Skip to content

Event: crypto_miner_files

Quick Explanation

This Jibril detection recipe targets suspicious files related to cryptocurrency mining. It highlights newly introduced miner related files, libraries, and scripts within the CI/CD pipeline. By flagging these occurrences, the goal is to prevent malicious exploitation of resources, unauthorized access, or embedding of miner code in production artifacts.

More Information

Information

  1. Description: Crypto miner execution (revised list)
  2. Category: Resource Development
  3. Method: Establish Account
  4. Importance: Critical

Analysis of the Event

The crypto_miner_files event covers a wide range of filenames, library files, and scripts commonly associated with crypto mining operations. Jibril’s tracing mechanism, powered by eBPF, looks for file access actions, then checks these files against a curated miner-related list.

In legitimate scenarios, some of these tools could appear in testing or research. However, their presence within a CI pipeline is highly unusual and may suggest unauthorized activities. Attackers often embed miners into container images or inject them via scripts to hijack computing resources. If successful, they could remain undetected for extended periods, leveraging the pipeline’s infrastructure to mine cryptocurrency.

This also opens the door to broader exploitation strategies, such as creating new accounts or pivoting to more critical systems, all while hiding behind seemingly legitimate CI processes.

Compromised builds can also threaten downstream environments if the malicious artifacts are deployed to staging or production. This risk extends to potential data leaks, financial fraud, and further infiltration of corporate networks.

Implications for the CI/CD Pipeline

Undetected cryptominer binaries in a CI/CD environment can:

  • Drain Resources:
    Miners consume significant CPU/GPU cycles, slowing builds and increasing operational costs.
  • Threaten Build Integrity:
    Malicious scripts or code injected into build artifacts can propagate to production, impacting reliability and trust.
  • Enable Persistence:
    Attackers may establish hidden accounts or backdoor services, persisting across future builds and deployments.
  • Exfiltrate Sensitive Data:
    While running with elevated privileges, miners or scripts might collect credentials, tokens, or other critical information, exposing the broader infrastructure.

Should these components become part of the merged codebase, production systems may be compromised, resulting in costly downtime, data breaches, or reputational harm.

  1. Inspect & Validate Recent Commits

    • Scrutinize pull requests and associated commit history for references to any flagged miner binaries or suspicious scripts.
    • Confirm that all additions are intentional and align with legitimate business needs.

  2. Quarantine and Remove Malicious Binaries

    • If analysis confirms malicious mining tools, remove them promptly.
    • Blocklist known miner file names and associated command-line flags in your CI/CD pipeline.

  3. Strengthen Dependency & Artifact Controls

    • Implement stricter scanning of dependencies, Docker images, and artifact repositories to catch miner code before it reaches the CI environment.
    • Periodically verify the integrity of built artifacts using checksums or signatures.

  4. Augment File & Process Monitoring

    • Configure Jibril (and any complementary security tools) to monitor file creation, process spawns, and command-line parameters more rigorously.
    • Align with best practices (e.g., implementing eBPF-based detectors) for higher visibility into ephemeral container activities.

  5. Implement Resource Quotas and Access Controls

    • Enforce CPU/memory limits in container orchestrators (e.g., Kubernetes, Docker) to hinder cryptomining performance.
    • Restrict who can update pipeline configurations, ensuring only authorized personnel can modify CI/CD scripts or images.

  6. Document and Educate

    • Update internal security policies to address crypto mining threats.
    • Provide developers and DevOps teams with guidance on recognizing unauthorized mining software, ensuring swift reporting and remediation.

By following these steps, you can maintain a secure CI/CD environment, minimize the likelihood of resource hijacking, and protect downstream systems from potential malicious injection or compromise.