Cyber attacks targeting cloud infrastructure are becoming more prevalent every year. Threat actors leverage the same aspects of massive infrastructure scalability, rapid deployment, and automation that drive legitimate businesses to digital transformation. We now have substantial evidence that organizations have suffered real financial damages due to cryptojacking. Could your company weather a surprise £345,000 increase in your cloud bill?
Cryptomining refers to performing calculations that validate transactions on a blockchain. Miners are rewarded with cryptocurrency for this effort. Cryptojacking is using stolen cloud resources to avoid paying for the necessary servers and power for mining, the cost of which typically outweighs the profits. Compared to other forms of cybercrime, cryptojacking has a low barrier to entry, low risk to the perpetrator, and a high potential for steady financial rewards.
In our Cloud Native Threat Report, writes Sysdig's Anna Belak, our security researchers looked specifically at TeamTNT, a notorious cloud-targeting threat actor that generates the majority of their criminal profits through cryptojacking. Based on this data, we can conclude that these cybercriminals make £1 for every £53 their victim is billed.
Cryptojacking: Who is a target?
Anyone and everyone has a target on their forehead. Cryptojackers will constantly scan the entire public internet looking for any unprotected or vulnerable resources. Their methods are heavily automated and show little regard for whom to hit. Vulnerable systems are often compromised within minutes of being brought online.
TeamTNT targets exposed Docker APIs, Kubernetes, and Redis deployments, but the list of potentially exploitable systems is limitless. TeamTNT collected at least £6,500 in cryptocurrency, amounting to £345,000 in cloud costs for their victims.
Why are they so successful?
Cryptojackers take steps to protect their own privacy and reduce their chances of getting caught or having their profits confiscated. They prefer to mine “privacy coins” like Monero that are more difficult to trace. They also use proxies and other obfuscation techniques to hide their cryptowallets and prevent attribution.
There are two ways to run a cryptojacking campaign: compromise existing compute instances and install as many miners as they will accommodate; or compromise a cloud account, create new compute instances, and run as many miners as the attacker wants. Our researchers have observed many instances where cryptojacking groups harvested cloud credentials and used them to spin up additional resources until they exhausted the credit cards on file. This second approach requires more effort, but it maximizes attacker profits and can result in massive costs to the victim. Most attackers, including TeamTNT, use both methods concurrently.
When will cryptojacking end?
Cryptojacking isn’t likely to subside anytime soon. The attackers have little to no expenses to worry about, so a tiny profit is still all profit. If anything, the volatility in the cryptocurrency markets is forcing cryptojackers to scale up their operations so they can maintain the same profits at less favorable exchange rates. Monero, in particular, has lost over 35% of its value over the past twelve months. Furthermore, the industry remains largely unregulated around the world, so it is still easy for the attackers to turn their cryptocurrency back into real money.
Cryptojacking has the ideal ratio of low effort and low risk for the attacker compared to high reward. It also enables near instant monetization of stolen infrastructure upon gaining access. Traditional tactics, such as ransomware extortion, require longer persistence, the ability to sell their access to a broker or customer, or the capability to complete the criminal transaction without engaging law enforcement.
How can you protect yourself?
Most cryptojacking attacks are opportunistic, meaning the malicious actors try to compromise anyone vulnerable to their exploit of choice. There is no targeting at play, the attacks are not sophisticated, and the threat actors likely have no idea whom they ultimately compromised.
Defending against opportunistic attacks requires proper preventative controls like vulnerability and configuration management. Identity and access management is a must for avoiding the worst-case scenario of attacker-provisioned instances mining on your cloud accounts at massive scale. Threat detection can also be highly effective, and many cloud providers and third-party cloud security tools are starting to offer algorithms for identifying and blocking cryptojacking attacks.
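The two detection angles mentioned above, account-level (a compromised identity spinning up instances at scale, as in the credential-harvesting campaigns described earlier) and runtime (a miner process appearing on an existing host), can be expressed as simple rules. The block below is an added example and is not code from the Sysdig report or this article. The event shapes, the `RunInstances` event name (the AWS CloudTrail name for an instance launch), the thresholds, and the sample records are all assumptions or constructed values; the pool hostname uses the reserved `.invalid` domain and the wallet is a placeholder.

```python
"""Two toy cryptojacking detection rules run over constructed sample telemetry.

Added example, not from the article or the Sysdig report. Event shapes and
thresholds are assumptions; tune them to your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Rule 1 (account level): more than MAX_LAUNCHES instance-launch events by one
# identity inside any WINDOW-long sliding window. Assumed threshold values.
MAX_LAUNCHES = 5
WINDOW = timedelta(minutes=10)

# Rule 2 (runtime): a process whose command line references a stratum
# mining-pool URL or whose binary name matches a well-known miner.
# The name list is illustrative, not a complete indicator set.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
MINER_NAMES = {"xmrig", "minerd"}


def detect_launch_bursts(events):
    """Return {identity: peak_count} for identities whose launch rate exceeded
    MAX_LAUNCHES within WINDOW. Events are dicts with eventTime (ISO 8601),
    eventName and userIdentity keys (assumed CloudTrail-like shape)."""
    launches = defaultdict(list)
    for ev in events:
        if ev.get("eventName") == "RunInstances":
            launches[ev["userIdentity"]].append(datetime.fromisoformat(ev["eventTime"]))
    flagged = {}
    for identity, times in launches.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most WINDOW.
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count > MAX_LAUNCHES:
                flagged[identity] = max(flagged.get(identity, 0), count)
    return flagged


def detect_miner_processes(proc_events):
    """Return the process events (dicts with host and cmdline) that match
    either runtime indicator."""
    hits = []
    for ev in proc_events:
        cmd = ev.get("cmdline", "")
        exe = cmd.split()[0].rsplit("/", 1)[-1].lower() if cmd.strip() else ""
        if STRATUM_RE.search(cmd) or exe in MINER_NAMES:
            hits.append(ev)
    return hits


# Constructed sample audit log: one identity launches 8 instances in 7 minutes,
# a normal user launches one and lists instances.
SAMPLE_AUDIT_EVENTS = [
    {"eventTime": f"2023-05-01T10:{m:02d}:00", "eventName": "RunInstances",
     "userIdentity": "ci-deploy-key"}
    for m in range(8)
] + [
    {"eventTime": "2023-05-01T11:00:00", "eventName": "RunInstances", "userIdentity": "alice"},
    {"eventTime": "2023-05-01T11:05:00", "eventName": "DescribeInstances", "userIdentity": "alice"},
]

# Constructed sample process launches; the pool host and wallet are placeholders.
SAMPLE_PROC_EVENTS = [
    {"host": "web-01", "cmdline": "/usr/bin/nginx -g 'daemon off;'"},
    {"host": "web-02", "cmdline": "/tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER"},
    {"host": "web-03", "cmdline": "/usr/bin/python3 app.py"},
]


def main():
    for identity, count in detect_launch_bursts(SAMPLE_AUDIT_EVENTS).items():
        print(f"ALERT launch burst: {identity} started {count} instances within {WINDOW}")
    for ev in detect_miner_processes(SAMPLE_PROC_EVENTS):
        print(f"ALERT miner indicator on {ev['host']}: {ev['cmdline']}")


if __name__ == "__main__":
    main()
```

Rule 1 is the cheap backstop for the account-takeover scenario: a real deployment would read it from the provider's audit trail and pair it with a billing alert, since the page's point is that the damage shows up as cloud cost. Rule 2 is deliberately narrow; miners that are renamed or that talk to a pool over a proxy will not match it, which is why string indicators should sit alongside behavioural signals such as sustained CPU saturation from an unexpected process.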
Although these attacks are typically not targeted, in some cases your business can suffer secondary consequences beyond the unusually high cloud bill. Being susceptible to miner attacks can expose your organization as having a weak security program, and more sophisticated threat actors may either attempt more substantial attacks against you or sell your information to other malicious actors. Ignoring any form of cyber threat is dangerous. Security leaders should take great care to ensure their organizations keep up with emerging threats and evolve their risk management strategy accordingly.