The ALERT
At 5.06pm on Monday 7 December 2020, Think I.T. received an AMBER security alert from one of our internet security products. A medical client’s network was making a very high number of requests, over 2000 per hour, for ‘worker.minero.cc’, a known cryptocurrency-mining pool address that our security tool had classified as a bitcoin mining site and was blocking. The volume is itself a tell: mining software that cannot reach its pool keeps retrying, so a blocked domain being requested thousands of times an hour points to an automated process rather than a person.
Upon investigation, the requests were traced to a single Windows PC, which was the source of the infection. To expedite remediation and reduce the chance of spread, Think I.T. shut the infected computer down, and the activity that caused the alert ceased. One caveat for anyone handling a similar case: powering a machine off stops the activity but also discards memory-resident evidence. Isolating the host from the network while leaving it running achieves the same containment and preserves volatile data for investigation.
Why was the alert generated? What impact could it have had?
You may be wondering why cryptocurrency mining would generate an amber alert, be blocked by our security tool, and require immediate remediation. Mining coins is a legitimate business or sideline income for many people, so what is the problem? The difference is consent: here the mining was running on a client’s hardware, at the client’s expense, and had been installed without anyone’s knowledge or approval.
Had the mining software run unchecked, it would have degraded the performance of:
The dropped program could also have carried the ability to spread laterally, that is, to look for other computers on the network and copy itself to them so that more machines mine on the attacker’s behalf. That would have meant a performance decrease for every computer and user on the network.
The installer that delivers a miner can carry other payloads as well. The same foothold could have installed ransomware that locks the network, or malware that extracts data to be held to ransom.
The questions it raised for us were:
So how did it get there?
The teenage son of one of the practitioners, while killing time, downloaded a game onto a work computer. The mining software was not part of the game itself; it was bundled into the game’s installer and installed silently in the background, and the teenager had no idea it was there. It could just as easily have been ransomware. It also shows that someone who was not a staff member was able to sit at a work computer and install software on it.
How could this have been prevented?
A few months before the incident, Think I.T. had rolled out a new internet security service to all our managed clients. It provides DNS filtering: every domain name a computer tries to look up is checked against a database of known malicious or unwanted domains before the lookup is answered. Some categories are blocked outright; others, as in this case, are blocked and also raise an alert because of what that type of destination implies and what may follow it. Without this service, Think I.T. would not have detected the infection in its early stages. DNS filtering is an early-warning layer rather than a complete control, since malware that connects to hard-coded IP addresses or resolves names over encrypted channels never consults the filtered resolver, which is why it is paired with endpoint protection.
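To make the mechanism concrete, the following Python script is an added example, not Think I.T.’s product or code. It applies a small category table to a constructed resolver log, blocks matching lookups (including subdomains such as worker.minero.cc under a minero.cc entry), counts blocked lookups per client per hour, and raises an AMBER alert when a client reaches the threshold. The log format, category table, client addresses and threshold are assumptions; the 2000-per-hour figure mirrors the number quoted above.

```python
"""Constructed DNS-filter detection, added to illustrate the alert described above.

This is an added example, not Think I.T.'s product or code. The log line
format, the category table, the client addresses and the hourly AMBER
threshold are all assumptions; the 2000-per-hour figure mirrors the post.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical category table: registrable domain -> (category, action).
# Every match is answered with a block; "block+alert" categories are also
# counted per client per hour so that sustained activity raises an alert.
CATEGORIES = {
    "minero.cc": ("cryptomining", "block+alert"),
    "example-ads.test": ("advertising", "block"),
}
AMBER_THRESHOLD = 2000  # blocked queries per client per hour (assumed)

# Assumed resolver log format, one query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


@dataclass(frozen=True)
class Query:
    ts: datetime
    client: str
    qname: str


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Query(ts, m["client"], m["qname"].rstrip(".").lower())


def categorize(qname: str):
    """Look up the name and each parent domain, so worker.minero.cc
    matches the minero.cc entry. Returns (category, action) or None."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        hit = CATEGORIES.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def analyse(lines):
    """Apply the policy to a batch of log lines.

    Returns (decisions, alerts): decisions counts allow/block verdicts;
    alerts lists every (client, hour, category) whose blocked-query count
    reached AMBER_THRESHOLD.
    """
    decisions = Counter()
    per_client_hour = Counter()
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        hit = categorize(q.qname)
        if hit is None:
            decisions["allow"] += 1
            continue
        category, action = hit
        decisions["block"] += 1
        if "alert" in action:
            bucket = q.ts.replace(minute=0, second=0, microsecond=0)
            per_client_hour[(q.client, bucket, category)] += 1
    alerts = [
        {"severity": "AMBER", "client": client, "hour": hour.isoformat(),
         "category": category, "count": n}
        for (client, hour, category), n in sorted(per_client_hour.items())
        if n >= AMBER_THRESHOLD
    ]
    return decisions, alerts


def constructed_log():
    """Synthetic log (constructed for this example): one host polling the
    pool every 1.5 s for an hour, one host that resolved it a few times,
    plus some ordinary lookups."""
    base = datetime(2020, 12, 7, 16, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(2400):
        t = base + timedelta(milliseconds=1500 * i)
        lines.append(f"{t.isoformat()} client=10.20.0.47 qname=worker.minero.cc. qtype=A")
    for i in range(5):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} client=10.20.0.12 qname=worker.minero.cc. qtype=A")
    for name in ("update.microsoft.com", "www.example-ads.test", "mail.example.org"):
        lines.append(f"{base.isoformat()} client=10.20.0.12 qname={name}. qtype=A")
    return lines


if __name__ == "__main__":
    decisions, alerts = analyse(constructed_log())
    print(dict(decisions))
    for alert in alerts:
        print(alert)
```

Two design points carry over to real deployments. Matching on the registrable domain and its parents is what catches a fresh worker hostname under an already-listed mining domain, and counting per client per hour is what separates an infected host from a colleague who resolved the same name a handful of times (the second host above is blocked but never alerted). The threshold is a tuning decision: lower it and you alert earlier, at the cost of more noise from a single curious user.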
Think I.T. runs an advanced malware protection solution across all our managed sites. Traditional antivirus inspects a file and checks it against signatures of known malware, blocking execution when it finds a match; a miner freshly bundled into a game installer is exactly the kind of file that approach can miss. The new Endpoint Detection and Response (EDR) solution still detects known malware by signature, but it also monitors what programs do once they are running and can enforce Application Control, under which only approved software is allowed to execute. With Think I.T.’s EDR solution in place, this incident would have been stopped at the first step, because the Application Control feature would have blocked the unapproved game installer from running at all.
Some of the features of the new EDR solution are:
Get in touch with us to find out more about our EDR solution and how we can help secure your business.