Workload executed a binary with cryptomining configuration data

Description

A workload spawned a process that executed unique arguments linked with Bitcoin or other cryptocurrency-mining related activity.

Attackers often compromise cloud infrastructure to deploy high-capacity compute resources to mine cryptocurrency. These compromises negatively impact business costs and the availability of resources.

Remediation

  1. Contain the incident by isolating or terminating the resource. Consider snapshotting to enable further analysis.
  2. Review the associated vulnerabilities and misconfigurations on the resource to determine the root cause for the compromise
  3. Patch or fix the vulnerabilities and misconfigurations on the relevant infrastructure deployment mechanism (Terraform, helm, etc) or apply the most recent software patch available to prevent future continual compromise.
  4. Reference the AWS Incident Response Playbook for cryptomining for further guidance.

Requires agent version 7.27 or greater