- This topic has 9 replies, 9 voices, and was last updated October 6, 2023 by John W.
IDS detecting Bitcoin Mining activity.
-
John WJanuary 14, 2021 08:38:15 PM
Good afternoon,
We have Zert0 and have been a happy user for a few years. Recently we have been getting reports of Bit mining activity in this environment. Has anyone seen this kind of detection in their network? Our reseller has had a look and reports back that it is a false positive. I am curious if anyone else has seen this port activity?
***************************************
Incident Summary
The SOC has received an alert for ‘IPS DROP: 49471 VID54842 Stratum Bitcoin Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device (xxx.xxx.xxx.100/isensor01) for traffic (Blocked) sourcing from port 40764/tcp of xxx.xxx.xxx.80 and destined to port 9093/tcp of 172.16.255.xxx that occurred on 2021-01-08 at 15:37:52. This activity indicates that xxx.xxx.xxx.80 is involved in Bitcoin mining activity. If you have any further questions or concerns, please let us know either by corresponding to us via this ticket and delegating the ticket back to the SOC, or by calling us at 877-838-7960. If you would like us to block or allow an IP address on your managed firewalls or iSensors, please select the “Block/Allow” tab on the left from the Portal. Sincerely, SecureWorks SOCChris RJanuary 18, 2021 08:45:55 AMHi John
I’ve not seen this myself but i’d raise a support ticket and get one of the support engineers to look into the logs for you
Regards
Chris Rogers
Brian CMarch 25, 2021 02:19:30 PMJohn,
Did you ever figure anything out? I got the same alert today:
Incident Summary
The SOC has received an alert for ‘49471 VID54842 Stratum Bitcoin Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device (*.*.*.*/newisensorscs) for traffic (Not Blocked) sourcing from port 48628/tcp of *.*.*.* and destined to port 4008/tcp of *.*.*.* that occurred on 2021-03-25 at 04:31:57. This activity indicates that *.*.*.* is involved in Bitcoin mining activity. If you have any further questions or concerns, please let us know either by corresponding to us via this ticket and delegating the ticket back to the SOC, or by calling us at 877-838-7960. If you would like us to block or allow an IP address on your managed firewalls or iSensors, please select the “Block/Allow” tab on the left from the Portal. To learn more, please visit https://portal.secureworks.com/portal/help/IP_Blocks_and_Allows.htm?rhhlterm=trust&rhsyns=%20#Adding_iSensor_IP_Allows_from_the_Incidents_ModuleSeems to be a false positive b/c its from one zerto appliance to another zerto appliance… but still annoying that it trips these alarms.thanks for info
It’s important to have an IDS (Intrusion Detection System) in place to detect Bitcoin mining activity. Bitcoin mining is the process of adding new transactions to the blockchain, and it requires a significant amount of computational power. Unfortunately, some individuals may use malware to take control of other people’s computers or servers to use them to mine Bitcoin without the owners’ knowledge or consent. This can cause damage to the affected machines and can also lead to a loss of resources and revenue. By using an IDS to detect Bitcoin mining activity, it can help organizations to quickly identify published content and respond to any unauthorized mining activity on their networks, and take appropriate action to stop it. It is also important to have a good endpoint security solution in place to prevent the intrusion of malware and unauthorized access to the network.
Detecting Bitcoin mining activity and cryptocurrency scripts can be challenging as they often use legitimate system resources and network activity. However, Intrusion Detection Systems (IDS) can help in identifying some of the common patterns of such activities.
Some of the methods that can be used by IDS to detect Bitcoin mining activity and cryptocurrency scripts are:
- Signature-based detection: This method involves matching known patterns of Bitcoin mining software and cryptocurrency script with the network traffic to identify the presence of such activity.
- Anomaly detection: This method involves monitoring network traffic and system resource usage to identify unusual patterns of behavior that may be indicative of Bitcoin mining activity or cryptocurrency scripts.
- Behavioral analysis: This method involves analyzing the behavior of processes on the system to identify processes that are using a large amount of system resources or are performing unusual actions that may be associated with Bitcoin mining activity or cryptocurrency scripts.
Our meraki dashboard produced IDS alerts for Mutli Coin CPU miners on our zerto z-vra instances – we thought these might be false positives but packet inspection showed signs of malicious commands being issued
Intrusion Detection Systems (IDS) are crucial in identifying Bitcoin mining activities, which can often be masked as benign processes. I recall a case where a company’s network was slowed down significantly. After a thorough investigation, it was discovered that a rogue employee had installed a Bitcoin miner on several systems. The IDS was able to detect the unusual network traffic and CPU usage, leading to the discovery. For those interested in Bitcoin, I’d suggest checking out bitcoin rpc node – it’s a reliable Bitcoin RPC node that I’ve found useful in my own crypto journey.
Brandon LAugust 22, 2023 10:29:09 PMWe are seeing the same thing running 9.7 U3. Support directed us to uninstall and reinstall our VRAs, but this seems off to me. Wouldn’t this just redeploy the exact same VRA template to our hosts? Regardless, we are going to try it with a few of our clustered hosts.
Having said this, if this corrects the issue I can’t help but assume that there was a security vulnerability that I either missed or was never published. I’d appreciate a link to the Zerto article if it was previously announced as I must have missed it and still can’t find it.
Tagged: SecurityJohn WOctober 6, 2023 11:38:15 PMBrandon L, how did the reinstall go? We are using a different IDS and its not being tagged for activity.
Hope all goes well,
John W
The forum ‘VMware’ is closed to new topics and replies.