If you have ever wondered how cryptocurrencies like bitcoin or monero issue new currency, the answer is through a competition called cryptocurrency mining. This competition is open to anyone connected to the internet, and the more powerful the computer – or computers – you control, the better your odds of creating cryptocurrency you can exchange for real U.S. dollars.
Why would malicious actors use their own resources to compete in cryptocurrency mining when they can scan the web for publicly accessible servers to take advantage of misconfigured cloud and container environments?
This is exactly what happened to Rich Mogull, an Analyst & CEO of a security company, as detailed in his blog post.
About six years ago, Rich had no idea he had shared his Amazon Web Services (AWS) Access Key and Secret Key publicly on GitHub. While preparing for a Black Hat presentation, the industry analyst was working on a proof of concept for a DevOps tool and published the keys on GitHub. After receiving an automated alert from Amazon, he started investigating and found that one of his test files contained his AWS Access Key and Secret Key. Within 36 hours of publishing his code, malicious actors had already found it and were launching Elastic Cloud Compute (EC2) instances to mine cryptocurrencies, in regions unsupported by AWS CloudTrail. This made it impossible to find the origin of the API calls using his Access Key.
These keys were all that a malicious actor would need to connect to his cloud account and create expensive virtual machines to mine cryptocurrencies. Fortunately, he received an email from Amazon a few hours later and managed to limit the damage. Still, faster detection of cloud resource abuse could have helped save him money and prevent the risk of data loss.
The reality of cloud cryptomining
Cryptocurrency mining in hijacked AWS accounts is a common method among cybercriminals, because companies might not be instantly aware of the practice. For years, Amazon Web Services (AWS), Docker, and Kubernetes have been exposing enterprises to an attack vector by enabling malicious actors to run cryptomining software on vulnerable, unsecured server infrastructures.
In 2019, Thales Group in partnership with the Ponemon Institute reported that 48% of companies kept corporate data in the cloud, but over 50% did not use encryption or tokenization to prevent external compromise.
In August, a large-scale cryptomining malware operation was identified. A cybercrime group named TeamTNT stole AWS credentials from misconfigured Docker cloud servers without password protection for management APIs. While this was not necessarily a new strategy, the group was also going after Kubernetes systems. When these registries are attacked, malicious actors can gain unauthorized access to application source code and confidential information. The crypto-mining worm is spreading across the cloud collecting AWS credentials and installing cryptominers.
A cheaper compromise compared to Marketplace, companies often choose AWS Community AMIs (Amazon Machine Images). Amazon does not verify them for malicious risks or compromise, which explains why a cryptominer was detected embedded in the service for virtual machines. It looks like it had been using up compute resources for about five years, without companies even knowing. While customers paid all the bills, criminals got away with the cryptocurrency. Other industry research found that cryptocurrency mining code was hidden behind malicious Docker images located in the Docker Hub repository.
Shine a light on risks
Because cryptocurrency mining requires a lot of electricity and expensive hardware, hackers take advantage of corporate cloud computing, especially when the victims are large businesses already paying thousands of dollars for the service. Who would notice a couple of extra hundred dollars on their billing? The bigger the company, the smaller the chances that it constantly monitors usage or billing alerts.
Monitoring usage and billing alerts are, however, two of the most useful tools that companies can use to detect cloud infrastructure hijacking. When taken over, account keys need to be reissued to block access from malicious actors.
Companies can also prevent these attacks by making sure that they monitor in real-time all the code their employees and consultants share on public code-repositories and question/answer platforms like StackOverflow. Digital Risk Protection (DRP) solutions constantly monitor these platforms and detect the patterns of access keys and passwords. They then alert your company in real-time and help you reissue the leaked credentials, should a malicious actor have noticed them during the minutes that they were publicly available.
On November 10, 2020, 1 Bitcoin was worth USD$ 15,348.40. Industry predictions estimate its market cap will increase by 400% in less than two years, hitting “$1 trillion market cap,” which will likely result in a higher number of crypto-miners hijacking cloud resources and servers. Understanding the digital risk of cryptocurrency mining hijacking may help you prevent much more than the $500 Rich Mogull said he was supposed to pay to Amazon.
