{"id":1450,"date":"2019-04-08T00:00:00","date_gmt":"2019-04-08T07:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/azure-security-center-exposes-crypto-miner-campaign"},"modified":"2025-06-19T22:38:06","modified_gmt":"2025-06-20T05:38:06","slug":"azure-security-center-exposes-crypto-miner-campaign","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/","title":{"rendered":"Azure Security Center exposes crypto miner campaign"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.<br>This operation takes advantage of an old version of known open source CMS, with a known RCE vulnerability (<a href=\"https:\/\/www.drupal.org\/sa-core-2018-002\">CVE-2018-7600<\/a>) as the entry point, and then after using the CRON utility for persistency, it mines \u201cMonero\u201d cryptocurrency using a new compiled binary of the \u201cXMRig\u201d open-source crypto mining tool.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Security Center (ASC) spotted the attack in real-time, and alerted the affected customer with the following alerts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><b>Suspicious file download<\/b> \u2013 Possible malicious file download using wget detected<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><b>Suspicious <\/b><b>CRON job<\/b> \u2013 Possible suspicious scheduling tasks access detected<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><b>Suspicious activity<\/b> \u2013 ASC detected periodic file downloads and execution from the suspicious source<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><b>Process <\/b><b>executed from suspicious location<\/b><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp\" alt=\"Azure Security Center alert on a file downloaded and executed.\" style=\"border-radius:0px\" title=\"Azure Security Center alert on a file downloaded and executed.\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-entry-point\">The entry point<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Following the traces the attacker left behind, we were able to track the entry point of this malware and conclude it was originated by leveraging a remote code execution vulnerability of a known open source CMS &#8211; <a href=\"https:\/\/www.drupal.org\/sa-core-2018-002\">CVE-2018-7600<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This vulnerability is exposed in an older version of this CMS and is estimated to impact a large number of websites that are using out of date versions. The cause of this vulnerability is insufficient input validation within an API call.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first suspicious command line we noticed on the effected Linux machines was:<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/2203604c-5004-4dea-bfc8-33d099913b2d.webp\" alt=\"Base64 encoded bash command line (details censored).\" style=\"border-radius:0px\" title=\"Base64 encoded bash command line (details censored).\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Decoding the base64 part of the command line reveals a logic of download and execution of a bash script file periodically, using the CRON utility:<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/e88aaa2c-3440-455f-877e-ddc1533bcb43.webp\" alt=\"Base64 decoded bash command line (details censored) \u00e2\u20ac\u201c wget | sh.\" style=\"border-radius:0px\" title=\"Base64 decoded bash command line (details censored) \u00e2\u20ac\u201c wget | sh.\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The URL path also includes reference to the CMS name &#8211; another indication for the entry point (and for a sloppy attacker as well).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We also learned, from the telemetries collected from the harmed machines, that this first command line executes within \u201capache\u201d user context, and within the relative CMS working directory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We did an examination on the affected resources and discovered that all of them were running with an unpatched version of the relative CMS, which is exposed to a highly critical security risk that allows an attacker to run malicious code on the exposed resource.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"malware-analysis\">Malware analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The malware uses the CRON utility (Unix job scheduler) for persistency by adding the following line to the CRON table file:<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/f267be76-eb27-4c79-a7ba-f1292414a9d5.webp\" alt=\"Cron command running wget | sh.\" style=\"border-radius:0px\" title=\"Cron command running wget | sh.\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This results with the download and execution of a bash script file at every minute and allows the attacker to command and control using bash scripts.<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/bcc9dfd1-37aa-4515-96fa-5b201733ed07.webp\" alt=\"The malicious bash script file (details censored).\" style=\"border-radius:0px\" title=\"The malicious bash script file (details censored).\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The bash file (as we captured it in this time) downloads the binary file and executes it (As seen in the image above).<br>The binary check if the machine is already compromised, and downloads using the HTTP 1.1 POST method, or another binary file depending on the number of processors the machine has.<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/6cf2b27e-3dff-4ec7-8bfa-50652a5186e8.webp\" alt=\"Malicious network traffic sniff.\" style=\"border-radius:0px\" title=\"Malicious network traffic sniff.\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On first sight, the second binary seems to be more difficult to investigate since it\u2019s clearly obfuscated. Luckily, the attacker chose to use UPX packer which focuses on compression and not on obfuscation.