- This topic has 4 replies, 5 voices, and was last updated January 25, 2023 by Lucas J.
IDS detecting Bitcoin Mining activity.
John W, January 14, 2021 08:38:15 PM
Good afternoon,
We have Zerto and have been a happy user for a few years. Recently we have been getting reports of Bit mining activity in this environment. Has anyone seen this kind of detection in their network? Our reseller has had a look and reports back that it is a false positive. I am curious if anyone else has seen this port activity?
***************************************
Incident Summary
The SOC has received an alert for ‘IPS DROP: 49471 VID54842 Stratum Bitcoin Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device (xxx.xxx.xxx.100/isensor01) for traffic (Blocked) sourcing from port 40764/tcp of xxx.xxx.xxx.80 and destined to port 9093/tcp of 172.16.255.xxx that occurred on 2021-01-08 at 15:37:52. This activity indicates that xxx.xxx.xxx.80 is involved in Bitcoin mining activity. If you have any further questions or concerns, please let us know either by corresponding to us via this ticket and delegating the ticket back to the SOC, or by calling us at 877-838-7960. If you would like us to block or allow an IP address on your managed firewalls or iSensors, please select the “Block/Allow” tab on the left from the Portal.
Sincerely,
SecureWorks SOC
Chris R, January 18, 2021 08:45:55 AM
Hi John
I’ve not seen this myself but I’d raise a support ticket and get one of the support engineers to look into the logs for you.
Regards
Chris Rogers
Brian C, March 25, 2021 02:19:30 PM
John,
Did you ever figure anything out? I got the same alert today:
Incident Summary
The SOC has received an alert for ‘49471 VID54842 Stratum Bitcoin Mining Protocol Detected Outbound (AUP – Cryptomining)’ from your iSensor device (*.*.*.*/newisensorscs) for traffic (Not Blocked) sourcing from port 48628/tcp of *.*.*.* and destined to port 4008/tcp of *.*.*.* that occurred on 2021-03-25 at 04:31:57. This activity indicates that *.*.*.* is involved in Bitcoin mining activity. If you have any further questions or concerns, please let us know either by corresponding to us via this ticket and delegating the ticket back to the SOC, or by calling us at 877-838-7960. If you would like us to block or allow an IP address on your managed firewalls or iSensors, please select the “Block/Allow” tab on the left from the Portal. To learn more, please visit https://portal.secureworks.com/portal/help/IP_Blocks_and_Allows.htm?rhhlterm=trust&rhsyns=%20#Adding_iSensor_IP_Allows_from_the_Incidents_Module
Seems to be a false positive b/c it’s from one Zerto appliance to another Zerto appliance… but still annoying that it trips these alarms.
Thanks for info
Lucas J, January 25, 2023 03:44:19 PM
It’s important to have an IDS (Intrusion Detection System) in place to detect Bitcoin mining activity. Bitcoin mining is the process of adding new transactions to the blockchain, and it requires a significant amount of computational power. Unfortunately, some individuals may use malware to take control of other people’s computers or servers to use them to mine Bitcoin without the owners’ knowledge or consent. This can cause damage to the affected machines and can also lead to a loss of resources and revenue. By using an IDS to detect Bitcoin mining activity, it can help organizations to quickly identify published content and respond to any unauthorized mining activity on their networks, and take appropriate action to stop it. It is also important to have a good endpoint security solution in place to prevent the intrusion of malware and unauthorized access to the network.