We are a managed service provider (msp).
01110100 01101000 01101001 01101110 01101011 00100000 0100100100101110 01010100 00101110

A Malicious Infection

03/11/2023

A Virus Infection Case Study

The ALERT

At 5.06pm, on Monday 7th December, 2020, Think I.T. received an AMBER security alert generated by one of our internet security products. A medical client’s network was making a very high number of attempts, over 2000 per hour, to gain access to ‘worker.minero.cc’, a known bitcoin mining site that was blocked by our security tool.

Upon investigation, it was found that a single Windows PC was the source of the infection. To expedite remediation and reduce the chance of spread, the infected computer was shut down by Think I.T. Following the shutdown, the activity that caused the alert ceased.

Why was the alert generated? What impact could it have had?

You may be wondering why bitcoin mining would generate an amber alert, be blocked by our security tool, and require immediate remediation. Bitcoin mining is a business or sideline income earner for many people, so what is the problem?

If the Bitcoin mining had been successful, it would have affected the performance of:

  • The local PC – the PC would likely have experienced a performance decrease due to the background activity of Bitcoin mining.
  • The Internet connection – the internet connection would have been slower for users, especially for any users connecting remotely.

The download could have included the ability to spread laterally. This is where the program looks for other computers on the network and spreads itself to be more effective. This would have caused a performance decrease for all computers and users.

The download and installation of a Bitcoin mining program can also include other background activities. This has the potential to infect the network with a virus that could ransom the network or extract data to be held to ransom.

The questions it raised for us were:

  1. Bitcoin mining is not a business process expected from a medical practice. So why is this activity taking place in one?
  2. Bitcoin mining requires a program that must be installed onto a computer. So how did it get onto the computer at this medical practice?

So how did it get there?

The teenage son of one of the practitioners, while killing time, downloaded a game onto a work computer. The Bitcoin miner was not part of the game itself; it infected the computer by being bundled with the game's installation. The teenager did not know it had been installed in the background. This could just as easily have been ransomware.

How could this have been prevented?

A few months before the attack, Think I.T. installed a new internet security service for all our managed clients. This service provides DNS filtering, meaning it checks all website requests against a database of known sites to avoid. Some sites are automatically blocked, while others will send an alert, as in this case, due to the nature of the type of site being visited and the possible repercussions. Without this solution, Think I.T. would not have detected the attack in its early stages.
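The alert described above (over 2000 attempts per hour to a blocked domain, traced to a single PC) can be reproduced from DNS filter logs with a per-client, per-hour count. The following is an added example, not Think I.T.'s tooling: the log format, the client addresses and the use of 2000 as the alert threshold are assumptions, and the sample log is constructed.

```python
from collections import Counter
from datetime import datetime

# Domain taken from the case study; the list format is an assumption.
BLOCKLIST = {"worker.minero.cc"}
# Assumption: alert when one client exceeds the rate quoted in the case study.
ALERT_THRESHOLD = 2000  # blocked lookups per client per hour

def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname, or any parent domain of it, is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def parse_line(line):
    """Parse '<ISO timestamp> <client IP> <query name>'; None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]

def find_noisy_clients(lines, threshold=ALERT_THRESHOLD):
    """Return {(client, hour): count} where blocked lookups exceed threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or corrupt log lines
        ts, client, qname = rec
        if is_blocked(qname):
            hour = ts.replace(minute=0, second=0, microsecond=0)
            counts[(client, hour)] += 1
    return {key: n for key, n in counts.items() if n > threshold}

def sample_log():
    """Constructed log: one host retrying the blocked domain, others browsing."""
    lines = [f"2020-12-07T17:{i % 60:02d}:{i // 60:02d} 192.0.2.23 worker.minero.cc"
             for i in range(2100)]
    lines.append("2020-12-07T17:05:00 192.0.2.10 example.org")
    lines.append("2020-12-07T17:06:00 192.0.2.11 Worker.Minero.CC.")  # single hit
    lines.append("truncated-line")
    return lines

if __name__ == "__main__":
    for (client, hour), n in find_noisy_clients(sample_log()).items():
        print(f"ALERT {client} made {n} blocked lookups in the hour from {hour}")
```

Grouping by client as well as by hour is what turns a network-wide alert into the name of the one machine to isolate.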

Think I.T. has a sophisticated virus protection solution across all our managed sites. Traditional virus protection looks at the file and checks for specific known signatures, blocking the execution when it finds one. The new Endpoint Detection and Response (EDR) solution can still detect viruses via the same method; however, EDRs take protection to a new level. With Think I.T.’s EDR solution, this incident would not have taken place, as the installation of the gaming software would have been blocked automatically by the Application Control feature.

Some of the features of the new EDR solution are:

  • 24×7 monitoring by a Security Operation Centre (SOC) – low/medium alerts are worked on 8×5; high alerts are worked on 24×7 for Servers, and 24×7 for Workstations at the client’s request.
  • Learns the behaviour of the user and can identify when the user behaviour changes.
  • Locks a computer to the currently installed applications so no new, or unapproved, applications can be installed (this helps prevent viruses being installed).
  • Ability to lock USB ports to only allow pre-approved and registered devices.
  • Detects and prevents lateral movement across a network.
  • Automated AI mitigation when malicious activity is detected.
  • Prevents Zero-Day attacks.
  • Identifies and prevents malware execution.

Get in touch with us to find out more about our EDR solution and how we can help secure your business.
