Emerging Threats

Compromise and Mining — Detection & Response

· frtg · 3 min read

Among the many types of attacks that organizations must contend with, we consider particularly underestimated those in which threat actors deploy software for cryptocurrency mining on compromised servers. This has been a recurring concern affecting organizations of all sizes in recent years.

Exposure of a server or service on public networks should always be preceded by careful evaluation and testing activities. Exposed systems are immediately subjected to an enormous volume of attacks and probes.

[Figure: honeypot attack statistics]

Within this volume of attacks, a significant portion involves threat actors attempting to compromise systems by exploiting application or system vulnerabilities with the objective of conducting mining operations and thus leveraging the computational and energy resources of victim systems.

Security incidents of this nature, often dismissed as "low risk", are erroneously underestimated. The modus operandi that enabled the attack to succeed should be considered an alarming indicator of inadequate defensive capabilities and evidence that antivirus software alone does not constitute sufficient protection.

Additional factors that should compel organizations toward more decisive and informed intervention include:

  1. Presence of known system vulnerabilities
  2. Ability to execute code on the compromised system (RCE — T1190)
  3. Protection mechanisms bypassed (or absent)
  4. Attack undetected or unidentified (a frequent occurrence)

Examining the attack through this lens reveals the necessity for a more informed approach to this class of threats.

Defensive Awareness

Ensuring protection can prove complex. The primary challenges that Security Operations Centers (SOCs) must address are multifaceted:

  1. Alert Volume Management
    Enormous quantities of network alerts from defensive systems that must be processed rapidly.
  2. Poor Information Quality
    Limited and insufficient information to establish what occurred. Constraints are typically temporal and qualitative in nature.
  3. Impracticality of In-Depth Analysis
    Information and tools that are inadequate and ineffective for attack reconstruction.

Faced with these objective difficulties, one must pose the question:

How does one defend against attacks that circumvent protection systems?

We address this class of challenges through innovative and highly specialized activities, among them the identification of post-compromise activity (T1059 — Command and Scripting Interpreter) and of Remote Code Execution (RCE) (T1190). If the vulnerability is a zero-day, or the attacker has bypassed the defensive systems, the defender must identify the intrusion in its subsequent phases. Our Managed Detection and Response capabilities focus precisely on detecting these post-exploitation indicators that traditional perimeter defenses miss.

Limitations and Opportunities

Securing an information system is a continuous challenge, an ongoing process. The relentless development of offensive tools and tactics demands an equivalent (if not superior) effort in the development of defensive solutions and services.

Monitoring and protection systems based on network traffic analysis are fundamental, but cannot be treated as passive and autonomous tools.

This initial protective barrier must be supported by solutions for the identification of RCE (T1505.003 — Web Shell, T1059 — Command Execution). It must be recalled that code execution occurs within the same context as the compromised process, maintaining identical privilege levels.
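The two indicators discussed above and in the preceding section (a web server process spawning a command interpreter, which is the footprint of a web shell or RCE, and a miner running under the web server's own service account, since the executed code inherits the compromised process's context and privileges) can be checked directly in process-creation telemetry. The following is an added example, not code from the original post or from any product it describes; it uses constructed process events with assumed field names, and the image and command-line pattern lists are illustrative assumptions rather than a complete signature set.

```python
"""Flag post-exploitation indicators in process-creation events.

Added illustration for the detection logic described in the post. The
event layout (pid, ppid, user, image, cmdline, parent_image) is an
assumption standing in for whatever an EDR/auditd pipeline emits.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Web-facing service images whose children should never be interactive
# shells or scripting interpreters (assumed list, extend per environment).
WEB_SERVER_IMAGES = ("httpd", "apache2", "nginx", "php-fpm", "tomcat", "w3wp.exe")

# Interpreters a web shell (T1505.003) typically launches (T1059).
SHELL_IMAGES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
                "perl", "python", "python3"}

# Command-line traits characteristic of coin miners (assumed patterns).
MINER_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE),   # pool protocol URL
    re.compile(r"\bxmrig\b", re.IGNORECASE),               # common miner binary
    re.compile(r"--donate-level", re.IGNORECASE),          # miner-specific flag
    re.compile(r"\b(minerd|cpuminer|kdevtmpfsi|kinsing)\b", re.IGNORECASE),
]


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    user: str          # account the process runs as
    image: str         # full path of the executable
    cmdline: str
    parent_image: str  # full path of the parent's executable


def _basename(path: str) -> str:
    """Normalise an image path (POSIX or Windows) to its lower-cased file name."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that matches an indicator.

    Two checks are applied:
      1. a shell/interpreter whose parent is a web-facing service
         (web shell or RCE: the child inherits the service account);
      2. a command line that looks like a coin miner, whatever its parent.
    """
    findings: List[Tuple[int, str]] = []
    for ev in events:
        child, parent = _basename(ev.image), _basename(ev.parent_image)

        # Check 1: interpreter spawned by a web server (prefix match tolerates
        # versioned names such as php-fpm7.4).
        if child in SHELL_IMAGES and parent.startswith(WEB_SERVER_IMAGES):
            findings.append((ev.pid,
                             f"'{child}' spawned by web server '{parent}' as "
                             f"'{ev.user}' (T1505.003 / T1059)"))

        # Check 2: miner traits in the command line.
        for pat in MINER_PATTERNS:
            if pat.search(ev.cmdline):
                findings.append((ev.pid,
                                 f"miner indicator /{pat.pattern}/ in '{child}' "
                                 f"running as '{ev.user}'"))
                break
    return findings


# Constructed sample telemetry (not real data): a benign nginx/php-fpm tree,
# a shell launched from php-fpm under the service account, and a miner
# started from that shell; the last entry is a normal SSH login shell.
SAMPLE_EVENTS = [
    ProcessEvent(1201, 1, "root", "/usr/sbin/nginx", "nginx: master process", "/sbin/init"),
    ProcessEvent(1300, 1, "root", "/usr/sbin/php-fpm7.4", "php-fpm: master process", "/sbin/init"),
    ProcessEvent(1305, 1300, "www-data", "/usr/sbin/php-fpm7.4", "php-fpm: pool www", "/usr/sbin/php-fpm7.4"),
    ProcessEvent(4412, 1305, "www-data", "/bin/sh", "sh -c /tmp/.x/run.sh", "/usr/sbin/php-fpm7.4"),
    ProcessEvent(4420, 4412, "www-data", "/tmp/.x/xmrig",
                 "xmrig -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 0",
                 "/bin/sh"),
    ProcessEvent(2210, 2200, "alice", "/bin/bash", "bash -l", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run on the sample, the first check fires for pid 4412 (a shell whose parent is php-fpm, running as www-data, exactly the "same context, same privileges" situation described above) and the second for pid 4420 (the stratum URL); the interactive bash under sshd is not reported. The parent-image rule is deliberately independent of the miner patterns: it catches the RCE footprint even when the payload is something other than a known miner, which is the point of looking for post-exploitation behaviour rather than a specific malware signature.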

Managed Defence

The convergence of network-based detection with endpoint-level behavioral analysis and threat hunting capabilities represents the operational foundation necessary to identify and respond to intrusions that exploit unknown vulnerabilities or sophisticated evasion techniques. Organizations that treat post-compromise detection as a secondary concern rather than a core defensive pillar remain exposed to extended dwell times and lateral movement by threat actors.
