The era of the “gold rush” in the cryptocurrency niche is long gone. Currently, cryptojacking, which is the use of malware to mine cryptocurrency, is only financially viable on a significant scale. Cybercrime groups have responded to this accordingly: trying to expand their business and increase their profits, criminals have started targeting cloud services.
Cryptocurrency mining is much less profitable than stealing confidential information and spreading ransomware. In recent times, the main focus of cybercriminals has shifted from infecting end-user machines to targeting cloud services.
Malicious actors prefer Monero (XMR), which offers the highest CPU mining yields among cryptocurrencies. The choice is also explained by the fact that most cloud services do not provide access to the graphics processing unit (GPU) and resources of a conventional computer. The central processing unit (CPU) becomes the only mining tool.
The lack of adequate protection on vulnerable cloud servers, and the fact that the criminal groups attacking them use almost the same set of exploits, leads to fierce competition between them. Information security experts liken this competition for resources to Capture the Flag cyber tournaments. Representatives of the Outlaw gang install a script on compromised systems to weed out miners belonging to competing hacker groups. Often the same groups of hackers act as both attackers and defenders.
One would assume that the infiltration of a malicious miner into a cloud system does not present a significant threat, as it does not immediately lead to data breaches or compromised infrastructure. However, cryptojacking can lead to service interruptions and customer dissatisfaction, which ultimately impacts profitability. After all, if the system is vulnerable, nothing stops hackers from exploiting it to carry out more destructive attacks beyond unauthorized mining.
Security experts conducted an experiment in which they installed XMRig, a Monero mining program, on a test cloud server that was simultaneously performing other tasks. They observed an increase in CPU load from 12% to 100%. They also noticed an increase in the volume of network traffic. In terms of cost, this translates to an increase in the server rental price from $20 to $150 per month.
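The experiment above gives a usable detection baseline: a server that normally sits near 12% CPU should not stay pinned at 100% with elevated egress for minutes at a time. The following is an added example, not code from the original article or the experiment it cites. It flags sustained CPU plateaus against a known-clean window and notes whether outbound traffic rose with them; the metric samples are constructed, and in practice they would come from the cloud provider's monitoring API or a host agent.

```python
"""Flag sustained CPU and egress spikes of the kind the XMRig experiment produced.

Added example (not from the original article). All metric samples below are
constructed; thresholds are assumptions to tune per workload.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    ts: int          # Unix timestamp, seconds
    cpu_pct: float   # whole-host CPU utilisation, 0..100
    tx_kbps: float   # outbound network rate, kbit/s


# Constructed "known-clean" window: roughly the 12% load the test server showed.
CLEAN_WINDOW: List[Sample] = [
    Sample(1_700_000_000 + 60 * i, cpu, tx)
    for i, (cpu, tx) in enumerate([(11.0, 40.0), (13.0, 42.0), (12.0, 38.0),
                                    (14.0, 45.0), (10.0, 37.0), (12.0, 41.0)])
]

# Constructed observation window: one short legitimate burst (a build job), then a
# sustained 100% plateau with elevated egress, which is the miner signature above.
OBSERVED: List[Sample] = [
    Sample(1_700_001_000 + 60 * i, cpu, tx)
    for i, (cpu, tx) in enumerate([(12.0, 40.0), (95.0, 41.0), (13.0, 39.0),
                                    (99.0, 130.0), (100.0, 140.0), (100.0, 135.0),
                                    (99.0, 138.0), (14.0, 40.0)])
]


def baseline(samples: List[Sample]) -> Tuple[float, float, float]:
    """Mean CPU, population std-dev of CPU, and mean egress over a clean window."""
    cpu = [s.cpu_pct for s in samples]
    tx = [s.tx_kbps for s in samples]
    return mean(cpu), pstdev(cpu), mean(tx)


def find_sustained_load(samples: List[Sample], clean: List[Sample],
                        min_run: int = 3, cpu_floor: float = 90.0,
                        z: float = 3.0, tx_factor: float = 2.0
                        ) -> List[Tuple[int, int, bool]]:
    """Return (start_ts, end_ts, egress_elevated) for every run of at least
    `min_run` consecutive samples whose CPU exceeds the clean baseline.

    The CPU threshold is the larger of an absolute floor and mean + z*sd, so a
    noisy baseline cannot lower it; a single-sample burst never qualifies.
    """
    cpu_mean, cpu_sd, tx_mean = baseline(clean)
    cpu_threshold = max(cpu_floor, cpu_mean + z * cpu_sd)
    runs: List[Tuple[int, int, bool]] = []
    run: List[Sample] = []
    for s in samples + [None]:            # trailing None flushes the final run
        if s is not None and s.cpu_pct >= cpu_threshold:
            run.append(s)
            continue
        if len(run) >= min_run:
            egress_up = all(r.tx_kbps >= tx_factor * tx_mean for r in run)
            runs.append((run[0].ts, run[-1].ts, egress_up))
        run = []
    return runs


if __name__ == "__main__":
    for start, end, egress_up in find_sustained_load(OBSERVED, CLEAN_WINDOW):
        print(f"sustained high CPU {start}..{end}; egress elevated: {egress_up}")
```

The single 95% sample is deliberately ignored: a build or backup job looks the same for one interval, and alerting on it would train operators to mute the signal. Requiring a run of consecutive samples, plus the egress check, keeps the alert aligned with what the experiment actually measured.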
Often malicious actors offer access to compromised cloud servers for sale and temporarily deploy a miner while waiting for buyers. Therefore, the discovery of such a Trojan is a very bad sign. In most cases, this is the last chance to fix security issues before attackers use the compromised server for other sinister purposes. Additionally, hackers have been observed installing rootkits on hacked systems to hide the miners' activity.
After successfully breaking into a server, hackers attempt to steal sensitive data in order to support new services on the network, such as databases, websites, and cloud applications. Sometimes scammers block legitimate user accounts. Additionally, hacked cloud systems are increasingly being used for DDoS attacks.
Hacking technologies used
In recent years, the migration of infrastructure to the cloud has become an apparent trend, allowing companies to save substantial sums on equipment and maintenance costs. However, deploying cloud services requires configuration and administration costs that some companies aim to reduce.
A significant number of system administrators are familiar with local infrastructure protection tools, such as a firewall or antivirus, but these specialists face a lack of knowledge and skills in cloud services. If monitoring and logging tools are not properly configured in the cloud, the administrator may not receive much useful data, making it difficult to identify an attack.
Since the configuration of many cloud services is standardized and the default settings are well known (and documented), malicious actors do not have to invest excessive effort in reconnaissance and hacking, or use sophisticated tools.
Many groups that hack cloud systems previously specialized in hacking IoT devices, Linux servers, and Windows devices. The tools they use have hardly changed. Cloud service protection technologies have also changed little, and proven hacking tools have repeatedly demonstrated their effectiveness.
Cloud accounts can also be hacked through phishing, which is the use of fraudulent emails or messages to trick users into disclosing sensitive information. Excessive sharing of personal data on popular social networks like Facebook can make it easier for cybercriminals to gather information and launch targeted spear-phishing campaigns. This can lead to loss of credentials, installation of malware, or even identity theft.
So, using a compromised account to mine cryptocurrency is often not the worst case scenario.
How to stay safe
To prevent cryptojacking attacks, Lee Kohn, head of RSTAKING’s security department, recommends timely installation of all available software updates and ensuring that only necessary services are running on the cloud server. Many vulnerabilities used by malicious groups exist in outdated software versions, and timely updates can eliminate these security holes.
However, even after installing all updates, attackers can exploit misconfigured services. APIs should not be publicly available as this may allow attackers to manipulate the services. Access should be limited to administrators and authorized users. Also, it’s a very bad idea to use the default settings.
The use of firewalls in the cloud infrastructure, as well as intrusion detection and prevention systems (IDS/IPS), is strongly recommended. Another effective solution is to use products that can restrict and filter network traffic. Blocking domains connected to known mining pools can also be beneficial, and lists of such domains can be easily found online.
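The domain-blocking advice above is only as good as the matching logic behind it: a naive substring check both misses subdomains of a listed pool and produces false hits on unrelated names. The following is an added example, not code from the original article. It scans dnsmasq-style DNS query logs for lookups of blocklisted mining-pool domains (matching subdomains correctly), reports which hosts made them, and emits dnsmasq sinkhole rules for the list. The blocklist entries and log lines are constructed placeholders; a maintained list would replace them.

```python
"""Match DNS query logs against a mining-pool blocklist and emit sinkhole rules.

Added example, not from the original article. Blocklist entries and log lines are
constructed; the log format follows dnsmasq's "query[TYPE] name from ip" lines.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed blocklist (".invalid" names are reserved and never resolve).
# Entries match exactly or as parent domains, so "pool.xmr-example.invalid"
# also covers "eu.pool.xmr-example.invalid".
MINING_POOL_BLOCKLIST: Set[str] = {
    "pool.xmr-example.invalid",
    "stratum.coin-example.invalid",
}

# Constructed sample log: one clean lookup, repeated pool lookups from 10.0.0.7,
# and a look-alike name that a substring match would wrongly flag.
SAMPLE_DNS_LOG = """\
Mar  3 10:01:02 dnsmasq[411]: query[A] updates.example.org from 10.0.0.5
Mar  3 10:01:07 dnsmasq[411]: query[A] eu.pool.xmr-example.invalid from 10.0.0.7
Mar  3 10:01:09 dnsmasq[411]: query[AAAA] eu.pool.xmr-example.invalid from 10.0.0.7
Mar  3 10:02:15 dnsmasq[411]: query[A] notpool.xmr-example.invalid from 10.0.0.9
Mar  3 10:02:40 dnsmasq[411]: query[A] stratum.coin-example.invalid from 10.0.0.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so FQDN spellings compare equal."""
    return name.rstrip(".").lower()


def is_blocked(name: str, blocklist: Set[str]) -> bool:
    """True if name equals a blocklist entry or is a subdomain of one."""
    labels = normalise(name).split(".")
    # Walk from the full name up through its parents: a.b.c -> b.c -> c
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_dns_log(lines: Iterable[str],
                 blocklist: Set[str] = MINING_POOL_BLOCKLIST) -> Dict[str, List[str]]:
    """Return {source_ip: sorted blocked names it queried} for the given log lines."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m["name"], blocklist):
            hits[m["src"]].add(normalise(m["name"]))
    return {src: sorted(names) for src, names in hits.items()}


def dnsmasq_sinkhole_rules(blocklist: Set[str]) -> List[str]:
    """dnsmasq 'address=/domain/0.0.0.0' lines; each covers the domain and its subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in sorted(blocklist)]


if __name__ == "__main__":
    for src, names in scan_dns_log(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{src} queried mining-pool domains: {', '.join(names)}")
    print("\n".join(dnsmasq_sinkhole_rules(MINING_POOL_BLOCKLIST)))
```

Two design points: the label-by-label walk is what makes "notpool.xmr-example.invalid" a non-match while "eu.pool.xmr-example.invalid" is caught, and the per-source summary turns a long log into the short list of hosts worth inspecting for the miner itself. A DNS sinkhole does not stop a miner configured with a hard-coded pool IP, so it complements, rather than replaces, the egress firewall and IDS/IPS controls recommended above.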