<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/51f168f6-4704-43a9-9aaa-c6d0c3e2ef7a.webp\" alt=\"Malicioud binary packed with UPX packer.\" style=\"border-radius:0px\" title=\"Malicioud binary packed with UPX packer.\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After de-packing the binary, we found a compilation of the open-source cryptocurrency miner \u201cXMRig\u201d in version 2.6.3. The miner compiles with the configuration inside it, and pulls the mining jobs from the mining proxy server, therefore we were unable to estimate the number of clients and earnings of the attacker.<\/p>\n\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/cf134cb7-4565-4e04-ba77-f40967b42dce.webp\" alt=\"XMRig assembly code.\" style=\"border-radius:0px\" title=\"XMRig assembly code.\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-big-picture\">The big picture<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By analyzing the behavior of several crypto miners, we have noticed 2 strong indicators for crypto miner driven attacks:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><b>1. Killing competitors<\/b> \u2013 Many crypto-attacks assume that the machine is already compromised, and try to kill other computing power competitors. It does this by observing the process list, focusing on:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Process name &#8211; From popular open source miners to less known mining campaigns<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Command line arguments such as known pool domains, crypto hash algorithms, mining protocol, etc.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">CPU usage consumption<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Another common method we identified is to reset the CRON tab \u2013 which in many cases is in use as a persistence method for other compute power competitors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><b>2. Mining pools \u00ad<\/b>&#8211; Crypto mining jobs are being managed by the mining pool, which is responsible for gathering multiple clients to contribute and share the revenue across the clients. Most of the attackers use public mining pools which are simple to deploy and use, but once the attacker is exposed, his account might be blocked. Lately we noticed an increasing number of cases where attackers used their own proxy mining server. This technique helps the attacker stay anonymous, both from detection by a security product within the host (such as Azure Security Center Threat detection for Linux) and from detection by the public mining pool.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion-and-prevention\">Conclusion and prevention<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Preventing this attack is as easy as installing the latest security updates. A preferred option might be using SaaS (Software as a service) instead of maintaining a full web server and software environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Crypto-miner activity is easy to detect most of the time since it consumes significant resources.<br>Using a cloud security solution such as <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/security-center\/\">Azure Security Center<\/a>, will continuously monitor the security of your machines, networks, and Azure services and will alert you when unusual activity is detected.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","footnotes":"","msx_community_cta_settings":[]},"categories":[1459],"tags":[],"audience":[3053,3056],"content-type":[1481],"product":[1798],"tech-community":[],"topic":[],"coauthors":[97],"class_list":["post-1450","post","type-post","status-publish","format-standard","hentry","category-security","audience-it-decision-makers","audience-it-implementors","content-type-thought-leadership","product-azure-security-center","review-flag-1-1680286581-825","review-flag-2-1680286581-601","review-flag-3-1680286581-173","review-flag-6-1680286581-909","review-flag-new-1680286579-546"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Azure Security Center exposes crypto miner campaign | Microsoft Azure Blog<\/title>\n<meta name=\"description\" content=\"Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Azure Security Center exposes crypto miner campaign | Microsoft Azure Blog\" \/>\n<meta property=\"og:description\" content=\"Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Azure Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/microsoftazure\" \/>\n<meta property=\"article:published_time\" content=\"2019-04-08T07:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-20T05:38:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp\" \/>\n<meta name=\"author\" content=\"Microsoft Azure\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@azure\" \/>\n<meta name=\"twitter:site\" content=\"@azure\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Azure\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\"},\"author\":[{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/microsoft-azure\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Azure\"}],\"headline\":\"Azure Security Center exposes crypto miner campaign\",\"datePublished\":\"2019-04-08T07:00:00+00:00\",\"dateModified\":\"2025-06-20T05:38:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\"},\"wordCount\":820,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp\",\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\",\"name\":\"Azure Security Center exposes crypto miner campaign | Microsoft Azure Blog\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp\",\"datePublished\":\"2019-04-08T07:00:00+00:00\",\"dateModified\":\"2025-06-20T05:38:06+00:00\",\"description\":\"Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.