• This topic has 2 replies, 3 voices, and was last updated March 25, 2021 by Brian C.

IDS detecting Bitcoin Mining activity.

  • Good afternoon,

    We have Zerto and have been a happy user for a few years. Recently we have been getting reports of Bit mining activity in this environment. Has anyone seen this kind of detection in their network? Our reseller has had a look and reports back that it is a false positive. I am curious if anyone else has seen this port activity?

    ***************************************

    Incident Summary

    The SOC has received an alert for ‘IPS DROP: 49471 VID54842 Stratum Bitcoin Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device (xxx.xxx.xxx.100/isensor01) for traffic (Blocked) sourcing from port 40764/tcp of xxx.xxx.xxx.80 and destined to port 9093/tcp of 172.16.255.xxx that occurred on 2021-01-08 at 15:37:52. This activity indicates that xxx.xxx.xxx.80 is involved in Bitcoin mining activity. If you have any further questions or concerns, please let us know either by corresponding to us via this ticket and delegating the ticket back to the SOC, or by calling us at 877-838-7960. If you would like us to block or allow an IP address on your managed firewalls or iSensors, please select the “Block/Allow” tab on the left from the Portal.  Sincerely, SecureWorks SOC

    Hi John

    I’ve not seen this myself, but I’d raise a support ticket and get one of the support engineers to look into the logs for you.

    Regards

    Chris Rogers

    John,

    Did you ever figure anything out? I got the same alert today:

    Incident Summary

    The SOC has received an alert for ‘49471 VID54842 Stratum Bitcoin Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device (*.*.*.*/newisensorscs) for traffic (Not Blocked) sourcing from port 48628/tcp of *.*.*.* and destined to port 4008/tcp of *.*.*.* that occurred on 2021-03-25 at 04:31:57. This activity indicates that *.*.*.* is involved in Bitcoin mining activity. If you have any further questions or concerns, please let us know either by corresponding to us via this ticket and delegating the ticket back to the SOC, or by calling us at 877-838-7960. If you would like us to block or allow an IP address on your managed firewalls or iSensors, please select the “Block/Allow” tab on the left from the Portal. To learn more, please visit https://portal.secureworks.com/portal/help/IP_Blocks_and_Allows.htm?rhhlterm=trust&rhsyns=%20#Adding_iSensor_IP_Allows_from_the_Incidents_Module
    Seems to be a false positive because it’s from one Zerto appliance to another Zerto appliance… but still annoying that it trips these alarms.
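Both posts above paste the same SOC alert format, and the triage question is the same each time: are both endpoints of the flagged flow known Zerto appliances, so the Stratum signature is firing on replication traffic, or is one end a host that actually needs a look? The script below is an added example, not code from the thread, from Zerto or from Secureworks. It parses the alert text into its fields (signature id, blocked/not blocked, source and destination address and port, timestamp) and compares the endpoints against an appliance inventory. The inventory, the sample addresses (RFC 5737 documentation ranges) and the sample alert texts are all constructed for the example; in practice the inventory would be exported from the ZVM.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

# Constructed inventory of Zerto appliance addresses (hypothetical values;
# replace with the ZVM/VRA addresses from your own environment).
ZERTO_APPLIANCES = {
    ip_address("192.0.2.80"),      # hypothetical VRA on the source site
    ip_address("172.16.255.10"),   # hypothetical peer VRA on the target site
}

# Field layout modelled on the SOC "Incident Summary" text quoted in the thread.
# Accepts both curly and straight quotes around the signature name.
ALERT_RE = re.compile(
    r"alert for [‘'](?:IPS DROP: )?(?P<sid>\d+) VID(?P<vid>\d+) (?P<name>.+?)[’']"
    r".*?traffic \((?P<action>Blocked|Not Blocked)\)"
    r" sourcing from port (?P<sport>\d+)/tcp of (?P<src>[\d.]+)"
    r" and destined to port (?P<dport>\d+)/tcp of (?P<dst>[\d.]+)"
    r" that occurred on (?P<date>\d{4}-\d{2}-\d{2}) at (?P<time>\d{2}:\d{2}:\d{2})",
    re.DOTALL,
)


@dataclass
class StratumAlert:
    sid: str
    vid: str
    name: str
    blocked: bool
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    when: str


def parse_alert(text: str):
    """Extract the structured fields from one SOC alert body, or None if it
    does not match the expected layout."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    return StratumAlert(
        sid=m["sid"],
        vid=m["vid"],
        name=m["name"],
        blocked=(m["action"] == "Blocked"),
        src=ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ip_address(m["dst"]),
        dport=int(m["dport"]),
        when=f"{m['date']} {m['time']}",
    )


def triage(alert: StratumAlert) -> str:
    """Classify the alert from the defender's side.

    likely-false-positive : both endpoints are inventoried Zerto appliances,
                            so the flow is replication traffic the signature
                            misclassified (still confirm with the vendor, and
                            note that a Blocked verdict means replication on
                            that path was interrupted).
    investigate           : exactly one endpoint is a Zerto appliance; find
                            out what the other host is before dismissing it.
    escalate              : neither endpoint is known; treat as a real
                            cryptomining indicator until proven otherwise.
    """
    src_known = alert.src in ZERTO_APPLIANCES
    dst_known = alert.dst in ZERTO_APPLIANCES
    if src_known and dst_known:
        return "likely-false-positive"
    if src_known or dst_known:
        return "investigate"
    return "escalate"


# Constructed sample alerts following the thread's format (addresses are
# documentation ranges, not real hosts).
SAMPLE_ALERTS = [
    "The SOC has received an alert for ‘IPS DROP: 49471 VID54842 Stratum Bitcoin "
    "Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device "
    "(192.0.2.100/isensor01) for traffic (Blocked) sourcing from port 40764/tcp of "
    "192.0.2.80 and destined to port 9093/tcp of 172.16.255.10 that occurred on "
    "2021-01-08 at 15:37:52.",
    "The SOC has received an alert for ‘49471 VID54842 Stratum Bitcoin Mining "
    "Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device "
    "(192.0.2.100/isensor01) for traffic (Not Blocked) sourcing from port 48628/tcp "
    "of 192.0.2.80 and destined to port 4008/tcp of 198.51.100.7 that occurred on "
    "2021-03-25 at 04:31:57.",
    "The SOC has received an alert for ‘49471 VID54842 Stratum Bitcoin Mining "
    "Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device "
    "(192.0.2.100/isensor01) for traffic (Not Blocked) sourcing from port 51000/tcp "
    "of 203.0.113.25 and destined to port 3333/tcp of 198.51.100.9 that occurred on "
    "2021-03-25 at 04:40:11.",
]


def triage_all(texts=SAMPLE_ALERTS):
    """Parse and classify a batch of alert bodies; unparseable ones are flagged."""
    results = []
    for text in texts:
        alert = parse_alert(text)
        results.append(triage(alert) if alert else "unparsed")
    return results


if __name__ == "__main__":
    for text, verdict in zip(SAMPLE_ALERTS, triage_all()):
        a = parse_alert(text)
        print(f"{a.when} {a.src}:{a.sport} -> {a.dst}:{a.dport} "
              f"blocked={a.blocked} VID{a.vid}: {verdict}")
```

The inventory check is deliberately the only thing that downgrades an alert: port numbers alone are not a safe criterion, because a miner can be pointed at any port, so a Zerto-to-Zerto flow is only trusted when both addresses come from the appliance list you maintain. If a vendor ticket confirms the signature misfires on replication traffic, the portal's Block/Allow entries mentioned in the alert are where the exception belongs, scoped to those appliance pairs rather than to the signature as a whole.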