From end-user machines to cloud services

The time of the “Gold Rush” in the cryptocurrency niche has long passed. Currently, cryptojacking, which involves the use of malicious software for cryptocurrency mining, is only economically viable on a significant scale. Cybercrime groups have adapted to this problem accordingly: in an attempt to expand their activities and increase their profits, miscreants began to target cloud services.
Cryptojacking trends
Mining cryptocurrency is much less profitable than stealing confidential information and spreading ransomware. In recent times, the main goal of cybercriminals has changed from infecting end-user machines to targeting cloud services.
Malicious actors prefer Monero (XMR), which offers the highest CPU mining return among cryptocurrencies. The choice is also explained by the fact that most cloud services do not provide access to a graphics processing unit (GPU) or comparable resources of a conventional computer. The central processing unit (CPU) becomes the only mining tool.
The lack of adequate protection on vulnerable cloud servers and the fact that the criminal groups that attack them use almost the same set of exploits leads to fierce competition between them. Information security specialists compare this competition for resources to Capture the Flag cyber tournaments. Representatives of the Outlaw gang install a script on compromised systems to eliminate other rival hacker groups’ miners. Often the same hacker groups act as both attackers and defenders.
Risk of cryptojacking
One might assume that the infiltration of a malicious miner into a cloud system does not pose a significant threat, as it does not immediately result in data breaches or infrastructure compromise. However, cryptojacking can cause service disruptions and customer dissatisfaction, ultimately affecting profitability. After all, if the system is vulnerable, there is nothing to prevent hackers from exploiting it to perform more destructive attacks beyond unauthorized mining.
Security experts conducted an experiment where they installed XMRig, a Monero mining program, on a test cloud server that was simultaneously performing other tasks. They observed a processor load increase from 12% to 100%. They also noticed an increase in network traffic volume. In terms of cost, this translates into a server rental price increase from $20 to $150 per month.
Often, malicious actors offer access to compromised cloud servers for sale and temporarily load the miner while they wait for buyers. Therefore, the discovery of such a Trojan is a very bad sign. In most cases, this is the last chance to address security issues before attackers use a compromised server for other nefarious purposes. Hackers have also been observed installing rootkits on hacked systems to hide the activity of miners.
After breaking into a server, hackers try to steal sensitive data to take over new services on the network – databases, websites, cloud apps, etc. Sometimes bad guys block the accounts of legitimate users. In addition, hacked cloud systems are increasingly being used for DDoS attacks.
Hacking technologies used
In recent years, migrating infrastructure to the cloud has become a distinct trend, enabling businesses to save significant amounts on equipment and maintenance costs. Nevertheless, the deployment of cloud services requires configuration and administration costs that some companies aim to reduce.
A significant number of system administrators are familiar with tools to protect local infrastructure, such as firewalls or antivirus, but these specialists face a lack of knowledge and skills when it comes to cloud services. If monitoring and logging tools are not properly configured in the cloud, the administrator may not receive much useful data, making it challenging to identify an attack.
As the configuration of many cloud services is standardized, and the default settings are well-known (and documented), malicious actors do not need to invest excessive effort in reconnaissance and hacking, nor do they require sophisticated tools.
Numerous cloud hacking groups previously specialized in hacking IoT devices, Linux servers, and Windows devices. The tools they use have hardly changed. Cloud service protection technologies have also changed little, and proven hacking tools have repeatedly demonstrated their effectiveness.
Cloud accounts can also be breached through phishing, which involves using fake emails or messages to trick users into divulging sensitive information. Over-sharing of personal information on popular social networks such as Facebook can make it easier for cybercriminals to collect information and launch targeted phishing campaigns. This can lead to loss of credentials, installation of malware, or even identity theft.
So using a compromised account to mine cryptocurrency is often not the worst-case scenario.
How to stay safe
To prevent cryptojacking attacks, Lee Kohn, head of the security department at RSTAKING, recommends timely installation of all available software updates and ensuring that only necessary services run on the cloud server. Many vulnerabilities that malicious groups use are found in outdated software versions, and timely updates can eliminate these vulnerabilities.
However, even after installing all updates, attackers can exploit poorly configured services. APIs should not be publicly available, as this could enable attackers to manipulate services. Access should be restricted to administrators and authorized users. Furthermore, using default settings is a terrible idea.
It is strongly recommended to use firewalls in the cloud infrastructure, as well as intrusion detection and prevention systems (IDS/IPS). Another effective solution is to use products that can limit and filter network traffic. Blocking domains connected to known mining pools can also be beneficial, and lists of these domains can easily be found online.
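The following is an added example, not code from the original article or from any vendor it mentions. It applies two of the signals discussed above, the sustained CPU jump seen in the XMRig experiment (12% to 100%) and outbound connections to blocklisted mining-pool domains or stratum-style ports, to constructed sample data. The pool domains, ports, PIDs and readings are placeholders chosen for illustration; in practice the blocklist would be loaded from a published mining-pool list.

```python
"""Cryptojacking triage check over constructed process and connection samples."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed placeholder blocklist (replace with a maintained mining-pool list).
MINING_POOL_DOMAINS = {"pool.example-xmr.invalid", "stratum.example-mining.invalid"}
# Ports frequently used by stratum mining clients (assumption, tune per environment).
STRATUM_PORTS = {3333, 4444, 5555, 14444}


@dataclass
class Finding:
    pid: int
    reason: str


def cpu_spike(baseline_pct: float, samples: list[float], threshold_pct: float = 90.0) -> bool:
    """True when every recent sample is above the threshold and at least double
    the host's normal baseline, i.e. a sustained jump rather than a short burst."""
    return bool(samples) and all(s >= threshold_pct and s > baseline_pct * 2 for s in samples)


def parse_conn(line: str) -> tuple[int, str, str, int]:
    """Parse a constructed 'pid=... proc=... dst=host:port' connection record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    host, port = fields["dst"].rsplit(":", 1)
    return int(fields["pid"]), fields["proc"], host, int(port)


def triage(cpu_by_pid: dict[int, list[float]], baseline_pct: float,
           conn_lines: list[str]) -> list[Finding]:
    """Combine the CPU signal and the network signal into a list of findings."""
    findings: list[Finding] = []
    for pid, samples in cpu_by_pid.items():
        if cpu_spike(baseline_pct, samples):
            findings.append(Finding(pid, "sustained CPU spike"))
    for line in conn_lines:
        pid, proc, host, port = parse_conn(line)
        if host in MINING_POOL_DOMAINS:
            findings.append(Finding(pid, f"{proc} connects to blocklisted pool {host}"))
        elif port in STRATUM_PORTS:
            findings.append(Finding(pid, f"{proc} connects to stratum-style port {port}"))
    return findings


# Constructed sample data: pid 4242 mimics the 12% -> 100% observation from the experiment.
SAMPLE_CPU = {4242: [98.0, 100.0, 99.5, 100.0], 1001: [11.0, 14.0, 12.5, 13.0]}
SAMPLE_CONNS = [
    "pid=4242 proc=xmrig dst=pool.example-xmr.invalid:3333",
    "pid=1001 proc=nginx dst=203.0.113.10:443",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CPU, 12.0, SAMPLE_CONNS):
        print(f"pid {f.pid}: {f.reason}")
```

Either signal alone produces false positives (a legitimate batch job, an unusual port), so the two are reported together and the host is reviewed before anything is killed or blocked.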