{"id":716,"date":"2018-12-31T17:42:00","date_gmt":"2018-12-31T15:42:00","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=716"},"modified":"2026-06-08T22:33:13","modified_gmt":"2026-06-08T22:33:13","slug":"compromise-mining-detection-response","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/compromise-mining-detection-response\/","title":{"rendered":"Compromise and Mining \u2014 Detection &amp; Response"},"content":{"rendered":"<p style=\"text-align: justify\">Among the many types of attacks that organizations must contend with, we consider those in which threat actors deploy software for <strong>cryptocurrency mining<\/strong> on <strong>compromised servers<\/strong> to be particularly underestimated. This has been a recurring concern affecting organizations of all sizes in recent years.<\/p>\n<p style=\"text-align: justify\">Exposure of a server or service on public networks should always be preceded by careful evaluation and testing activities. 
Exposed systems are immediately subjected to an enormous volume of attacks and probes.<\/p>\n<figure id=\"attachment_717\" aria-describedby=\"caption-attachment-717\" style=\"width: 740px\" class=\"wp-caption alignnone\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/statistics-1024x583.png\" alt=\"Attack statistics\" width=\"750\" height=\"427\" class=\"wp-image-717 size-large zoooom\" loading=\"lazy\" \/><figcaption id=\"caption-attachment-717\" class=\"wp-caption-text\">Honeypot attack statistics<\/figcaption><\/figure>\n<p style=\"text-align: justify\">Within this volume of attacks, a significant portion involves threat actors attempting to compromise systems by exploiting application or system vulnerabilities with the objective of conducting <strong>mining operations and thus leveraging the computational and energy resources of victim systems.<\/strong><\/p>\n<p style=\"text-align: justify\"><strong>Security incidents<\/strong> of this nature, often dismissed as &#8220;<strong>low risk<\/strong>&#8221;, are erroneously underestimated. 
<strong>The modus operandi that enabled the attack to succeed should be considered an alarming indicator of inadequate defensive capabilities and evidence that antivirus software alone does not constitute sufficient protection.<\/strong><\/p>\n<p style=\"text-align: justify\">Additional factors that should compel organizations toward more decisive and informed intervention include:<\/p>\n<ol style=\"text-align: justify\">\n<li><span style=\"font-size: 14pt\"><strong>Presence of known system vulnerabilities<\/strong><\/span><\/li>\n<li><span style=\"font-size: 14pt\"><strong>Ability to execute code on the compromised system<\/strong> (RCE \u2014 T1190)<\/span><\/li>\n<li><strong><span style=\"font-size: 14pt\">Protection mechanisms bypassed <\/span><\/strong><span style=\"font-size: 14pt\">(or absent)<\/span><\/li>\n<li><span style=\"font-size: 14pt\"><strong>Attack undetected or unidentified <\/strong>(a frequent occurrence)<\/span><\/li>\n<\/ol>\n<p style=\"text-align: justify\">Examining the attack through this lens reveals the necessity for a <strong>more informed approach<\/strong> to this class of threats.<\/p>\n<h1>Defensive Awareness<\/h1>\n<p style=\"text-align: justify\">Ensuring protection can prove complex. The primary challenges that <strong>Security Operations Centers (SOCs)<\/strong> must address are multifaceted:<\/p>\n<ol>\n<li><span style=\"font-size: 14pt\"><strong>Alert Volume Management<\/strong><br \/>\n<span style=\"font-size: 12pt\">Enormous quantities of network alerts from defensive systems that must be processed rapidly<\/span><\/span><\/li>\n<li><strong style=\"font-size: 14pt\">Poor Information Quality<br \/>\n<\/strong><span style=\"font-size: 12pt\">Limited and insufficient information to establish what occurred. 
Constraints are typically temporal and qualitative in nature.<\/span><\/li>\n<li><strong><span style=\"font-size: 14pt\">Impracticality of In-Depth Analysis<br \/>\n<\/span><\/strong><span style=\"font-size: 12pt\">Information and tools that are inadequate and ineffective for attack reconstruction.<\/span><\/li>\n<\/ol>\n<p style=\"text-align: justify\">Faced with these objective difficulties, one must pose the question:<\/p>\n<blockquote><p><span style=\"font-size: 18pt;text-align: justify\">How does one defend against attacks that circumvent protection systems?<\/span><\/p><\/blockquote>\n<p style=\"text-align: justify\">We address this class of challenges through innovative and highly specialized activities. Among these are the identification of <strong>post-compromise activity<\/strong> (T1059 \u2014 Command and Scripting Interpreter) and of <strong>Remote Code Execution (RCE)<\/strong> (T1190). <strong>If the vulnerability is zero-day or the attacker has bypassed defensive systems, the defender must identify the intrusion in subsequent phases.<\/strong> Our <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities focus precisely on detecting these post-exploitation indicators that traditional perimeter defenses miss.<\/p>\n<h1>Limitations and Opportunities<\/h1>\n<p style=\"text-align: justify\">Securing an information system is a continuous challenge, an ongoing process. 
The relentless development of <strong>offensive tools and tactics<\/strong> demands an equivalent (if not superior) effort in the <strong>development of defensive solutions and services.<\/strong><\/p>\n<p style=\"text-align: justify\">Monitoring and protection systems based on network traffic analysis are fundamental, but cannot be treated as passive and autonomous tools.<\/p>\n<p style=\"text-align: justify\">This initial protective barrier must be supported by solutions for the identification of <strong>RCE<\/strong> (T1505.003 \u2014 Web Shell, T1059 \u2014 Command Execution). It must be recalled that code execution occurs within the same context as the compromised process, maintaining identical privilege levels.<\/p>\n<p><a href=\"https:\/\/fortgale.com\/#contact\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/ManagedD.png\" alt=\"Managed Defence\" width=\"1200\" height=\"430\" class=\"alignnone wp-image-728 size-full\" loading=\"lazy\" \/><\/a><\/p>\n<p style=\"text-align: justify\">The convergence of network-based detection with endpoint-level behavioral analysis and threat hunting capabilities represents the operational foundation necessary to identify and respond to intrusions that exploit unknown vulnerabilities or sophisticated evasion techniques. 
Organizations that treat post-compromise detection as a secondary concern rather than a core defensive pillar remain exposed to extended dwell times and lateral movement by threat actors.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cryptomining as a post-compromise objective: indicators on Linux and Windows endpoints, persistence techniques, network signals and containment workflow.<\/p>\n","protected":false},"author":1,"featured_media":735,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3165,89,3128,117,435,177,3167,215,229,3166,276,3168],"class_list":["post-716","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cryptomining","tag-cve","tag-detection-engineering","tag-difesa-gestita","tag-fortgale-report","tag-incident-response","tag-linux-compromise","tag-managed-defence","tag-mining","tag-persistence","tag-protezione","tag-t1496"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=716"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/716\/revisions"}],"predecessor-version":[{"id":9857,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/716\/revisions\/9857"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=716"},{"taxonomy":"post_tag","embeddable":true,"href
":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}