Cloud Guard Alert Details
Alert ID: OCI-COMPROMISE-INFRA-7842
Alert Time: 2024-02-10 14:30:15 EST
Severity: CRITICAL (95/100)
Source: Oracle Cloud Guard (OCI Security Platform)
Rule: “Unauthorized Crypto Mining Activity Detected”
MITRE ATT&CK: T1584 – Compromise Infrastructure (as mapped by the rule; the mining itself is T1496 Resource Hijacking and the renamed binaries are T1036 Masquerading)
Alert Details:
Finding: Compromised compute instance performing cryptocurrency mining
Instance Details:
– Instance Name: dev-build-server-03
– OCID: ocid1.instance.oc1.iad.xxxxxxxxx
– Compartment: Development
– Region: US East (Ashburn)
– Shape: VM.Standard.E3.Flex (16 OCPU, 128GB RAM)
– Launch Time: 2024-01-15
– Compromised Time: Approximately 2024-02-10 08:00 EST
Anomaly Detection:
– CPU Usage: Normal 15-30% → Now 98% sustained for 6+ hours
– Network Egress: Normal 50MB/day → Now 2.3GB in last hour
– Process List: Unauthorized mining processes detected
– Outbound Connections: Connections to known mining pools
Detected Processes:
– /usr/bin/xmrig (CPU miner)
– /tmp/.systemd/systemd-update (hidden mining process)
– /var/tmp/.ICE-unix/kworker (masquerading as kernel worker)
Network Connections:
– Destination: mining-pool[.]com:3333 (TCP)
– Destination: crypto.usa-west[.]pool:4444 (TCP)
– Destination: 185.143.221[.]89:8080 (C2/Proxy)
User Activity:
– Unauthorized SSH key added: “devops_temp_key”
– New user created: “ubuntu-update”
– Sudoers file modified to grant NOPASSWD to new user
Log Analysis (instance auth logs and OCI Audit):
– 08:15: SSH login from 185.143.221[.]89 (Bulgaria) using the developer's key
– 08:17: wget download from pastebin[.]com/raw/xyz
– 08:20: Mining software (xmrig) installed
– 08:30: Mining binaries copied to /tmp and /var/tmp under system-looking names
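The sustained-anomaly logic behind the alert above, as an added example (not Oracle Cloud Guard code; the baselines are taken from the alert, the hourly samples and thresholds are constructed). It also covers the case the alert does not show: a legitimate build job that pins CPU without the egress, which the same rule leaves alone.

```python
"""Sustained-anomaly rule of the kind that raised this alert.

Added example, not Oracle Cloud Guard code. Baselines come from the alert
(CPU 15-30%, egress ~50 MB/day); the hourly samples are constructed. The rule
fires only when high CPU AND an egress multiple persist for a run of samples,
so a long build (CPU pinned, little network) stays quiet while a miner
talking to a pool does not.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    ts: datetime
    cpu_pct: float      # mean CPU utilisation over the hour
    egress_mb: float    # bytes sent during the hour, in MB


BASELINE_EGRESS_MB_PER_HOUR = 50.0 / 24   # ~2.1 MB/h, from "50MB/day"


def is_anomalous(s: Sample, cpu_threshold: float = 90.0,
                 egress_factor: float = 20.0) -> bool:
    """Both signals must be abnormal in the same sample."""
    high_cpu = s.cpu_pct >= cpu_threshold
    high_egress = s.egress_mb >= egress_factor * BASELINE_EGRESS_MB_PER_HOUR
    return high_cpu and high_egress


def first_sustained_anomaly(samples: Iterable[Sample],
                            min_consecutive: int = 6) -> Optional[datetime]:
    """Timestamp of the sample completing the first run of `min_consecutive`
    anomalous samples; None if the condition never persists that long."""
    run = 0
    for s in sorted(samples, key=lambda x: x.ts):
        run = run + 1 if is_anomalous(s) else 0
        if run == min_consecutive:
            return s.ts
    return None


def hourly(start: datetime, values: List[Tuple[float, float]]) -> List[Sample]:
    """One Sample per hour from (cpu_pct, egress_mb) pairs."""
    return [Sample(start + timedelta(hours=i), cpu, eg)
            for i, (cpu, eg) in enumerate(values)]


DAY = datetime(2024, 2, 10)

# Constructed: the incident day. Quiet until 08:00, install ramp at 08:00,
# then 98% CPU and ~2.3 GB/h of pool traffic from 09:00 onwards.
MINER_DAY = hourly(DAY, [(20.0, 2.0)] * 8 + [(70.0, 40.0)] + [(98.0, 2300.0)] * 7)

# Constructed: a benign overnight build. CPU pinned for 9 hours, almost no
# egress, so the AND rule does not fire.
BUILD_DAY = hourly(DAY, [(98.0, 5.0)] * 9 + [(20.0, 2.0)] * 7)


if __name__ == "__main__":
    print("miner day:", first_sustained_anomaly(MINER_DAY))   # 2024-02-10 14:00:00
    print("build day:", first_sustained_anomaly(BUILD_DAY))   # None
```

With min_consecutive=6 (the "6+ hours" in the alert) the rule completes its run at 14:00 on the constructed incident day, close to the 14:30 alert time; tightening it to one sample moves detection to 09:00 at the cost of firing on short bursts.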
SOC Investigation Process

Step                     | Action                       | Tools Used                      | Findings
1. Alert Validation      | Verify Cloud Guard findings  | OCI Console, OCI Audit          | Confirmed instance compromised with crypto miner
2. Immediate Containment | Isolate compromised instance | OCI Network Security Groups     | Blocked all traffic to/from instance
3. Forensic Analysis     | Investigate compromise scope | OCI Logging, CrowdStrike Falcon | Initial SSH login from Bulgarian IP using leaked developer key
4. Credential Review     | Check for compromised keys   | OCI IAM, Key Management         | Developer SSH key compromised; rotated
5. Impact Assessment     | Determine data exposure      | OCI Audit, Object Storage logs  | No data accessed; only compute used for mining
6. Remediation           | Rebuild instance             | OCI Compute, Terraform          | Instance terminated and rebuilt from clean image
Jira Incident Report
Ticket: SOC-2024-051
Summary: T1584 – Cloud Infrastructure Compromised for Crypto Mining
Status: RESOLVED
Resolution: MALICIOUS – Cryptojacking
Priority: P1 – HIGH
Labels: T1584, compromise-infrastructure, cloud-security, cryptojacking, oracle-cloud
Components: Cloud-Security, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Oracle Cloud Guard.
Alert: “Unauthorized Crypto Mining Activity Detected”.
Instance: dev-build-server-03 (Development environment).
Time: 2024-02-10 14:30 EST (detected), compromise began 08:00 EST.
Technique: MITRE ATT&CK T1584 – Compromise Infrastructure (the mining itself is T1496 Resource Hijacking).
2. Technical Analysis:
Compromise Details:
Initial Access: SSH login from 185.143.221[.]89 (Bulgaria) using a leaked developer private key whose weak passphrase had been brute-forced offline.
Vulnerability: developer private key committed to a public personal GitHub repository; SSH reachable from the internet on the instance's public IP; no second factor.
Entry Time: 2024-02-10 08:15 EST.
Dwell Time: ~6 hours (08:15 to 14:30) before detection.
Attacker Actions:
08:15 – SSH login from malicious IP
08:16 – Added unauthorized SSH key (devops_temp_key)
08:17 – Downloaded mining software from pastebin[.]com/raw/xyz
08:18 – Created user “ubuntu-update” with sudo privileges
08:20 – Installed xmrig miner
08:25 – Modified sudoers file for persistence
08:30 – Started mining processes, hid them as system processes
08:35 – Connected to mining pools
08:35-14:30 – Mining cryptocurrency (Monero)
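Reconstructing the attacker-action timeline above from host logs, as an added example (not part of the original report). The log lines are constructed in Ubuntu /var/log/auth.log format to mirror the listed actions; the login account "developer", the key fingerprints, the corporate source range 203.0.113.0/24 and the year are assumptions for the example.

```python
"""Rebuild the attacker timeline from sshd, useradd, usermod and sudo log lines.

Added example, not part of the original report. The lines below are constructed
in Ubuntu /var/log/auth.log format to mirror the actions listed above. Assumed
for the example: the login account "developer", the key fingerprints, the
corporate source range 203.0.113.0/24, and the year (syslog omits it).
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

SYSLOG = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<proc>[\w\-\./]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
USERADD = re.compile(r"new user: name=(?P<user>[^,]+)")
USERMOD = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO = re.compile(r"(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    detail: str
    suspicious: bool


def parse_line(line: str, year: int) -> Optional[Event]:
    """Return an Event for the line types we care about, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    proc, msg = m["proc"], m["msg"]
    if proc == "sshd" and (a := ACCEPTED.search(msg)):
        ip = ipaddress.ip_address(a["ip"])
        foreign = not any(ip in net for net in APPROVED_NETS)
        return Event(ts, "login", f"{a['user']} via {a['method']} from {ip}", foreign)
    if proc == "useradd" and (u := USERADD.search(msg)):
        return Event(ts, "user_created", u["user"], True)   # no manual user adds expected on this host
    if proc == "usermod" and (g := USERMOD.search(msg)):
        return Event(ts, "group_add", f"{g['user']} -> {g['group']}", g["group"] in ADMIN_GROUPS)
    if proc == "sudo" and (s := SUDO.search(msg)):
        cmd = s["cmd"]
        bad = "/etc/sudoers" in cmd or any(d in cmd for d in WRITABLE_DIRS)
        return Event(ts, "sudo", f"{s['user']}: {cmd}", bad)
    return None


def timeline(lines: List[str], year: int = 2024) -> List[Event]:
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    return sorted(events, key=lambda e: e.ts)


def first_foreign_login(events: List[Event]) -> Optional[Event]:
    """First accepted login from outside APPROVED_NETS: the initial-access pivot."""
    return next((e for e in events if e.kind == "login" and e.suspicious), None)


# Constructed auth.log excerpt (attacker IP from the alert; everything else invented).
AUTH_LOG = """\
Feb 10 07:02:11 dev-build-server-03 sshd[1988]: Accepted publickey for developer from 203.0.113.17 port 40112 ssh2: ED25519 SHA256:CorpKeyFingerprintPlaceholder
Feb 10 08:15:02 dev-build-server-03 sshd[2312]: Accepted publickey for developer from 185.143.221.89 port 51022 ssh2: RSA SHA256:LeakedKeyFingerprintPlaceholder
Feb 10 08:15:02 dev-build-server-03 sshd[2312]: pam_unix(sshd:session): session opened for user developer by (uid=0)
Feb 10 08:18:40 dev-build-server-03 useradd[2401]: new user: name=ubuntu-update, UID=1002, GID=1002, home=/home/ubuntu-update, shell=/bin/bash
Feb 10 08:18:41 dev-build-server-03 usermod[2405]: add 'ubuntu-update' to group 'sudo'
Feb 10 08:25:10 dev-build-server-03 sudo:   developer : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tee -a /etc/sudoers
Feb 10 08:30:05 dev-build-server-03 sudo:   developer : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/nohup /tmp/.systemd/systemd-update
Feb 10 09:00:01 dev-build-server-03 CRON[2601]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()


if __name__ == "__main__":
    for e in timeline(AUTH_LOG):
        print(f"{e.ts:%H:%M:%S} {'!' if e.suspicious else ' '} {e.kind:13} {e.detail}")
```

The 07:02 login from the corporate range is reported but not flagged; the 08:15 login with the same account from the Bulgarian IP is, which is what lets the analyst separate the legitimate developer session from the attacker's use of the same key.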
Mining Activity:
Software: XMRig (Monero miner)
CPU Usage: 98% sustained
Hash Rate: Approximately 15 KH/s (RandomX on 16 OCPU)
Estimated Earnings: negligible for the attacker; at early-2024 Monero network difficulty a 15 KH/s miner earns well under $1 per day, so the victim's compute bill and analyst time far exceed the proceeds
Network Traffic: 2.3GB egress (mining pool communications)
Persistence Mechanisms:
Hidden process: /tmp/.systemd/systemd-update
Masquerading process: /var/tmp/.ICE-unix/kworker
Cron job: */10 * * * * /tmp/.systemd/systemd-update
SSH authorized_keys: Added attacker’s public key
3. Investigation Findings:
Timeline:
08:15 – Attacker gains access via compromised SSH key
08:15-08:35 – Mining software installed and configured
08:35-14:30 – Cryptomining continues undetected
14:30 – Cloud Guard anomaly detection triggers
14:32 – Instance isolated
14:35 – SOC investigation begins
15:00 – SSH key rotated, compromised user disabled
16:00 – Instance terminated and rebuilt
Root Cause Analysis:
Developer SSH key with weak passphrase stored in personal GitHub repo (public).
Key exposed for 3 days before attack.
Instance had public IP with SSH open to internet.
No MFA for SSH access.
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– Mining Pools: mining-pool[.]com:3333, crypto.usa-west[.]pool:4444
– Download URL: pastebin[.]com/raw/xyz
Files:
– /usr/bin/xmrig (SHA256: 7a8b9c0d1e2f…)
– /tmp/.systemd/systemd-update
– /var/tmp/.ICE-unix/kworker
Users:
– ubuntu-update (unauthorized)
– SSH key: “devops_temp_key” added to authorized_keys
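Host-side triage for the IoC classes above (world-writable execution paths, kernel-thread masquerades, known miner binaries, cron persistence, foreign authorized_keys entries, NOPASSWD sudoers, stratum-port and C2 connections), as an added example that is not from the original report or any vendor tool. Inputs are constructed text in the shape of ps, crontab -l, authorized_keys, /etc/sudoers and ss -tnp output; the approved key comments, the approved NOPASSWD users and the pool IP 198.51.100.77 are assumptions for the example, the attacker IP is from the alert.

```python
"""Host triage for the IoC classes listed in the report (added example, not
from the original report or any vendor tool). Inputs are constructed text
shaped like `ps -eo pid,ppid,user,comm,args`, `crontab -l`,
`~/.ssh/authorized_keys`, `/etc/sudoers` and `ss -tnp`. Allow-lists and the
pool IP 198.51.100.77 are assumptions; the attacker IP is from the alert.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KERNEL_THREAD_NAMES = ("kworker", "kthreadd", "ksoftirqd", "migration", "rcu_")
MINER_NAMES = ("xmrig", "minerd", "cpuminer", "xmr-stak", "kdevtmpfsi")
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
APPROVED_KEY_COMMENTS = {"developer@corp-laptop"}   # assumed
APPROVED_NOPASSWD_USERS = {"opc", "ubuntu"}          # assumed image defaults
NOPASSWD = re.compile(r"^(?P<who>\S+)\s+ALL=\(ALL(?::ALL)?\)\s+NOPASSWD:\s*ALL")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def check_processes(ps_lines: List[str]) -> List[Finding]:
    """Real kernel threads have PPID 2 and bracketed args, e.g. [kworker/0:1];
    a 'kworker' with a filesystem path is a masquerade (T1036)."""
    out = []
    for line in ps_lines[1:]:                           # skip header
        pid, ppid, _user, comm, args = line.split(None, 4)
        exe = args.split()[0]
        if exe.startswith(WRITABLE_DIRS):
            out.append(Finding("exec_from_writable_dir", f"pid {pid} {exe}"))
        if comm.startswith(KERNEL_THREAD_NAMES) and not (ppid == "2" and args.startswith("[")):
            out.append(Finding("kernel_thread_masquerade", f"pid {pid} {args}"))
        if any(n in exe.lower() for n in MINER_NAMES):
            out.append(Finding("known_miner_binary", f"pid {pid} {exe}"))
    return out


def check_crontab(lines: Iterable[str]) -> List[Finding]:
    """Flag jobs that run from world-writable dirs or pipe a download into a shell."""
    out = []
    for line in lines:
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        cmd = fields[5]
        if any(d in cmd for d in WRITABLE_DIRS) or re.search(r"(curl|wget)[^|]*\|\s*(ba)?sh", cmd):
            out.append(Finding("suspicious_cron", cmd))
    return out


def check_authorized_keys(lines: Iterable[str]) -> List[Finding]:
    """Anything whose comment is not on the approved list is reported."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        comment = parts[2] if len(parts) > 2 else "<no comment>"
        if comment not in APPROVED_KEY_COMMENTS:
            out.append(Finding("unapproved_authorized_key", comment))
    return out


def check_sudoers(lines: Iterable[str]) -> List[Finding]:
    out = []
    for line in lines:
        m = NOPASSWD.match(line.strip())
        if m and m["who"] not in APPROVED_NOPASSWD_USERS:
            out.append(Finding("nopasswd_sudo", m["who"]))
    return out


def check_connections(ss_lines: List[str], bad_ips: FrozenSet[str]) -> List[Finding]:
    out = []
    for line in ss_lines[1:]:                           # skip header
        parts = line.split()
        if len(parts) < 5:
            continue
        peer = parts[4]
        host, _, port = peer.rpartition(":")
        if port.isdigit() and int(port) in STRATUM_PORTS:
            out.append(Finding("stratum_port_connection", peer))
        if host in bad_ips:
            out.append(Finding("known_bad_ip", peer))
    return out


# --- constructed inputs mirroring the alert ---
PS = """PID PPID USER COMM ARGS
1 0 root systemd /sbin/init
17 2 root kworker/0:1 [kworker/0:1]
842 1 root sshd /usr/sbin/sshd -D
2450 1 ubuntu-update xmrig /usr/bin/xmrig -o mining-pool.com:3333 -u WALLET_PLACEHOLDER
2470 1 root systemd-update /tmp/.systemd/systemd-update
2480 1 root kworker /var/tmp/.ICE-unix/kworker --daemon""".splitlines()
CRON = ["# m h dom mon dow command", "0 3 * * * /usr/local/bin/backup.sh",
        "*/10 * * * * /tmp/.systemd/systemd-update"]
KEYS = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderCorpKey developer@corp-laptop",
        "ssh-rsa AAAAB3NzaC1yc2EPlaceholderAttackerKey devops_temp_key"]
SUDOERS = ["root ALL=(ALL:ALL) ALL", "%sudo ALL=(ALL:ALL) ALL",
           "ubuntu ALL=(ALL) NOPASSWD:ALL", "ubuntu-update ALL=(ALL) NOPASSWD:ALL"]
SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.1.23:22 203.0.113.17:40112 users:(("sshd",pid=1988,fd=4))
ESTAB 0 0 10.0.1.23:51044 185.143.221.89:8080 users:(("systemd-update",pid=2470,fd=3))
ESTAB 0 0 10.0.1.23:51060 198.51.100.77:3333 users:(("xmrig",pid=2450,fd=5))""".splitlines()
ATTACKER_IPS = frozenset({"185.143.221.89"})   # from the alert


def triage() -> List[Finding]:
    return (check_processes(PS) + check_crontab(CRON) + check_authorized_keys(KEYS)
            + check_sudoers(SUDOERS) + check_connections(SS, ATTACKER_IPS))


if __name__ == "__main__":
    for f in triage():
        print(f"{f.category:28} {f.detail}")
```

The kernel-thread check is the one worth keeping in a real playbook: a genuine [kworker/0:1] has PPID 2 and no path, so the rule flags /var/tmp/.ICE-unix/kworker without producing noise on every host. The authorized_keys check assumes plain key lines; entries prefixed with options such as from= shift the fields and need a tolerant parser.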
4. Containment Actions:
Immediate Containment (14:32-14:45 EST):
Isolated instance via OCI Network Security Groups.
Blocked all inbound/outbound traffic.
Terminated active SSH sessions.
Credential Remediation (14:45-15:30 EST):
Rotated all SSH keys for the compromised developer.
Disabled compromised user account pending investigation.
Reviewed all SSH keys in development environment.
Instance Remediation (15:30-16:00 EST):
Terminated compromised instance.
Launched new instance from clean image.
Applied security hardening (SSH key-only, MFA, restricted IPs).
5. Business Impact:
Financial Impact: direct compute cost negligible (the instance was already running on a fixed-price shape and 2.3 GB of egress is within OCI's free monthly allowance); the real cost was analyst investigation and rebuild time.
Operational Impact: Development build server offline for about 1.5 hours (isolated 14:32, rebuilt 16:00).
Data Exposure: No customer or sensitive data accessed.
Reputational Impact: None.
6. Remediation & Prevention:
Completed Actions:
Compromised instance terminated and rebuilt.
SSH keys rotated.
IOCs added to blocklists.
Developer educated on key security.
Technical Controls Enhanced:
Implemented MFA for all SSH access.
Restricted SSH to corporate VPN only (no public exposure).
Extended CrowdStrike Falcon coverage to all cloud instances.
Enhanced Cloud Guard rules for cryptomining detection.
Implemented automated instance isolation on anomaly detection.
7. Conclusion:
This incident involved the compromise of a cloud development server via an exposed SSH key, leading to cryptomining. The attacker gained access through a key leaked on GitHub and used the instance for Monero mining. Rapid detection by Cloud Guard and containment minimized impact.
Closure Rationale: Instance remediated; security controls enhanced; no data breach.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 17:00 EST