At the 60th Jubilee of IBM Hursley we demoed “Spot and Stop Cryptojackers” at the annual Festival of Innovation. It was an opportunity to showcase the power of QRadar, and also to see the breadth of IBM’s technology. The vast array of technology intrigued me, particularly the use cases in areas such as Artificial Intelligence, Machine Learning, Data Analytics, IoT, Cloud and Security.

In our demo, we explore how IBM’s QRadar can spot and stop cryptojacking in cloud computing offerings such as Amazon Web Services (AWS). QRadar is industry-leading Security Information and Event Management (SIEM) software, which provides log and flow aggregation and vulnerability and risk assessment, with out-of-the-box “rules” for detecting behavioural and threshold-related anomalies.

Fig 1.0: Exploiting AWS credentials to create a crypto-mining “farm”

Above is the workflow of how such an attack might play out. Let’s take a classic phishing email as an example:

(1) The attacker phishes the user with a convincing email, with the purpose of obtaining AWS credentials.

(3) The attacker creates a cloud-based mining rig, spawning hundreds of EC2 instances to execute mining scripts, or to load browsers that access a compromised site.

(4) Cryptomining hashes are sent to an intermediary such as CoinHive, which validates the transactions and transfers the proceeds into an anonymous wallet.

(5) The attacker moves the funds into an anonymous wallet and withdraws them as fiat currency via an exchange.
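The step the SIEM is best placed to catch is (3): one compromised identity suddenly launching far more EC2 instances than its normal behaviour warrants. The script below is an added example of the kind of threshold rule QRadar applies, not code from the demo or from IBM. It assumes that EC2 launch activity is available as AWS CloudTrail `RunInstances` records (CloudTrail is not mentioned on the page; the field names follow CloudTrail but the records themselves are constructed and simplified), and it flags any IAM user whose requested instance count within a sliding window exceeds a fixed threshold.

```python
"""Threshold detection for burst EC2 launches over CloudTrail-style records.

Added example modelled on a SIEM threshold rule; not the demo's own code.
Assumptions: launch activity is delivered as one JSON RunInstances record
per line, with the instance count carried in requestParameters.instancesSet
(simplified from real CloudTrail); the sample records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(user, minute, count, source_ip):
    """Build one constructed, simplified CloudTrail-style RunInstances record."""
    return {
        "eventTime": f"2019-06-01T10:{minute:02d}:00Z",
        "eventName": "RunInstances",
        "eventSource": "ec2.amazonaws.com",
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {
            "instancesSet": {"items": [{"minCount": count, "maxCount": count}]}
        },
    }


# Constructed sample log: a normal admin launching a couple of instances,
# then a phished identity ("bob") issuing 12 launch calls of 10 instances
# each within twelve minutes, the pattern of a mining farm being spun up.
SAMPLE_LOG = "\n".join(
    json.dumps(e)
    for e in (
        [_event("alice", 0, 1, "198.51.100.10"), _event("alice", 30, 2, "198.51.100.10")]
        + [_event("bob", m, 10, "203.0.113.77") for m in range(5, 17)]
    )
)


def parse_events(raw):
    """Parse newline-delimited JSON and keep only RunInstances calls."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("eventName") != "RunInstances":
            continue
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        requested = sum(int(item.get("maxCount", 1)) for item in items)
        events.append(
            {
                "user": rec.get("userIdentity", {}).get("userName", "unknown"),
                "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                "instances": requested,
                "ip": rec.get("sourceIPAddress"),
            }
        )
    return events


def detect_launch_bursts(events, window=timedelta(minutes=15), max_instances=20):
    """Return {user: peak instances requested within any `window`} for users
    whose peak exceeds `max_instances`. Sliding window per identity, so a
    steady trickle of launches over hours is not mistaken for a burst."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    offenders = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start, running, peak = 0, 0, 0
        for i, e in enumerate(evs):
            running += e["instances"]
            # Drop launches that fell out of the window ending at evs[i].
            while evs[i]["time"] - evs[start]["time"] > window:
                running -= evs[start]["instances"]
                start += 1
            peak = max(peak, running)
        if peak > max_instances:
            offenders[user] = peak
    return offenders


if __name__ == "__main__":
    for user, peak in detect_launch_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {user} requested {peak} EC2 instances within 15 minutes")
```

Running it flags only `bob`, with a peak of 120 requested instances; `alice` stays under the threshold. In a real deployment the threshold would be tuned per account from a baseline of normal launch volume, and the rule would be paired with the source IP and user-agent of the calls so that a known identity acting from an unfamiliar network stands out as well.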