.


Mining worm detection with Cloud Firewall

Even with strong intrusion prevention measures at your network perimeter, hosts can still become infected with mining worms. For example, a worm can spread from a development machine to the production network over a VPN, or infections can break out on a large scale if system or Docker images used for operations have been pre-infected with a mining virus.

Cloud Firewall provides the Breach Detection feature, powered by Network Traffic Analysis (NTA), to promptly and effectively detect mining worm infections. By leveraging a powerful cloud-based threat intelligence network, Cloud Firewall can identify addresses of known cryptocurrency mining pools, detect downloads of mining trojans, and recognize common mining communication protocols. This enables Cloud Firewall to identify and alert on host mining activities in real time.

You can enable the Quick Blocking feature on the Breach Detection page to detect mining worms and block communication between mining trojans and mining pools at the network level. Follow these steps to enable automatic blocking:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Detection & Response > Security Events > Breach Detection.

  3. On the Breach Detection page, locate the specific event in the list and click Details in the Actions column.

    In the Event Details panel, you can view the outbound addresses that the mining program is attempting to contact.

  4. Log on to the server where the mining program was detected to locate and remove the mining process.

Threat containment with Cloud Firewall

If a server is already infected with a mining worm, Cloud Firewall can help contain its spread and minimize business and data loss by blocking malicious file downloads, intercepting C&C communication, and enforcing stricter access control for critical services.

  • Block malicious file downloads

    After a server is infected, a mining worm often attempts to download additional malicious files. The Basic Protection feature of Cloud Firewall includes malicious file detection capabilities. It is continuously updated with unique signatures and fuzzy hashes of files associated with common mining worms. If a worm attempts to download additional payloads after a successful breach, Cloud Firewall inspects the traffic, reconstructs the files, and matches them against its signatures. When a malicious file download is detected, it is blocked and an alert is generated.

    You can go to the Internet Border > Basic Protection tab on the IPS Configuration page and turn on the Basic Protection switch to block malicious file downloads.

  • Intercept C&C communication

    An infected host may try to communicate with a Command and Control (C&C) server to receive further instructions or exfiltrate sensitive data. Cloud Firewall's Basic Protection feature intercepts this C&C communication in real time using the following methods:

    • It analyzes and monitors worm data and C&C traffic from across the entire network to identify the characteristics of abnormal communication. These characteristics are used to create detection rules. By continuously monitoring changes in C&C communication, the system constantly extracts new attack patterns to ensure timely detection.

    • It automatically learns from historical traffic data to build abnormal traffic detection models, which helps uncover previously unknown mining worms.

    • It uses big data visualization to profile IP access behavior and machine learning to discover anomalous IP addresses and domains. This data is correlated with network-wide attack data to build a C&C threat intelligence database. This database enables real-time matching against server traffic to block malicious C&C connections.

    You can enable the Basic Protection feature on the IPS Configuration > Internet Border tab to intercept C&C communication.

  • Enforce strict access control for critical business zones

    Critical business services often need to be exposed to the internet, but scans and attacks from the internet pose a constant threat. While it is difficult to apply fine-grained controls to inbound traffic from the entire internet, outbound connections from a specific ECS instance, EIP, or internal network are usually predictable and limited to a small set of legitimate destinations. By implementing strict outbound domain- or IP-based access control, you can prevent a compromised ECS host from planting mining trojans via malicious domains or communicating with C&C servers.

    Cloud Firewall allows you to set access control rules based on domain names (including wildcard domains) and IP addresses. For critical services, you can configure a strict outbound access control policy that allows access only to specific domains or IP addresses on essential business ports and denies all other connections. This practice effectively stops mining worms from downloading payloads, spreading to other systems, and maintaining persistence to keep mining for profit.

    For example, if an internal network has six authorized destination IP addresses for outbound connections, such as Alibaba Cloud NTP servers and a well-known DNS server like 8.8.8.8, you can create a policy that explicitly allows traffic to these six IP addresses and denies all other outbound connections. This configuration blocks unauthorized downloads and C&C communication without affecting normal business operations.

    On the Cloud Firewall console, navigate to the Access Control > Internet Firewall page and click the Outbound tab. There, you can create an outbound access control policy to allow traffic to trusted public IP addresses and deny all other traffic.
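The allow-six-deny-everything-else policy from the example above, as an added illustration that is not Cloud Firewall's own code or API: it evaluates constructed outbound flows against an ordered rule list (first match wins, no implicit allow) and checks the one ordering mistake that silently breaks such a policy, a deny-all rule placed above the trusted destinations. Apart from 8.8.8.8, every address and port is a placeholder.

```python
import ipaddress

# Constructed outbound policy modelled on the page's six-address example: the listed
# destinations are allowed, everything else is denied. Addresses other than 8.8.8.8
# are documentation ranges used as placeholders.
OUTBOUND_POLICY = [
    # (destination CIDR, destination port or "*", action); evaluated top-down, first match wins
    ("203.0.113.10/32", 123, "accept"),   # NTP server (placeholder)
    ("203.0.113.11/32", 123, "accept"),   # NTP server (placeholder)
    ("8.8.8.8/32", 53, "accept"),         # public DNS resolver named on the page
    ("198.51.100.20/32", 443, "accept"),  # package mirror (placeholder)
    ("198.51.100.21/32", 443, "accept"),  # partner API (placeholder)
    ("198.51.100.22/32", 22, "accept"),   # bastion host (placeholder)
    ("0.0.0.0/0", "*", "deny"),           # deny all other outbound traffic
]

def evaluate_outbound(policy, dst_ip, dst_port):
    """Return (action, rule_index) of the first rule that matches the flow,
    or ("deny", None) when nothing matches (no implicit allow)."""
    ip = ipaddress.ip_address(dst_ip)
    for idx, (cidr, port, action) in enumerate(policy):
        if ip in ipaddress.ip_network(cidr) and port in ("*", dst_port):
            return action, idx
    return "deny", None

def shadowed_allow_rules(policy):
    """Return indices of accept rules that an earlier, broader deny rule already
    covers. A deny-all placed above the trusted destinations blocks them too."""
    shadowed = []
    for i, (cidr, port, action) in enumerate(policy):
        if action != "accept":
            continue
        net = ipaddress.ip_network(cidr)
        for pcidr, pport, paction in policy[:i]:
            if (paction == "deny" and net.subnet_of(ipaddress.ip_network(pcidr))
                    and pport in ("*", port)):
                shadowed.append(i)
                break
    return shadowed

if __name__ == "__main__":
    # Constructed flows: routine DNS, a made-up pool address and port, and DNS on the wrong port.
    for dst, port in (("8.8.8.8", 53), ("192.0.2.50", 3333), ("8.8.8.8", 443)):
        print(dst, port, evaluate_outbound(OUTBOUND_POLICY, dst, port))
    misordered = [OUTBOUND_POLICY[-1]] + OUTBOUND_POLICY[:-1]
    print("shadowed rules:", shadowed_allow_rules(misordered))
```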

The persistent presence of common application vulnerabilities, the frequent emergence of zero-day vulnerabilities, and the high profitability of cryptojacking have led to the widespread proliferation of mining worms. You can seamlessly integrate Cloud Firewall to protect your applications from a wide range of internet-based attacks. Backed by massive cloud computing power, Cloud Firewall quickly detects the latest threats and uses network-wide threat intelligence to protect you from mining worms. Cloud Firewall also scales elastically with your business, so you can focus on growth instead of dedicating resources to security management.