by lasdfas 2233 days ago
I agree. I would like to see more details of how they determined it was only crypto mining. Finding only mining scripts in your logs doesn't mean they were not running other code once they had root.

It seems bizarre to me that a crypto miner got in. It wouldn't make much money on regular CPUs, and the high processor usage would immediately draw attention. So it looks like a low-effort botnet, which is embarrassing to get pwned by.

(The coin mining could be a cover like you mention, but it seems unlikely since it naturally draws attention.)

It’s easier to sell Monero for cash than... some random data from some random company.
I once worked at a place where a minor piece of cloud infra got exploited. All the attacker did was run a Monero miner on it.
Heh, in a way it makes a good bug bounty. Like if popping calc got you a trickle of income.
> It wouldn't make much money on regular CPUs

Not true; some PoWs such as Random-X are designed to be most efficient on CPUs.

Running the virus code in a container / VM and checking what gets modified.