Detecting Crypto Miners in Your AWS Account

Nick Lu
5 min read · Feb 1, 2022


An overview of using AWS GuardDuty to detect crypto mining

Introduction

Over this past holiday season, I was gifted some crypto coins to begin my investment journey. I’m a college student majoring in Business Information Technology, and like many others in Gen Z, I believe cryptocurrency will be a major component in the future of finance. Cryptocurrency, nonfungible tokens (NFTs), and metaverse land (just to name a few) will be investment instruments for my generation and the ones after it, just as stocks and bonds were for previous generations.

Before sinking your hard-earned money into any investment, you must do the required research into the asset. In my case, I first want to understand why crypto has value. Well, if you think about it, why does gold have value? Any currency can have value if societies believe that it has value and are willing to exchange it for goods. Another important characteristic is that a currency must have a limited supply that not just anyone can create in abundance, which is something both cryptocurrencies like Bitcoin and gold possess. After understanding that concept, I want to learn how cryptocurrency coins are created. Luckily, I don’t have to grab a pickaxe and start digging. The way new coins are created is called crypto mining, which requires computers running special software built to solve complicated cryptographic puzzles.

Crypto Mining

Because crypto mining is computationally intensive and expensive, unscrupulous miners have created mining bots in the form of malware. The malware infects computers on the internet, and the infected computers are controlled to do crypto mining in the background. In effect, your electricity and internet connection are used to enrich the bad guy with cryptocurrency. In particular, mining bots will often target servers and virtual machines in the cloud and in data centers, as those platforms tend to be more powerful computationally than home computers.

As a cyber security engineer in training, I was interested to learn what can be done to detect and eliminate the threat of mining bots. Since I have been working on obtaining my AWS Solution Architect certification, and knowing how widely used Amazon EC2 servers are, I decided to focus on detecting crypto miners running in EC2 instances. The good news is that the detection is pretty simple to set up using the Amazon GuardDuty service. Let me show you how.

Protect Against Unauthorized Crypto Mining

Getting Started on AWS

You must create an account on AWS to get started. It’s pretty simple, you can follow the instructions on this AWS Support page. You will need a credit card to create an account, but the setup I will show you won’t cost anything as it qualifies for the AWS Free Tier.

Enable GuardDuty

Straight from AWS: GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Once enabled, GuardDuty will monitor for crypto mining traffic on your network. One known behavior of crypto miners is that they connect over the network back to their mothership, the mining pool. Therefore, GuardDuty looks for network traffic (and DNS lookups) going to destination IP addresses and domains that are associated with cryptocurrency-related activity such as Bitcoin mining. Out of the box, GuardDuty knows which crypto destinations it must monitor for, and you can add your own list of suspicious endpoints.

From the AWS console, search for GuardDuty in the search bar, then choose GuardDuty in the search result.

Once on the GuardDuty console, activate it for first-time use by choosing “Enable GuardDuty”.

Create EC2 Instance

Now we will create an EC2 server, and simulate that it’s been hijacked to perform unauthorized crypto mining. Let’s head over to the EC2 console and create an instance. On the AWS console, search for EC2 in the search bar. Choose Launch Instance.

1. Choose Amazon Linux 2 as the Amazon Machine Image (AMI).
2. Choose the t2.micro Free Tier instance type.
3. Choose Next: Configure Instance Details. Leave the default values.
4. Choose Next: Add Storage. Leave the default values.
5. Choose Next: Add Tags. Leave the default values.
6. Choose Next: Configure Security Groups. Leave the default values so that a new security group is created. The security group will allow you to SSH to the EC2 instance.
7. Choose Review and Launch.
8. Choose Launch.
9. Choose to create a new SSH key pair. Give it a name, and download it. Choose Launch instance.
10. After a few minutes, check the EC2 dashboard; you should see that your instance is running.
11. Choose the instance, then choose Connect.
12. Choose Connect again.
13. You are now at the command shell for the EC2 instance.

Crypto Miner Traffic

Let’s simulate some crypto miner traffic using the instructions from this AWS Lab. From the shell, run the command below. It uses curl to send an HTTP request to the pool.minergate.com domain, which is a known crypto mining pool; the trailing "> /dev/null &" discards the response and runs the request in the background. Run the command a few times.

curl -s http://pool.minergate.com/dkjdjkjdlsajdkljalsskajdksakjdksajkllalkdjsalkjdsalkjdlkasj > /dev/null &

After 30 minutes or so, head over to the GuardDuty console to see whether we got any findings. On the Findings page, you should see findings of the type CryptoCurrency:EC2.

Per AWS Support, that finding type indicates cryptocurrency-related activity such as Bitcoin mining. In the Resource column, click on the affected instance. In the panel on the right, you can see that the action that triggered the finding was a DNS request for pool.minergate.com. If you don’t expect this behavior, it is probably unauthorized activity in your AWS account. If so, you should take action to patch or shut down the infected EC2 instance.
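Reading findings in the console works for one instance; once there are several, the same information can be pulled from the finding JSON (what "aws guardduty get-findings" returns under "Findings") and grouped per instance. The triage script below is an added example, not code from the article or from AWS: the findings are constructed samples in the GuardDuty finding shape, and the instance ids and the 198.51.100.7 pool address are placeholders.

```python
import json

# Constructed sample findings in the GuardDuty finding JSON shape; not real
# output from any account. Instance ids, finding ids and the IP are placeholders.
SAMPLE_FINDINGS = json.loads("""[
 {"Id": "finding-1", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8,
  "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
  "Service": {"Count": 3, "Action": {"ActionType": "DNS_REQUEST",
              "DnsRequestAction": {"Domain": "pool.minergate.com"}}}},
 {"Id": "finding-2", "Type": "CryptoCurrency:EC2/BitcoinTool.B", "Severity": 8,
  "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
  "Service": {"Count": 1, "Action": {"ActionType": "NETWORK_CONNECTION",
              "NetworkConnectionAction": {"RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}}},
 {"Id": "finding-3", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2,
  "Resource": {"InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}},
  "Service": {"Count": 1, "Action": {"ActionType": "PORT_PROBE"}}}
]""")


def is_crypto_finding(finding):
    """All GuardDuty crypto-mining finding types share the CryptoCurrency:EC2 prefix."""
    return finding.get("Type", "").startswith("CryptoCurrency:EC2")


def mining_indicator(finding):
    """Return (kind, value) for the pool the instance reached: the !DNS variant
    carries the looked-up domain, the plain variant the remote IP it connected to."""
    action = finding.get("Service", {}).get("Action", {})
    kind = action.get("ActionType")
    if kind == "DNS_REQUEST":
        return ("domain", action["DnsRequestAction"]["Domain"])
    if kind == "NETWORK_CONNECTION":
        return ("ip", action["NetworkConnectionAction"]["RemoteIpDetails"]["IpAddressV4"])
    return ("unknown", None)


def triage(findings):
    """Group crypto-mining findings per instance so each host is handled once."""
    report = {}
    for f in findings:
        if not is_crypto_finding(f):
            continue  # other finding types call for different playbooks
        instance = f["Resource"]["InstanceDetails"]["InstanceId"]
        entry = report.setdefault(
            instance, {"indicators": set(), "max_severity": 0, "events": 0})
        entry["indicators"].add(mining_indicator(f))
        entry["max_severity"] = max(entry["max_severity"], f.get("Severity", 0))
        entry["events"] += f.get("Service", {}).get("Count", 1)
    return report
```

Each entry in the returned report names one instance to patch or shut down, along with the pool domains and IPs it contacted and how many times GuardDuty saw it happen.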

Conclusion

In this article, we learned a bit about crypto mining, and why crypto miners might hijack your servers to perform unauthorized mining. If you’re running workloads on AWS, we saw how simple it was to turn on GuardDuty to catch crypto mining network traffic.

In the future, I will show how to configure AWS to automatically take actions when there are AWS GuardDuty findings related to crypto mining. For example, we can alert an operator, or even automatically block traffic on the affected EC2 instance to the crypto site.

P.S. Don’t forget to terminate your EC2 instance.
