Azure Cryptomining

Azure Cryptomining

Detection overview

Triggers

  • Creation of powerful compute instances (virtual machines) for potential cryptomining activities.
  • High-powered VM instances are being created to enable compute-intensive operations for authorized business activities.

Possible Root Causes

  • Cryptomining Attack: An attacker is leveraging compromised credentials to create large-scale VMs to mine cryptocurrency within the Azure environment.
  • Legitimate Business Operations: The organization is creating high-powered VMs for valid use cases, such as AI model training, data processing, or large-scale simulations.

Business Impact

  • The creation of large and/or expensive VMs can significantly impact the organization's cloud budget, especially if left undetected.
  • Unauthorized VMs could lead to increased operational costs, resource exhaustion, and potential security risks.

Steps to Verify

  • Investigate the Identity: Check for other signs of malicious activity linked to the user or service principal that created the VMs.
  • Validate VM Creation: Confirm whether the deployment of large and/or expensive VMs was intentional and aligns with business needs.
  • If Malicious Activity Is Suspected:
    • Shut down or delete unauthorized VMs to prevent further resource consumption.
    • Revoke credentials associated with the suspicious activity.
    • Review access logs and permissions to identify potential privilege escalation or further compromises.
    • Monitor cloud billing and usage alerts to detect unusual spikes in resource consumption.
Azure Cryptomining

Possible root causes

Malicious Detection

Benign Detection

Azure Cryptomining

Example scenarios

Azure Cryptomining

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Cryptomining

Steps to investigate

Azure Cryptomining

MITRE ATT&CK techniques covered

Azure Cryptomining

Related detections

No items found.

FAQs