Threat Detection Rules, Or How to Stop Your Redis Server from Mining Bitcoin for North Korea
Scanner makes data lakes fast and easy to use. Schemaless log search indexing, all in the user’s S3 buckets.
The amount of cryptocurrency stolen or mined via server hijacking annually is pretty staggering. It's estimated that almost 1/20th of North Korea's economy each year is the illegal acquisition of cryptocurrency, which is accomplished either by extracting crypto wallet private keys or running crypto miner malware on vulnerable servers.
To help teams stay safe from threats like this, we're excited to announce the release of Scanner's new detection rules, which can alert you whenever there are misconfigurations, indicators of compromise, and various kinds of threat activity.
In this post, we'll walk through how to use Scanner's new detection rules feature to protect infrastructure from a cryptojacking malware threat called Migo, which has mostly infected Redis servers in East Asia but is spreading globally.
But before we get started, let's take a look at what makes Scanner's detection rules unique.
How Scanner's detection rules are different
S3 optimization means lower cost, unlocking entirely new log sources
Scanner's detection rules run continuously on new logs you add to S3, and they can send alerts to destinations like Slack, SOAR tools, or any service with a webhook interface.
Since Scanner is highly optimized for low cost S3 storage, running detections on high-volume log sources is finally economically feasible. Ingestion costs are 80-90% less than other SIEMs, so you can actually run detections on high-volume log sources like cloud audit logs, DNS logs, WAF logs, and others. This removes blindspots and unlocks entirely new ways to protect your employees and infrastructure.
Statistical aggregations over time windows
Unlike other tools that can only look at log events one-by-one, Scanner's detection rules can build up statistical aggregations over a time range, allowing you to specify advanced triggering criteria and prevent false positives.
Chain detections together with Jupyter notebooks
In addition to alert destinations like Slack and webhooks, we are beta testing some new alert destinations like Jupyter notebooks, allowing teams chain queries together and pull in more context to investigate advanced threats. If you're interested in becoming a beta tester for new detection destinations like Jupyter notebooks, please sign up to chat with us here.
Let's switch gears now and take a look at how Scanner's detection rules can protect Redis server infrastructure from cryptojacking malware.
Walkthrough: How to use Scanner to protect your Redis servers from Migo, a cryptojacking malware threat
In this example, we'll walk through how to use Scanner to:
We'll assume that the Redis servers are running in AWS infrastructure. Let's also say that these servers are meant to be accessible only from other servers internal to the VPC, not from the external internet.
Detect a misconfiguration that might expose servers to the threat
The best case scenario is for the Redis servers to remain completely inaccessible to threat actors, preventing attacks altogether. Since it is fairly easy for innocuous infra-as-code tweaks to cause sweeping changes to infrastructure, it is valuable to put detection rules in place to ensure that your configuration remains safe.
Let's put a detection rule in place to check for VPC security group ingress rule changes that could expose servers to the internet.
In Scanner, we visit the Detections tab and click Create New Rule.
We can detect this dangerous cloud misconfiguration by scanning our cloud audit logs, specifically our AWS CloudTrail logs, to detect ingress rule changes that open our servers up to any IP address.
The Scanner query could look something like this:
Here is what the final detection rule could look like in Scanner:
Chain detection queries via a Jupyter notebook
This ingress rule is not always dangerous. For example, if your company is launching new application servers that need to be accessible from the internet to serve users, this ingress rule is the correct configuration for those servers. This rule is only dangerous in our particular use case if it exposes our Redis servers to the open internet.
How do we check for this and avoid false positives? We can chain this detection together with additional queries using a Jupyter notebook, which allows us to pull in the context we need to decide whether a configuration change is actually dangerous.
Note that the Jupyter notebook feature is still in beta, so the interface is likely to change dramatically in the short term. Please excuse our dust during construction!
To use the notebook, we can set the detection rule to trigger our Internet Exposure Notebook, which is a notebook we created in Scanner.
