AdguardTeam / AdguardFilters

AdGuard Content Blocking Filters
https://adguard.com/
GNU General Public License v3.0

Cado Labs researchers recently discovered a novel cryptojacking campaign targeting insecure deployments of Redis #144404

Closed ghost closed 1 year ago

ghost commented 1 year ago


Problem description

There was a recent discovery of a new cryptojacking campaign by Cado Labs, which identifies a range of new mining pools to add to the cryptominers section of the AdGuard Base filter.

A custom XMRig configuration is written to disk, which registers the miner with the following mining pools:

- xmr.pool.gntl.co.uk
- pool.hashvault.pro
- xmr-eu1.nanopool.org
- monerohash.com
- pool.supportxmr.com
- ca.monero.herominers.com
- xmrpool.eu
- pool.xmrfast.com
- pool.xmr.pt

Proposed solution

Block the above in the AdGuard Base cryptominers filter.

Additional information

https://www.cadosecurity.com/redis-miner-leverages-command-line-file-hosting-service/
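The following is an added example, not code from the original issue, from AdGuard or from Cado Labs. It shows the two pieces of logic the report above implies: scanning an XMRig-style config.json (whose "pools" array holds entries with a "url" of the form "host:port" or "stratum+tcp://host:port") for pool hostnames that appear on the list from the issue, and emitting the corresponding AdGuard DNS filter rules in `||host^` form. The sample config embedded in the block is constructed for the example and is not the file from the campaign; `example.invalid` is a reserved placeholder used as a non-matching control.

```python
import json
from urllib.parse import urlsplit

# Pool hostnames quoted in this issue (from the Cado Labs write-up).
POOLS_FROM_ISSUE = [
    "xmr.pool.gntl.co.uk",
    "pool.hashvault.pro",
    "xmr-eu1.nanopool.org",
    "monerohash.com",
    "pool.supportxmr.com",
    "ca.monero.herominers.com",
    "xmrpool.eu",
    "pool.xmrfast.com",
    "pool.xmr.pt",
]

# Constructed sample in the shape of an XMRig config.json (assumption: the
# "pools" array with per-pool "url" fields); not a real file from the campaign.
SAMPLE_CONFIG = """
{
  "autosave": true,
  "cpu": {"enabled": true},
  "pools": [
    {"url": "pool.hashvault.pro:443", "user": "4...", "pass": "x", "tls": true},
    {"url": "stratum+tcp://xmr-eu1.nanopool.org:14444", "user": "4...", "pass": "x"},
    {"url": "example.invalid:3333", "user": "4...", "pass": "x"}
  ]
}
"""


def pool_host(url: str) -> str:
    """Return the lower-cased hostname of an XMRig pool URL.

    XMRig accepts both bare "host:port" and scheme-prefixed forms such as
    "stratum+tcp://host:port" or "stratum+ssl://host:port"; a dummy scheme is
    prepended to the bare form so urlsplit parses the netloc consistently.
    """
    if "://" not in url:
        url = "stratum+tcp://" + url
    return (urlsplit(url).hostname or "").lower()


def flagged_pools(config_text: str, blocklist) -> list[str]:
    """Hostnames from the config's pools that are on, or under, a listed pool."""
    cfg = json.loads(config_text)
    block = {h.lower() for h in blocklist}
    hits = []
    for pool in cfg.get("pools", []):
        host = pool_host(pool.get("url", ""))
        if not host:
            continue
        # Exact match, or a subdomain of a listed pool (e.g. eu.pool.example).
        if host in block or any(host.endswith("." + b) for b in block):
            hits.append(host)
    return hits


def adguard_dns_rules(hosts) -> list[str]:
    """AdGuard filter rules: '||host^' matches the host and all its subdomains."""
    return [f"||{h}^" for h in hosts]


if __name__ == "__main__":
    hits = flagged_pools(SAMPLE_CONFIG, POOLS_FROM_ISSUE)
    print("flagged pools in sample config:", hits)
    print("rules for the full list from the issue:")
    print("\n".join(adguard_dns_rules(POOLS_FROM_ISSUE)))
```

The subdomain check matters because a config may point at a regional front end (a host under one of the listed domains) rather than the bare pool name; the `||host^` rule form covers the same case on the blocking side.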

Alex-302 commented 1 year ago

Why must mining pools be blocked?

ghost commented 1 year ago

The article under additional information explains it.

In short, those are the mining pools used by the exploit which are written to a config after the vulnerable Redis distribution is prepared.

Alex-302 commented 1 year ago

This is not a reason to block public pools. Those who have been infected are not likely using our DNS)