Unlocking Real-World Security: Defending against Crypto mining attacks

Cross-domain attacks remain a critical challenge for most security teams. As attackers use a combination of threat vectors to gain a foothold in an organization, visibility across critical assets becomes vital. With advanced attacks like cryptojacking and IaaS resource theft becoming increasingly prominent, it’s clear that attacks are crossing boundaries into cloud and hybrid workloads. The importance of natively integrating your XDR and cloud security insights becomes crucial when defending against these attacks. 

 

Since we integrated cloud workload alerts, signals and asset information from our industry-leading CNAPP solution, Microsoft Defender for Cloud, into Microsoft Defender XDR, we've seen its transformative impact in real-world scenarios. This integration enhances our ability to detect, investigate, and respond to sophisticated threats across hybrid and multi-cloud environments. To illustrate this, let’s explore a real scenario that showcases the power of this integration.  

  

Case Study: Defeating a Crypto mining Attack from Phishing to Cloud Exploitation 

In this attack, we explore a crypto mining attack that happened last July. It begins with a phishing email, escalates through privilege abuse, and culminates in cloud resource exploitation. This scenario demonstrates how Defender for Cloud works together with the other Microsoft Security solutions to enable a comprehensive and effective defense strategy. 

 

 

Step 1: Reconnaissance 

The attack begins with the threat actor conducting reconnaissance through account enumeration to identify valid users. This activity was detected by Sentinel. 

 

Step 2: Initial Access via Password Spray 

Following the reconnaissance, the attacker employs password spraying, attempting to guess passwords across multiple users within the organization. This results in a successful login from a suspicious browser in a new location. Entra Identity Protection and Defender for Cloud detect these actions, flagging the unauthorized access for immediate investigation. 

 

Step 3: Persistence 

The threat actor exploited valid credentials and used MFA fatigue to coerce the user into accepting the authentication request. After logging in, the threat actor registered a new device to establish persistence. These activities were detected by Sentinel analytics rules and Defender XDR. 

 

Step 4: Discovery and Privilege Escalation 

After gaining an initial foothold, the attacker conducted cloud discovery activities using Azure Resource Management and modified several cloud settings, including Virtual Machine quota limits.  Defender for Cloud and Defender XDR detected suspicious activities, such as abnormal use of administrative tools and irregular access patterns. These alerts correlate with the initial alerts from Sentinel, Entra Identity Protection, and Defender XDR highlighting the attack's progression. 

 

Step 5: Crypto Mining on Cloud Resources and Disruption

In this stage, the attacker deploys multiple machine learning clusters for crypto mining. Defender XDR and Defender for Cloud detect this unusual use of compute resources and trigger automatic attack disruption.

 

This XDR-level capability combines signals from cloud workloads, identities, SaaS apps, email, collaboration tools, and Sentinel to form a single, high-confidence incident. Defender XDR then responds by automatically containing the affected endpoints and disabling the compromised accounts, effectively halting the mining operation and preventing further lateral movement. In this specific case study, the attack disruption stopped the mining activity by disabling the user account. 

 

Step 6: Crypto Mining on Cloud Resources (Prevented) 

In similar incidents without attack disruption, the threat actor would have downloaded crypto miner tools and connected them to cryptocurrency mining pools. In some cases, the threat actor, with sufficient permission, could transfer the subscription to an attacker-controlled tenant. All these steps were prevented, and no crypto miner was run due to attack disruption, which disabled the compromised user and significantly limited the potential impact.  

 

Conclusion 

This case study showcases the tangible security value of integrating Defender for Cloud with Defender XDR. By the integration of cloud workloads strengthens the native breadth of signal in Defender XDR which further enables organizations to effectively defend against complex, multi-stage attacks that traverse the entire attack surface, including cloud infrastructure. The seamless correlation of alerts and robust automated response mechanisms ensure swift and effective threat mitigation. 

 

In summary, the Defender for Cloud integration into Defender XDR represents a pivotal advancement in cybersecurity. In a world where your critical assets live in the cloud, so do the attackers. Integrating cloud workload security signals is essential to capture the full attack story, enabling you to understand and stop sophisticated threats before they cause harm.  

 

Experience first hand how this powerful integration enhances your security and keeps your IT and cloud environments resilient against evolving threats.