\",\"breadcrumb\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog home\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/security\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Azure Security Center exposes crypto miner campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"name\":\"Microsoft Azure Blog\",\"description\":\"Get the latest Azure news, updates, and announcements from the Azure blog. From product updates to hot topics, hear from the Azure experts.\",\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\",\"name\":\"Microsoft Azure Blog\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Azure Blog\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/microsoftazure\",\"https:\/\/x.com\/azure\",\"https:\/\/www.instagram.com\/microsoftdeveloper\/\",\"https:\/\/www.linkedin.com\/company\/16188386\",\"https:\/\/www.youtube.com\/user\/windowsazure\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117\",\"name\":\"shakir\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"caption\":\"shakir\"},\"sameAs\":[\"https:\/\/azure.microsoft.com\"],\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Azure Security Center exposes crypto miner campaign | Microsoft Azure Blog","description":"Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/","og_locale":"en_US","og_type":"article","og_title":"Azure Security Center exposes crypto miner campaign | Microsoft Azure Blog","og_description":"Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.","og_url":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/","og_site_name":"Microsoft Azure Blog","article_publisher":"https:\/\/www.facebook.com\/microsoftazure","article_published_time":"2019-04-08T07:00:00+00:00","article_modified_time":"2025-06-20T05:38:06+00:00","og_image":[{"url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp","type":"","width":"","height":""}],"author":"Microsoft Azure","twitter_card":"summary_large_image","twitter_creator":"@azure","twitter_site":"@azure","twitter_misc":{"Written by":"Microsoft Azure","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#article","isPartOf":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/"},"author":[{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/microsoft-azure\/","@type":"Person","@name":"Microsoft Azure"}],"headline":"Azure Security Center exposes crypto miner campaign","datePublished":"2019-04-08T07:00:00+00:00","dateModified":"2025-06-20T05:38:06+00:00","mainEntityOfPage":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/"},"wordCount":820,"commentCount":0,"publisher":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp","articleSection":["Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/","name":"Azure Security Center exposes crypto miner campaign | Microsoft Azure Blog","isPartOf":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp","datePublished":"2019-04-08T07:00:00+00:00","dateModified":"2025-06-20T05:38:06+00:00","description":"Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.","breadcrumb":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#primaryimage","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp","contentUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/5afbfed9-2c52-4b28-a52a-0d246c6d73fb.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-security-center-exposes-crypto-miner-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog home","item":"https:\/\/azure.microsoft.com\/en-us\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Azure Security Center exposes crypto miner campaign"}]},{"@type":"WebSite","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#website","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/","name":"Microsoft Azure Blog","description":"Get the latest Azure news, updates, and announcements from the Azure blog. From product updates to hot topics, hear from the Azure experts.","publisher":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization","name":"Microsoft Azure Blog","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp","contentUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp","width":512,"height":512,"caption":"Microsoft Azure Blog"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/microsoftazure","https:\/\/x.com\/azure","https:\/\/www.instagram.com\/microsoftdeveloper\/","https:\/\/www.linkedin.com\/company\/16188386","https:\/\/www.youtube.com\/user\/windowsazure"]},{"@type":"Person","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117","name":"shakir","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4","url":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g","caption":"shakir"},"sameAs":["https:\/\/azure.microsoft.com"],"url":"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/"}]}},"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Azure Blog","distributor_original_site_url":"https:\/\/azure.microsoft.com\/en-us\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/1450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/comments?post=1450"}],"version-history":[{"count":1,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/1450\/revisions"}],"predecessor-version":[{"id":42603,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/1450\/revisions\/42603"}],"wp:attachment":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/media?parent=1450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/categories?post=1450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tags?post=1450"},{"taxonomy":"audience","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/audience?post=1450"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/content-type?post=1450"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/product?post=1450"},{"taxonomy":"tech-community","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tech-community?post=1450"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/topic?post=1450"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/coauthors?post=1450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}