Detect Cryptojacking with QRadar

Sean Cullen
Oct 23, 2018 · 5 min read
Spot and Stop Cryptojackers with QRadar SIEM

According to various sources such as the Financial Times, Dark Reading, Business Insider and X-Force Threat Intelligence, cryptojacking grew sharply in the first 6 months of 2018, with a reported increase of 629% compared with the previous quarter in 2017.

There is evidence to suggest that cryptojackers are moving away from the traditional approach of installing a miner as a hidden background process on individual machines, and are instead compromising popular websites with cryptomining scripts, so that every visitor's browser contributes to a huge pool of hash power.

“Cryptojacking involves hijacking the processing power of unsuspecting internet browsers in order to create — or “mine” — cryptocurrencies, typically an energy-intensive process.”

With QRadar, these activities can be detected through a downloadable content extension and threat intelligence feeds from X-Force Exchange, which enrich the existing rules in a customer's deployment with reference sets of known cryptomining IPs and domains.

Subscribing to TAXII feeds for Cryptomining in X-Force Exchange.

At the 60th Jubilee of IBM Hursley we demoed "Spot and Stop Cryptojackers" at the annual Festival of Innovation. It was an opportunity to showcase the power of QRadar, but also to see the breadth of IBM's technology. The vast array of technology intrigued me, particularly the use cases in areas such as Artificial Intelligence, Machine Learning, Data Analytics, IoT, Cloud and Security.

In our demo, we explore how IBM's QRadar can spot and stop cryptojacking in cloud computing offerings such as Amazon Web Services (AWS). QRadar is industry-leading Security Information and Event Management (SIEM) software, which provides log and flow aggregation, vulnerability and risk assessment, and out-of-the-box "rules" for detecting behavioural and threshold-based anomalies.

Fig 1.0 Exploiting AWS Credentials, Creating a crypto mining “farm”

Above is the workflow of how an attack might play out, taking a classic phishing email as the example:

(1) The attacker phishes a user with a convincing email, with the aim of obtaining AWS credentials.

(3) The attacker creates a cloud-based mining rig, spawning hundreds of EC2 instances that either execute mining scripts or load browsers pointed at a compromised site.

(4) The cryptomining hashes are sent to an intermediary such as CoinHive, which validates the transactions and transfers the proceeds into an anonymous wallet.

(5) The attacker moves the funds into an anonymous wallet and withdraws them as fiat currency via an exchange.

Let’s look at how QRadar can detect this type of activity at each stage.

Stage 1–2 – QRadar has built-in rules that can detect logins from non-business geographies, or multiple login attempts using the same credential set. In this case, we have at least 2 successful logins for the same user via the AWS Console Login (the main account login) from the UK and Russia.

Fig 1.1 QRadar Offense triggered for multiple successful logins with the same username from two different geographies, containing Console Login (AWS).

Stage 2–3 – Once the credentials have been compromised by an attacker, EC2 instances are spawned in AWS. QRadar can detect the creation of the EC2 instances, and also extract other useful information from the events such as the operating system or network interface. These extracted properties are easily customisable within the QRadar platform, allowing users to tailor their logging and reporting.

For example, an EC2 instance running an operating system "outside of the norm" can be flagged for further investigation. Something such as Kali Linux, an OS typically used for penetration testing and network forensics, would be cause for concern.

Fig 1.2 — Offense triggered on detection of an unauthorised operating system in EC2 events, along with mass creation of EC2 instances in quick succession.
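To make the Stage 1–2 and Stage 2–3 detections concrete, here is an added example (my own illustration, not QRadar's rule engine or the content pack) that runs the same three checks over a handful of constructed CloudTrail-style records: successful ConsoleLogin events for one user from two countries inside a time window, a burst of RunInstances calls, and a launch from an image that is not on an approved list. The event records, the IP-to-country table that stands in for QRadar's geolocation enrichment, and the AMI identifiers are all invented for the example.

```python
"""Detection logic for stages 1 to 3 above, run over constructed CloudTrail-style
records. Added example: this is not QRadar's rule engine or the content pack, and the
events, the IP-to-country table and the approved-AMI list are all invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the SIEM's geolocation enrichment (QRadar geolocates sourceIPAddress
# itself); these TEST-NET addresses and countries are constructed for the example.
GEO = {"203.0.113.10": "GB", "192.0.2.44": "GB", "198.51.100.7": "RU"}

# Hypothetical allow-list of images the organisation builds from; any other AMI is
# treated as an operating system "outside of the norm".
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaaa", "ami-0bbbbbbbbbbbbbbbb"}
KALI_AMI = "ami-0ccccccccccccccc0"  # hypothetical Kali Linux marketplace image

# Constructed events, already flattened to the fields a rule would reference.
EVENTS = [
    {"time": "2018-10-01T08:00:00Z", "event": "ConsoleLogin", "user": "user1",
     "ip": "203.0.113.10", "result": "Success"},
    {"time": "2018-10-01T08:41:00Z", "event": "ConsoleLogin", "user": "user1",
     "ip": "198.51.100.7", "result": "Failure"},   # failed attempt: ignored below
    {"time": "2018-10-01T08:42:00Z", "event": "ConsoleLogin", "user": "user1",
     "ip": "198.51.100.7", "result": "Success"},
    {"time": "2018-10-01T08:50:00Z", "event": "RunInstances", "user": "user1",
     "ip": "198.51.100.7", "image": KALI_AMI},
    {"time": "2018-10-01T09:00:00Z", "event": "ConsoleLogin", "user": "user2",
     "ip": "192.0.2.44", "result": "Success"},
    {"time": "2018-10-01T09:05:00Z", "event": "RunInstances", "user": "user2",
     "ip": "192.0.2.44", "image": "ami-0aaaaaaaaaaaaaaaa"},
] + [
    # five more launches by user1 in as many minutes: the "mining farm" burst
    {"time": f"2018-10-01T08:5{i}:00Z", "event": "RunInstances", "user": "user1",
     "ip": "198.51.100.7", "image": "ami-0bbbbbbbbbbbbbbbb"}
    for i in range(1, 6)
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def multi_geo_logins(events, window=timedelta(hours=1)):
    """Users with successful ConsoleLogin events from 2+ countries inside `window`."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "ConsoleLogin" and e.get("result") == "Success":
            logins[e["user"]].append((parse_time(e["time"]), GEO.get(e["ip"], "??")))
    hits = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            countries = {c for t, c in entries[i:] if t - t0 <= window}
            if len(countries) >= 2:
                hits[user] = countries
                break
    return hits


def ec2_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users who launch at least `threshold` instances within any `window`; value is
    the peak count seen (sliding window over sorted launch times)."""
    launches = defaultdict(list)
    for e in events:
        if e["event"] == "RunInstances":
            launches[e["user"]].append(parse_time(e["time"]))
    hits = {}
    for user, times in launches.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def unapproved_images(events, approved=APPROVED_AMIS):
    """(user, AMI) pairs for launches from images outside the approved list."""
    return [(e["user"], e["image"]) for e in events
            if e["event"] == "RunInstances" and e["image"] not in approved]


if __name__ == "__main__":
    print("multi-geo logins:", multi_geo_logins(EVENTS))
    print("EC2 bursts:", ec2_bursts(EVENTS))
    print("unapproved images:", unapproved_images(EVENTS))
```

The failed login at 08:41 is deliberately excluded, which is the same distinction the QRadar rule makes between the "multiple login attempts" and "multiple successful logins" cases; user2 trips none of the three checks, so the output names only user1.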

Stage 3–4 – EC2 instances load the infected cryptomining site and send the computed hashes to the attacker's anonymous wallet via an intermediary such as Coinhive.

We can detect and analyse these through integrations with QRadar Advisor with Watson (Fig 1.3), as well as User Behavioural Analytics (Fig 1.4).

Fig 1.3 — QRadar Advisor with Watson offering insights and observables linked with a cryptojacking instance. The diagram illustrates who was involved (root / user1), from which IPs, and the observables behind the Coinhive DNS name.

QRadar Advisor with Watson offers Security Operations Analysts deeper insights into an offense through correlation of net flow data, log data, vulnerability data and threat intelligence feeds using STIX and TAXII. This significantly reduces the overall time to investigate and allows better mitigation activities to follow, such as updating firewall rules, IPS signatures or scheduling patches for the affected assets. Mitigation in this instance would be to ensure endpoints are using the latest browsers, which either provide extensions to detect cryptojacking or prompt the user prior to rendering the website.
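The Fig 1.3 observables and the STIX/TAXII feeds come together in a reference-set match: indicators from the feed become a set of domains and IPs, and DNS queries and flows are checked against it. The following is an added example of that matching written as plain Python, not the X-Force Exchange feed or QRadar's reference-set implementation. The STIX patterns, the BIND-style DNS query log lines, the flow records and the "miner-pool.example" domain are constructed for the example; the minimal pattern parser handles only the two indicator shapes shown.

```python
"""Reference-set matching of DNS queries and flows against threat-intel indicators.
Added example: the indicators, log lines and flows below are constructed; the parser
only understands the two simple STIX 2 pattern shapes it is fed."""
import re
from collections import defaultdict

# Constructed indicator patterns in STIX 2 pattern syntax (as a TAXII collection
# might deliver them). miner-pool.example and the TEST-NET IP are invented.
INDICATORS = [
    "[domain-name:value = 'coinhive.com']",
    "[domain-name:value = 'miner-pool.example']",
    "[ipv4-addr:value = '198.51.100.23']",
    "[file:hashes.'SHA-256' = '0000']",  # unsupported shape: skipped by the loader
]

STIX_PATTERN = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")


def build_reference_sets(indicators):
    """Split indicator patterns into a domain set and an IPv4 set."""
    domains, ips = set(), set()
    for pat in indicators:
        m = STIX_PATTERN.fullmatch(pat.strip())
        if not m:
            continue  # a real loader would log the unsupported pattern
        kind, value = m.groups()
        (domains if kind == "domain-name" else ips).add(value.lower().rstrip("."))
    return domains, ips


def domain_matches(qname, domains):
    """True if qname equals a listed domain or is a subdomain of one. The leading
    dot keeps 'notcoinhive.com' from matching 'coinhive.com'."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# BIND-style query log format; the client address is the host that asked.
DNS_LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def scan_dns_log(lines, domains):
    """Map source host -> set of queried names that hit the reference set."""
    hits = defaultdict(set)
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if m and domain_matches(m["qname"], domains):
            hits[m["src"]].add(m["qname"].lower().rstrip("."))
    return dict(hits)


def scan_flows(flows, ips):
    """Map source host -> set of destination IPs that hit the reference set."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in ips:
            hits[f["src"]].add(f["dst"])
    return dict(hits)


# Constructed sample input: two hits from 10.0.1.15, a near-miss name, a benign
# query and an unrelated syslog line that the regex should ignore.
DNS_LOG = [
    "01-Oct-2018 09:12:01.123 client 10.0.1.15#53422: query: ws.coinhive.com IN A + (10.0.0.2)",
    "01-Oct-2018 09:12:05.400 client 10.0.1.15#53423: query: miner-pool.example IN A + (10.0.0.2)",
    "01-Oct-2018 09:13:10.010 client 10.0.1.20#40001: query: notcoinhive.com IN A + (10.0.0.2)",
    "01-Oct-2018 09:13:12.900 client 10.0.1.21#40002: query: www.ibm.com IN A + (10.0.0.2)",
    "01-Oct-2018 09:14:00.000 named[123]: zone example.com/IN: loaded serial 42",
]
FLOWS = [
    {"src": "10.0.1.15", "dst": "198.51.100.23"},
    {"src": "10.0.1.21", "dst": "192.0.2.80"},
]

DOMAINS, IPS = build_reference_sets(INDICATORS)

if __name__ == "__main__":
    print("DNS hits:", scan_dns_log(DNS_LOG, DOMAINS))
    print("flow hits:", scan_flows(FLOWS, IPS))
```

Keying the hits by source host is what makes the result useful to an analyst: the same host appears in both the DNS and the flow results, which is the kind of correlation the Advisor view in Fig 1.3 presents as linked observables.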

Most of these browser-based attacks exploit JavaScript, which is widely used across the web and is usually allowed to run automatically in people's web browsers by default. The Coinhive JavaScript miner, which is used for legitimate cryptocurrency mining on certain websites, is publicly distributed, and independent cryptojacking scripts are either straightforward to write or freely available from the Dark Web.

Fig 1.4 UBA increasing the risk profile of the user root.

User Behavioural Analytics (UBA) is a fantastic integration with QRadar, primarily for analysing user activity to detect malicious insiders or to determine whether a user's credentials have been compromised. This lends itself perfectly to detecting malicious activity carried out with cloud credentials.

UBA integration with QRadar allows easy detection of potentially compromised accounts, taking into account the activity seen. In this case, we've seen multiple accesses from 2 different geographies, followed by an EC2 instance using an unsupported OS such as Kali Linux, then followed by the creation of further EC2 instances in quick succession.

UBA supplements the offense triggered by these events, showing the timeline of events and the users involved, allowing SOC analysts to quickly assess, stop or mitigate the impact.


Cryptomining Collections

Cryptojacking AWS Content Pack.

Add Threat Intelligence & Security Content to QRadar
