According to the latest Cloud Security Trends report from the RedLock Cloud Security Intelligence (CSI) team, a quarter of enterprises suffered from cloud cryptojacking incidents, a threefold increase over the previous quarter.
Cryptojacking is the illicit use of a host's computing resources, without the owner's knowledge, to 'mine' cryptocurrency such as Monero. Any coin that can be mined profitably on CPUs rather than GPUs is on the radar of threat actors in this vector, since general-purpose cloud instances offer plenty of the former and little of the latter. "It's now apparent the practice of stealing cloud compute resources specifically to mine cryptocurrency has accelerated and there are signs that attackers are using advanced evasion techniques for this purpose," the researchers claim, adding "even with expectations of greater activity in this area, the numbers are a surprise."
No more surprising than the discovery that some 85 percent of these enterprise cloud resources had no firewall restrictions on outbound traffic, a small increase, of five percent, on last year's figure. Such a posture enables data exfiltration after a breach, or even accidental data loss, just as it lets a planted miner reach its pool unhindered. The RedLock CSI team therefore advise that all enterprises not only deny all outbound traffic by default but also "monitor network activity for any suspicious traffic such as communication with cryptomining pools."
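The two controls the RedLock team recommend, default-deny egress and watching for pool traffic, are concrete enough to show in code. The following is an added example written for this page, not RedLock's or SC Magazine's tooling: it audits a set of egress rules for anything reaching 0.0.0.0/0 or ::/0, then scans constructed flow-log, DNS-log and captured-payload samples for the usual signs of a miner phoning home. The Stratum port list, the hostname watchlist, the AWS VPC flow-log v2 field order and the DNS line format are all assumptions stated in the comments, and the watchlist in particular is a stand-in for a real threat-intelligence feed.

```python
import ipaddress
import json
import re
from collections import namedtuple

# Assumption: TCP ports commonly advertised by Stratum mining pools (illustrative subset).
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444}

# Assumption: JSON-RPC method names seen in the Stratum handshake and share
# submission, including the 'login'/'submit' variant XMRig uses for Monero pools.
STRATUM_METHODS = {"login", "submit", "mining.subscribe",
                   "mining.authorize", "mining.submit"}

# Assumption: constructed hostname watchlist; a real deployment loads this from
# a threat-intelligence feed instead of hard-coding substrings.
POOL_HOST_RE = re.compile(r"(xmr|monero|nanopool|supportxmr|hashvault)", re.I)

# RFC 1918 plus loopback and link-local, checked explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

EgressRule = namedtuple("EgressRule", "proto port cidr")


def audit_egress(rules):
    """Report egress rules whose destination is the whole internet.

    A 'deny all outbound by default' posture yields no findings. Port 'all'
    (or -1, as AWS security groups express it) is the most permissive case.
    """
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.cidr, strict=False).prefixlen != 0:
            continue  # scoped to a specific range: not an open-egress rule
        scope = "all ports" if str(r.port) in ("all", "-1") else f"port {r.port}"
        findings.append(f"{r.proto}/{scope} -> {r.cidr}")
    return findings


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def scan_flow_logs(lines):
    """Flag accepted TCP flows from internal hosts to Stratum ports outside the VPC.

    Assumes AWS VPC flow log v2 field order: version account interface srcaddr
    dstaddr srcport dstport protocol packets bytes start end action log-status.
    """
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT" or f[7] != "6":
            continue
        src, dst, dport = f[3], f[4], int(f[6])
        if is_internal(src) and not is_internal(dst) and dport in STRATUM_PORTS:
            hits.append((src, dst, dport))
    return hits


def scan_dns_logs(lines):
    """Flag queries matching the pool watchlist.

    Assumes constructed lines of the form '<epoch> <client-ip> <qname>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and POOL_HOST_RE.search(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits


def is_stratum_payload(payload):
    """True if a captured cleartext TCP payload is a Stratum JSON-RPC request.

    Catches pools on non-standard ports that the port check above misses;
    it cannot see inside TLS-wrapped connections.
    """
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


# Constructed sample inputs (not real enterprise data).
SAMPLE_RULES = [
    EgressRule("tcp", 443, "0.0.0.0/0"),
    EgressRule("any", "-1", "0.0.0.0/0"),
    EgressRule("tcp", 5432, "10.0.0.0/8"),
]
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b 10.0.1.15 203.0.113.7 51522 14444 6 120 9800 1523000000 1523000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.15 10.0.2.9 51523 3333 6 10 800 1523000000 1523000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.15 198.51.100.4 51524 443 6 30 2400 1523000000 1523000060 ACCEPT OK",
]
SAMPLE_DNS = [
    "1523000001 10.0.1.15 xmr-pool.example",
    "1523000002 10.0.1.15 api.example.com",
]
SAMPLE_PAYLOADS = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ExampleWallet","pass":"x","agent":"XMRig/2.6"}}',
    '{"id":1,"method":"getinfo","params":[]}',
    "GET / HTTP/1.1",
]
```

The egress audit is the posture check behind the 85 percent figure: an empty result means nothing can leave the VPC unless a rule explicitly allows it, which is the "deny all outbound by default" advice in practice. The three scanners are layered deliberately, since a miner whose pool listens on port 443 evades the port check but not the DNS or payload checks, and a miner with a hard-coded pool IP evades the DNS check but not the other two.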
SC Magazine UK asked why enterprise cloud environments are a prime target for the cryptomining threat vector. "Most of these attacks are opportunistic," says Chris Doman, security researcher at AlienVault, who continues: "the attackers scan the internet for vulnerable systems in any environment, many of which are with cloud providers." Of course, that doesn't negate the fact that cloud environments are often juicy targets for cryptojackers, as Karl Sigler, Threat Intelligence Manager at Trustwave, explains. "Cloud services are often provided by third parties where the line is blurred as to who is responsible for best security practices," Sigler points out, adding "this is especially critical since these environments are often outside the traditional enterprise perimeter where security protections like firewalls and intrusion prevention are often placed."
James Maude, lead security engineer at Avecto, agrees. "There is a common misconception that the cloud is secure by default," he told SC Media UK. "The reality is that it needs to be thought of as a system that someone else owns and treated with all the same security considerations as any other internet hosted system." Too often, Maude continued in conversation with SC, organisations focus solely on protecting high-value data. This leaves systems that don't hold particularly sensitive data unprotected.
"Increasingly, attackers are aware of this weakness and exploit it to target an organisation's computational resources, rather than their data," Maude says.
And what about best practice for mitigating the cryptojacking threat to the enterprise cloud environment? "Organisations need to be wary of over-privileged users, the credentials that are shared throughout an organisation, and think about implementing measures to stop users being targeted by phishing campaigns and avoid having their passwords stolen and reused," Maude warns. The other challenge mirrors the desktop environment: enterprises will often run unpatched systems and have little control over the applications and services running in the cloud. "The same fundamental advice applies to the cloud as any endpoint," Maude concludes: "implement least privilege, control which services are allowed to run and apply regular patches and install updates."