Cloud Guard Alert Details
Alert ID: OCI-COMPROMISE-INFRA-7842
Alert Time: 2024-02-10 14:30:15 EST
Severity: CRITICAL (95/100)
Source: Oracle Cloud Guard (OCI Security Platform)
Rule: “Unauthorized Crypto Mining Activity Detected”
MITRE ATT&CK: T1584 – Compromise Infrastructure
Alert Details:
Finding: Compromised compute instance performing cryptocurrency mining
Instance Details:
– Instance Name: dev-build-server-03
– OCID: ocid1.instance.oc1.iad.xxxxxxxxx
– Compartment: Development
– Region: US East (Ashburn)
– Shape: VM.Standard.E3.Flex (16 OCPU, 128GB RAM)
– Launch Time: 2024-01-15
– Compromised Time: Approximately 2024-02-10 08:15 EST (first attacker SSH login)
Anomaly Detection:
– CPU Usage: Normal 15-30% → Now 98% sustained for 6+ hours
– Network Egress: Normal 50MB/day → Now 2.3GB in last hour
– Process List: Unauthorized mining processes detected
– Outbound Connections: Connections to known mining pools
Detected Processes:
– /usr/bin/xmrig (CPU miner)
– /tmp/.systemd/systemd-update (hidden mining process)
– /var/tmp/.ICE-unix/kworker (masquerading as kernel worker)
Network Connections:
– Destination: mining-pool[.]com:3333 (TCP)
– Destination: crypto.usa-west[.]pool:4444 (TCP)
– Destination: 185.143.221[.]89:8080 (C2/Proxy)
User Activity:
– Unauthorized SSH key added: “devops_temp_key”
– New user created: “ubuntu-update”
– Sudoers file modified to grant NOPASSWD to new user
Log Analysis (host auth log and OCI Audit):
– 08:15: SSH login from 185.143.221[.]89 (Bulgaria)
– 08:17: wget download from suspicious domain
– 08:20: Mining software installed
– 08:30: Miner processes relocated and renamed to masquerade as system processes
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Cloud Guard findings | OCI Console, OCI Audit, host logs | Confirmed instance compromised with crypto miner |
| 2. Immediate Containment | Isolate compromised instance | OCI Network Security Groups | Blocked all traffic to/from instance |
| 3. Forensic Analysis | Investigate compromise scope | OCI Logging, CrowdStrike | SSH login from Bulgaria IP using the leaked developer key |
| 4. Credential Review | Check for compromised keys | OCI IAM, Key Management | Developer SSH key compromised; rotated |
| 5. Impact Assessment | Determine data exposure | OCI Audit, Object Storage access logs | No data accessed; only compute used for mining |
| 6. Remediation | Rebuild instance | OCI Compute, Terraform | Instance terminated and rebuilt from clean image |
Jira Incident Report
Ticket: SOC-2024-051
Summary: T1584 – Cloud Infrastructure Compromised for Crypto Mining
Status: RESOLVED
Resolution: MALICIOUS – Cryptojacking
Priority: P1 – HIGH
Labels: T1584, compromise-infrastructure, cloud-security, cryptojacking, oracle-cloud
Components: Cloud-Security, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Oracle Cloud Guard.
- Alert: “Unauthorized Crypto Mining Activity Detected”.
- Instance: dev-build-server-03 (Development environment).
- Time: 2024-02-10 14:30 EST (detected); first attacker login 08:15 EST.
- Technique: MITRE ATT&CK T1584 – Compromise Infrastructure (as tagged by the alert). T1584 describes an adversary acquiring third-party infrastructure for their own operations; from the victim's side the mining activity itself maps to T1496 – Resource Hijacking.
2. Technical Analysis:
- Compromise Details:
- Initial Access: SSH login from 185.143.221[.]89 (Bulgaria) using the developer's leaked private key.
- Vulnerability: Developer SSH private key committed to a public GitHub repo; its weak passphrase offered no real protection once the file was exposed (see Root Cause Analysis).
- Entry Time: 2024-02-10 08:15 EST.
- Dwell Time: ~6 hours (08:15 to 14:30) before detection.
- Attacker Actions:
08:15 – SSH login from malicious IP
08:16 – Added unauthorized SSH key (devops_temp_key)
08:17 – Downloaded mining software from pastebin[.]com/raw/xyz
08:18 – Created user “ubuntu-update” with sudo privileges
08:20 – Installed xmrig miner
08:25 – Modified sudoers file for persistence
08:30 – Started mining processes, hid them as system processes
08:35 – Connected to mining pools
08:35-14:30 – Mining cryptocurrency (Monero)
- Mining Activity:
- Software: XMRig (Monero miner)
- CPU Usage: 98% sustained
- Hash Rate: Approximately 15 KH/s
- Estimated Earnings: ~$50 in 6 hours (at attacker’s wallet)
- Network Traffic: 2.3GB egress attributed to mining pool communications. Caveat: stratum pool traffic is normally low-volume (kilobytes per minute), so the egress breakdown by destination should be confirmed in VCN flow logs before ruling out other outbound activity.
- Persistence Mechanisms:
- Hidden process: /tmp/.systemd/systemd-update
- Masquerading process: /var/tmp/.ICE-unix/kworker
- Cron job: */10 * * * * /tmp/.systemd/systemd-update
- SSH authorized_keys: Added attacker’s public key
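The indicators above (binaries in /tmp and /var/tmp named after system processes, connections on stratum ports, an added authorized key, a NOPASSWD sudoers entry, a cron job) are what a triage pass should pull out of a suspect host. The following is an added example, not code from the original report, Cloud Guard or CrowdStrike. It runs offline over constructed samples of `ps -eo pid,user,args`, `ss -tnp`, authorized_keys, sudoers and crontab output; the approved key and sudo baselines are assumptions standing in for a real inventory.

```python
"""Offline host triage for the indicators in this report.

Added example (not from the report, Cloud Guard or CrowdStrike). Inputs are
constructed samples of `ps -eo pid,user,args`, `ss -tnp`, authorized_keys,
sudoers and crontab; APPROVED_* baselines are assumptions.
"""
import re
from dataclasses import dataclass

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")          # no service should execute from here
KERNEL_THREAD_NAMES = ("kworker", "kthreadd", "ksoftirqd", "kswapd")  # real ones have no on-disk path
SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/systemd", "/bin/systemd")
MINER_NAMES = {"xmrig", "minerd", "cpuminer", "xmr-stak"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}              # 3333/4444 are the ports seen in this case
KNOWN_BAD_IPS = {"185.143.221.89"}                           # attacker IP from the IoC list
NOPASSWD_RE = re.compile(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+NOPASSWD:\s*ALL")


@dataclass(frozen=True)
class Finding:
    source: str
    indicator: str
    detail: str


def scan_processes(ps_lines):
    """Flag known miners, binaries run from scratch dirs, and impostor system names."""
    out = []
    for line in ps_lines[1:]:                                # skip the ps header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _user, args = parts
        exe = args.split()[0]
        name = exe.rsplit("/", 1)[-1]
        if name in MINER_NAMES:
            out.append(Finding("ps", "known-miner", f"pid {pid} {exe}"))
        if not exe.startswith("/"):                          # kernel threads show as [kworker/0:1]
            continue
        if exe.startswith(SCRATCH_DIRS):
            out.append(Finding("ps", "exec-from-scratch-dir", f"pid {pid} {exe}"))
        if name.startswith(KERNEL_THREAD_NAMES) or (
                name.startswith("systemd") and not exe.startswith(SYSTEMD_DIRS)):
            out.append(Finding("ps", "masquerading-system-name", f"pid {pid} {exe}"))
    return out


def scan_connections(ss_lines):
    """Flag peers on stratum ports or in the IoC list (`ss -tnp` output)."""
    out = []
    for line in ss_lines[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        peer = parts[4]
        host, _, port = peer.rpartition(":")
        if not port.isdigit():
            continue
        if int(port) in STRATUM_PORTS:
            out.append(Finding("ss", "stratum-port", peer))
        if host in KNOWN_BAD_IPS:
            out.append(Finding("ss", "known-bad-ip", peer))
    return out


def scan_authorized_keys(lines, approved_comments):
    """Any key whose comment is not in the approved inventory is unexpected."""
    out = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        comment = fields[2] if len(fields) > 2 else "<no comment>"
        if comment not in approved_comments:
            out.append(Finding("authorized_keys", "unapproved-key", comment))
    return out


def scan_sudoers(lines, approved_users):
    """Flag NOPASSWD:ALL grants to anyone outside the baseline."""
    hits = (NOPASSWD_RE.match(l.strip()) for l in lines)
    return [Finding("sudoers", "nopasswd-all", m.group(1)) for m in hits if m and m.group(1) not in approved_users]


def scan_crontab(lines):
    """Flag scheduled commands launched from scratch dirs or naming a known miner."""
    out = []
    for cmd in (l.strip().split(None, 5)[-1] for l in lines if l.strip() and not l.startswith("#")):
        if cmd.startswith(SCRATCH_DIRS) or any(n in cmd for n in MINER_NAMES):
            out.append(Finding("cron", "scratch-dir-or-miner", cmd))
    return out


# Constructed samples (not real captures); paths, user and key comment follow the report.
SAMPLE_PS = """PID USER ARGS
1 root /usr/lib/systemd/systemd --system
14 root [kworker/0:1]
812 root /usr/sbin/sshd -D
4410 root /usr/bin/xmrig -o mining-pool.com:3333
4421 root /tmp/.systemd/systemd-update
4432 root /var/tmp/.ICE-unix/kworker""".splitlines()
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:40112 185.143.221.89:8080 users:(("kworker",pid=4432,fd=3))
ESTAB 0 0 10.0.0.5:40120 203.0.113.10:3333 users:(("xmrig",pid=4410,fd=5))""".splitlines()
SAMPLE_AUTH_KEYS = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... dev-alice@laptop",
                    "ssh-rsa AAAAB3NzaC1yc2E... devops_temp_key"]
SAMPLE_SUDOERS = ["root ALL=(ALL:ALL) ALL", "ubuntu-update ALL=(ALL) NOPASSWD: ALL"]
SAMPLE_CRON = ["*/10 * * * * /tmp/.systemd/systemd-update"]
APPROVED_KEYS = {"dev-alice@laptop"}                         # assumption: team key inventory
APPROVED_SUDO = {"root", "%sudo", "%wheel"}                  # assumption: baseline sudoers


def triage():
    return (scan_processes(SAMPLE_PS) + scan_connections(SAMPLE_SS)
            + scan_authorized_keys(SAMPLE_AUTH_KEYS, APPROVED_KEYS)
            + scan_sudoers(SAMPLE_SUDOERS, APPROVED_SUDO) + scan_crontab(SAMPLE_CRON))
```

Collect these artefacts, and a boot volume backup, before the instance is terminated in the rebuild step; the rebuild destroys them. A legitimate kernel thread appears in `ps` as `[kworker/0:1]` with no path, so any `kworker` that does have an on-disk path is an impostor, which is the check that catches /var/tmp/.ICE-unix/kworker.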
3. Investigation Findings:
- Timeline:
08:15 – Attacker gains access via compromised SSH key
08:15-08:35 – Mining software installed and configured
08:35-14:30 – Cryptomining continues undetected
14:30 – Cloud Guard anomaly detection triggers
14:32 – Instance isolated
14:35 – SOC investigation begins
15:00 – SSH key rotated, compromised user disabled
16:00 – Instance terminated and rebuilt
- Root Cause Analysis:
- Developer SSH key with weak passphrase stored in personal GitHub repo (public).
- Key exposed for 3 days before attack.
- Instance had public IP with SSH open to internet.
- No MFA for SSH access.
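The root cause is a private key that left the developer's machine with only a passphrase standing between it and the attacker. As an added example (not from the original report), the following standard-library scanner finds private keys in any text dump (a repository checkout, a gist, a pasted config) and reads the OpenSSH container header to tell whether the key is encrypted at all and how many bcrypt rounds protect the passphrase. The sample keys it scans are constructed containers with placeholder bytes, not real key material, and the 16-round figure is the ssh-keygen `-a` default.

```python
"""Scan text for committed SSH private keys and report how well each is protected.

Added example, not code from the original report. Only the standard library is
used: the openssh-key-v1 container is parsed directly to read cipher, KDF and
bcrypt round count from its unencrypted header. Sample keys are constructed
containers with placeholder bytes, not real key material.
"""
import base64
import re
import struct
from dataclasses import dataclass

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", re.S)
DEFAULT_ROUNDS = 16   # ssh-keygen -a default; fewer rounds make offline passphrase cracking cheaper


@dataclass(frozen=True)
class KeyFinding:
    kind: str        # "openssh", "pkcs8", "rsa", "ec", ...
    encrypted: bool
    detail: str


def _read_string(buf, off):
    """SSH wire 'string': uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_blob(blob):
    """Return (cipher, kdf, rounds, key_type) from the cleartext header of an openssh-key-v1 blob."""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_string(blob, len(magic))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    off += 4                                   # uint32 number of keys (one per file in practice)
    pub, _ = _read_string(blob, off)
    key_type, _ = _read_string(pub, 0)         # the public key blob starts with its type string
    rounds = None
    if kdf == b"bcrypt":                       # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return cipher.decode(), kdf.decode(), rounds, key_type.decode()


def find_private_keys(text, min_rounds=DEFAULT_ROUNDS):
    findings = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        if label == "OPENSSH PRIVATE KEY":
            try:
                cipher, kdf, rounds, ktype = parse_openssh_blob(base64.b64decode("".join(body.split())))
            except (ValueError, struct.error):
                findings.append(KeyFinding("openssh", False, "malformed container; treat as exposed"))
                continue
            if cipher == "none":
                findings.append(KeyFinding("openssh", False, f"{ktype} without passphrase"))
            else:
                note = f"{ktype} {cipher}/{kdf} rounds={rounds}"
                if rounds is not None and rounds < min_rounds:
                    note += f" (below the ssh-keygen default of {min_rounds}; cheap to brute-force offline)"
                findings.append(KeyFinding("openssh", True, note))
        elif label == "ENCRYPTED PRIVATE KEY":
            findings.append(KeyFinding("pkcs8", True, "PKCS#8, encrypted"))
        elif label == "PRIVATE KEY":
            findings.append(KeyFinding("pkcs8", False, "PKCS#8 without passphrase"))
        elif label.endswith("PRIVATE KEY"):
            enc = "Proc-Type: 4,ENCRYPTED" in body    # legacy PEM: MD5-derived key, single iteration
            findings.append(KeyFinding(label.split()[0].lower(), enc,
                                       "legacy PEM, MD5-based KDF" if enc else "legacy PEM without passphrase"))
    return findings


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_openssh_pem(cipher, kdf, rounds, key_type=b"ssh-ed25519"):
    """Constructed openssh-key-v1 container with PLACEHOLDER key bytes (only the header is meaningful)."""
    kdfopts = (_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    pub = _string(key_type) + _string(b"\x00" * 32)
    blob = (b"openssh-key-v1\x00" + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(pub) + _string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed repo content: notes plus four committed keys in different states of protection.
SAMPLE_REPO = (
    "# deploy notes\nexport OCI_REGION=us-ashburn-1\n"
    + build_openssh_pem(b"none", b"none", 0)            # no passphrase at all
    + build_openssh_pem(b"aes256-ctr", b"bcrypt", 16)   # passphrase, default KDF cost
    + build_openssh_pem(b"aes256-ctr", b"bcrypt", 1)    # passphrase, trivially low KDF cost
    + "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for k in find_private_keys(SAMPLE_REPO):
        print(f"{k.kind:8} encrypted={k.encrypted!s:5} {k.detail}")
```

Any private key that has appeared in a public repository should be treated as compromised and rotated regardless of what the scanner reports: an encrypted key only buys time, and a weak passphrase or a low round count makes that time short.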
- Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– Mining Pools: mining-pool[.]com:3333, crypto.usa-west[.]pool:4444
– Download URL: pastebin[.]com/raw/xyz
Files:
– /usr/bin/xmrig (SHA256: 7a8b9c0d1e2f…)
– /tmp/.systemd/systemd-update
– /var/tmp/.ICE-unix/kworker
Users:
– ubuntu-update (unauthorized)
– SSH key: “devops_temp_key” added to authorized_keys
4. Containment Actions:
- Immediate Containment (14:32-14:45 EST):
- Isolated instance via OCI Network Security Groups.
- Blocked all inbound/outbound traffic.
- Terminated active SSH sessions.
- Credential Remediation (14:45-15:30 EST):
- Rotated all SSH keys for the compromised developer.
- Disabled compromised user account pending investigation.
- Reviewed all SSH keys in development environment.
- Instance Remediation (15:30-16:00 EST):
- Terminated compromised instance.
- Launched new instance from clean image.
- Applied security hardening (SSH key-only, MFA, restricted IPs).
5. Business Impact:
- Financial Impact: ~$150 in cloud compute costs for mining (plus investigation time).
- Operational Impact: Development build server offline for 2 hours.
- Data Exposure: No customer or sensitive data accessed.
- Reputational Impact: None.
6. Remediation & Prevention:
Completed Actions:
Compromised instance terminated and rebuilt.
SSH keys rotated.
IOCs added to blocklists.
Developer educated on key security.
Technical Controls Enhanced:
Implemented MFA for all SSH access.
Restricted SSH to corporate VPN only (no public exposure).
Deployed CrowdStrike Falcon on all cloud instances.
Enhanced Cloud Guard rules for cryptomining detection.
Implemented automated instance isolation on anomaly detection.
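The SSH hardening listed above (key-only authentication, MFA, no public exposure) is mostly a handful of sshd_config directives plus a PAM module for the second factor. As an added example, not from the original report, the following audits an sshd_config against that baseline and shows a weak configuration beside the hardened one. Both configurations are constructed; the access group name and the use of keyboard-interactive for the second factor are assumptions, and source-IP restriction is left to the VPN/NSG layer the report describes, so it is not checked here.

```python
"""Audit an sshd_config against the post-incident SSH baseline.

Added example, not code from the original report. It models the sshd_config
semantics an auditor must respect: keywords are case-insensitive, the FIRST
occurrence of a keyword wins, and lines after the first Match block are
conditional. Both configs below are constructed; the baseline requires explicit
values rather than relying on compiled-in defaults.
"""
import re

# keyword -> (acceptable values, value to recommend)
BASELINE = {
    "passwordauthentication": ({"no"}, "no"),
    "permitemptypasswords": ({"no"}, "no"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password"}, "no"),
    "usepam": ({"yes"}, "yes"),
    "kbdinteractiveauthentication": ({"yes"}, "yes"),   # carries the PAM second factor (assumption)
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # pre-OpenSSH 8.7 spelling


def parse_sshd_global(text):
    """Return {keyword: value} for the global section, honouring first-occurrence-wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                                   # conditional blocks start here
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def requires_two_factors(methods):
    """AuthenticationMethods lists alternatives separated by spaces; each alternative is a
    comma-separated chain that must all succeed. Require publickey plus one more in every alternative."""
    if not methods:
        return False
    return all("publickey" in alt.split(",") and len(alt.split(",")) >= 2 for alt in methods.split())


def audit_sshd_config(text):
    """Return a list of (keyword, actual, expected) findings; an empty list means compliant."""
    cfg = parse_sshd_global(text)
    findings = []
    for key, (ok, want) in BASELINE.items():
        actual = cfg.get(key, "<unset>")
        if actual.lower() not in ok:
            findings.append((key, actual, want))
    methods = cfg.get("authenticationmethods", "<unset>")
    if not requires_two_factors(cfg.get("authenticationmethods", "")):
        findings.append(("authenticationmethods", methods, "publickey,keyboard-interactive"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("allowgroups", "<unset>", "<an SSH access group>"))
    tries = cfg.get("maxauthtries", "<unset>")
    if not tries.isdigit() or int(tries) > 3:
        findings.append(("maxauthtries", tries, "3"))
    return findings


WEAK_CONFIG = """# constructed: roughly the pre-incident state (password logins on, root allowed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
"""

HARDENED_CONFIG = """# constructed: key + PAM second factor, no passwords, no root, bounded retries
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowGroups dev-ssh
MaxAuthTries 3
LoginGraceTime 30
# Later Match blocks are conditional and do not affect the global audit
Match Group build-agents
    AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "compliant")
```

The audit is deliberately strict about unset keywords: a hardened baseline states its values explicitly so that a distro default changing underneath it does not silently reopen password logins.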
7. Conclusion:
This incident involved the compromise of a cloud development server via an exposed SSH key, leading to cryptomining. The attacker gained access through a key leaked on GitHub and used the instance for Monero mining. Rapid detection by Cloud Guard and containment minimized impact.
Closure Rationale: Instance remediated; security controls enhanced; no data breach.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 17:00 EST