The Jupyter notebook consists of a few steps.
Notebook Step 1: Run a Scanner query to get details
Get the information about the triggered detection event. Then use that information to run a Scanner query on the correct time range to fetch the IDs of all security groups that have been exposed to the internet via ingress rule change.
Notebook Step 2: Assume an AWS role and look up all affected EC2 instances
Use an AWS role credential created in Scanner earlier to establish a temporary session using boto3, allowing you to query the AWS API using an IAM role in your AWS account. We run a DescribeInstances query to look for all EC2 instances associated with the exposed security groups.
Notebook Step 3: Look for exposed Redis servers
Filter EC2 instances down to those that have public IP addresses and have redis in their name. These Redis servers are now exposed to the internet!
Notebook Step 4: Sound the alarm
If there are exposed Redis servers, send a critical alert to the team's Slack event sink.
Alternatively, you could also use boto3 at this stage to revoke the ingress rules immediately.
By creating a simple detection rule and chaining it together with additional queries in a Jupyter notebook, you can quickly detect Redis server exposure to the internet and rapidly fix it.?
Look for indicators of compromise related to the malware
Even if you have strong controls in place to prevent your Redis servers from being exposed to the internet, it is still a good idea to put rules in place to detect indicators of compromise that demonstrate that the attack is already underway.
If you look at the Migo writeup from Cado Security, you'll see that they include indicators of compromise related to two types of entities: files and IP addresses. We'll focus on files for our detection.
Detect compromised files
Let's say that our Redis servers are running the Wazuh agent to monitor Linux processes and file integrity, and we've set up an agent like Vector or Filebeat to read the agent's OSSEC logs and write them to S3 where Scanner can index them.
We can take the SHA256 indicators of compromise from the Migo writeup and look for audit events where files with these hashes have been detected. Here is what the Scanner detection rule query might look like:
Enrich the alert with more context via Jupyter notebook
To help your team investigate rapidly, you can use a Jupyter notebook in Scanner to modify the raw OSSEC alert and add more context, like adding all recent OSSEC alerts occurring on the hosts during the triggered detection time range.
The notebook consists of three steps.
Notebook Step 1: Look up all compromised hosts
Run a Scanner query to get the hosts that have compromised files. We do this by running a query against all ossec:alerts data that contain the SHA256 indicators of compromise for Migo.
Notebook Step 2: Enrich context by fetching all recent audit events for these hosts
A detection alert has a start and end time, indicating the time range during which the rule's condition was triggered.?
To provide you with more context, we can retrieve all Linux audit events in the detection time range, allowing you to see what else happened on the host before and after the indicators of compromise were found.
Notebook Step 3: Send the enriched alert to a destination
Now that the alert has additional context, showing all Linux audit events happening around the same time as the indicators of compromise, we can send if off to a destination. In this case, we send it to our team's custom webhook, which could be connected to a SOAR, to Jira, or to a plethora of other tools.
Creating advanced detections is easier than ever
With other tools, you can typically only detect the first step in a sequence of threat activity.
With Scanner, once the first step in the sequence is detected, you can chain multiple detection steps together using Jupyter notebooks, allowing you to make detections far more advanced than before. It is easy to cross-correlate between multiple log sources, enrich data with more context using Scanner queries or AWS API requests, and send transformed alerts to the destination you need.
We're excited about Scanner's new detection feature, particularly the ability to do detection chaining with notebooks, and we're looking for teams interested in beta testing this. If you'd like to try it out and give feedback, please sign up to chat with us here.
Happy detecting and responding!
Visit to Learn More
How Not To Spend Half a Million Dollars on Logs
Data Engineering Podcast: Build A Data Lake For Your Security Logs With Scanner
Introducing New Statistical Aggregations: Average, Percentile, Variance, and More
How To Search Your Security Logs For Threat Indicators From The October 2023 Okta Breach