Cryptocurrency Mining?

L4 Transporter

Cryptocurrency Mining?

Hi folks,

 

We recently had a pen test and had positive results.  We do not use URL filtering, but have everything else.

However, on 12/24/2017 we can now see a reboot.txt file sitting in our Windows\temp directory on an Oracle OAM server.

Luckly, Carbon Black flagged the file as it was trying to be run and denied, running from cmd.exe.

 

We can also see a new Windows task scheduler task created on 1/2/2017 that calls to run schtask1.ps1, that we did not create.  Also cannot find that file.  Did a restore of the VM to 12/21/2017, no trace of these new files and settings.

 

We continue to our threat alerts denying malicious traffic.  Quick searches so far seem to indicate cryptocurrency mining. 

I see there are a couple of PA references out there for this.

 

Curious if anyone has any comments as we continue our investigation or any of this rings a bell?

I've been searching our traffic logs for cryptocurreny as mentioned here, but nothing so far.

https://www.reddit.com/r/paloaltonetworks/comments/6n2781/how_can_i_detect_bitcoin_traffic_pan_7011_...

 

 

L7 Applicator

Re: Cryptocurrency Mining?

Hello,

Sorry for your troubles, never a good time. As a quick solution, you may want to try the following. While you wont get the bells and whistles without being a customer, it will block DNS qureies to their known bad sites:

 

https://www.opendns.com/setupguide/

 

Also take a look at https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta-p/58891

 

Regards,

L7 Applicator

Re: Cryptocurrency Mining?

@OMatlock,

The steps mentioned in that Reddit article are pretty good, and would be my immediate reaction. Honestly though you should really be looking at how someone was able to access your OAM server in the first place and mitigate that. Crypto mining isn't really a 'threat' per say, since they are just stealing your resources. However, if enough access to your server is actually allowed for this to happen then you could be leaving yourself open to bigger issues in the future. 

L4 Transporter

Re: Cryptocurrency Mining?

Thank you for the feedback folks.

 

BPry

Yes, I we are wondering how access was gained.  This is a server behind our PA with an internal IP, behind a load balancer with an internal IP.  We do NAT of course from a public IP to the load balancer private IP.

 

We do see that there are several Weblogic patches for vulnerabilities, and we are likely out of date.  But trying to figure out how access was gained in the first place.

 

Still investigating...

L4 Transporter

Re: Cryptocurrency Mining?

BPry

Otakar.Klier

 

I see there are wildfire traffic and threat detection coming from this server in question.  The rule is an outbound to internet rule.

Would this mean that this server is in fact infected some how?

Since it is using wildfire, would that mean unknown or zero day perhaps?

threat2.jpg

 

I also see this server attempting to reach out to the internet and session ends in threat.

threat.jpg

L7 Applicator

Re: Cryptocurrency Mining?

I would say that its a safe bet the system is compromised. I would not hestitate to implement your incident response plan if you have one.

L4 Transporter

Re: Cryptocurrency Mining?

Thank you Otakar.Klier

 

Would you know if the reset-both action means that the traffic is denied or dropped?

I mean that's what the PA is doing here, right?

Detecting the attempts of outgoing traffic as malcious?

L7 Applicator

Re: Cryptocurrency Mining?

You are correct. PAN see's malicious traffic and is blocking it.

 

There are several types of actions the PAN can take.

 

  • a silent drop is useful if obscurity is preferred.
  • reset-client is useful when user experience is key, the application will immediately be able to let the user know a connection is not available.
  • reset-server is useful when internal resources need to be protected from excessive resource consumption due to half-open sockets.
  • reset-both will provide best user experience and protect servers' resources, but may facilitate malicious use.
  • zone protection will add protective mechanisms that allow a more userfriendly experience while still protecting against abuse.

A reset both just means that the PAN sent a close socket to both the attacker and victim in this case to prevent a DoS scenario.

L7 Applicator

Re: Cryptocurrency Mining?

Here is some info on those IP's:

 

https://www.virustotal.com/en/ip-address/165.227.215.25/information/

 

https://www.virustotal.com/en/ip-address/72.11.140.178/information/

 

I would say it depends on what you are looking for as your next steps. Some like to let the traffic continue and try and analyze to see if they can figure out where it can from. Others just want to shut it down ASAP, meaning put in policies to deny traffic to/from those IP's and any others that are not legit.

L4 Transporter

Re: Cryptocurrency Mining?

Thanks again. 

 

I guess the trick is to know which are legit or not, and block them automatically if not legit.

 

We have not made any changes to remediate yet, since Carbon Black seems to be preventing it to run and PA is blocking traffic.  But don't know how it got there in the first place.

 

We have a call with a security provider tomorrow morning...will update. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!