Protect against cryptojacking
Expel-validated security alerts and guided investigative actions
Cryptojacking … the who, what, and why.
Cybercriminals: they’re always looking for new ways to make money. We often hear about holding data or systems for ransom. But what about cryptojacking? It’s when a threat actor steals your organization’s computing resources/power and uses it to mine various crypto-currency blockchains. The bad news: it can slow your network way down, and even shut down critical processes.
The attack can be pretty straightforward – no need to escalate privileges or move laterally to get to the host with the secret they need. As our end-of-year report indicated, 35% of the web application compromise incidents we saw in 2021 resulted in deployment of various cryptocurrency coin miners. It’s a sweet gig for the bad guys, too: after the miner is deployed, they can sit back, relax, and watch the money pile up.
How do they get in? Public application exploitation. Access key compromise. Phishing emails. USB devices. These are just some of the ways. And the list grows every year.
What are your biggest cryptojacking prevention challenges?
I need to know if coin miners are installed.
I need visibility (ideally EDR) into host activity that could be coin miner entry points.
I need a “playbook” for coin miner investigating and fixing.
I need recommendations to proactively mitigate exploitations used for cryptojacking.
How Expel spots cryptojacking attacks
We set up alerts for process command line arguments, strange process lineages, and network connections to well-known cryptojacking pool domains or to access cryptojacking utilities through multiple detection sources like EDR. We look for behavioral patterns. Then our bots, Josie™ and Ruxie™, get to work and automatically enrich and triage alerts, surfacing up Expel-validated alerts. We notify you of alerts that matter and will automatically remediate the incident (unless you prefer to handle remediations yourself).
- Reduce risk. We detect cryptojacking attacks fast so your business doesn’t slow down
- Maximize ROI. We leverage existing detection sources in your environment to detect cryptojacking
- Improve Security Posture. We recommend resilience measures to mitigate future attacks
Cryptojacking protection: Identify and remediate compromised accounts and access, unusual behavior and more.
Fortunately, attacker entry points for cryptojacking overlap with those for other threat types like ransomware, so focused efforts to reduce your cryptojacking attack surface can help protect against multiple problems.
The biggest value of Workbench™ is the automated correlation of ancillary data and information into the investigation. It's both beautiful and accessible. Having that context at my fingertips is saving me hours of investigation that I would have had to do on my own. ”
⎯Viren Shah | Director of Engineering
I was able to share context about our environment right in Workbench, which Expel D&R engineers could use to filter and approve access. Expel is really on top of our custom requirements for our environment.”
⎯Detection & Response Manager
Related Resources
Detecting Coin Miners with Palo Alto Networks NGFW
With cryptojacking on the rise, we walk through why we’ve found Palo Alto Networks next-generation firewall is great at detecting it, and some actions we’ve integrated into our detection bot to help.
Annual Threat Report 2024
Expel’s Annual Threat Report 2024 takes real-life cybersecurity lessons learned and transforms them into actionable insights for security operators.
Videos
Inside an Expel response
See why our median alert-to-fix timelines are shorter than the time it takes to deliver a pizza.
