The EGI CSIRT has recently had several reports of malicious activities, where parts of infrastructures have been infected with cryptomining software. Crypto miners are tools that generate cryptocurrency, like Bitcoin. As these can generate profit relatively easily, it makes them very alluring for many people. Cryptomining software can be installed for example to container platforms and virtual or physical computers which are compromised or exposed to public with too open settings. There are also tools that run on client side, for example on web browsers, using JavaScript.

How can you recognize crypto miners?

A common way to detect a crypto miner running in your infrastructure is the load they generate. Cryptocurrency relies on computationally intensive calculations which may be detected, if you have proper monitoring in place. In the HPC and grid context this can be harder to detect, because the nodes are usually under a high load.

Another possible way of detection is analysis of network traffic. Yet, it may be difficult to distinguish this traffic from other types of communications.

Also files, processes and other irregularities linked to crypto miners present in the infected system might give clues of their existence.

How to protect yourself against crypto miners?

Keep your services updated and properly configured. Ensure, that services are only accessible for known and authenticated users. In case prevention fails, have proper monitoring and logging in place to detect and analyze what is happening and how the initial foothold was gained. If there is a crypto miner running, it is always possible that some other malware is planted there as well.