With the potential to earn a staggering $1.5 trillion every year, cybercrime is big business.
It's the perfect business model – minimum effort and risk with maximum rewards.
It comes as no surprise that the hype around Bitcoin and other cryptocurrencies last year saw cyber-criminals scrambling to profit from these new currency trends. Shrewd hackers have found a way to get better pay-outs than ransomware - cryptojacking, the unauthorised use of someone else's computing resources to mine cryptocurrency. This new technique has quickly risen through the ranks, replacing ransomware as the number one threat for consumers and enterprises.
Cloud services are playing an increasingly important role in distributing miners, software that pools the processing power of many computers, often without their owners' knowledge. For most organisations, perimeter security devices must allow services such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud, and this in turn offers attackers a simple and effective way to evade defences, as well as an ideal place to host malicious payloads or exfiltrate data. For attackers, cloud services provide all the key elements needed to maximise the probability that an attack succeeds.
Several factors have contributed to the recent rise in cryptojacking, although three characteristics of cloud in particular are being exploited by attackers.
Evasiveness: If a cloud service is used by an organisation, all corresponding traffic will pass through that organisation's perimeter security devices. Technologies like next-generation firewalls can recognise the specific cloud service and enforce security policies on it, but they are not instance-aware: they cannot tell which instance of the service (for example, which storage bucket or tenant) a given flow is bound to. During an attack that abuses a specific cloud application, they therefore cannot determine whether the traffic is directed to an instance unrelated to the organisation. As a result, a block policy aimed at containing the attack will affect all traffic to that web-facing storage service, with obvious consequences for the business.
Resiliency: With cloud services, computing resources are distributed and hence less susceptible to outages. With 99.99 percent uptime, multiple built-in tools for disaster recovery, and easy migration in the event of an outage or incident at any single point, attackers have solved one of the key problems of a successful campaign: the limited resiliency of traditional attack infrastructure.
Agility: Both agility and low cost are inherent characteristics of cloud computing, with automation being the foundation of this. However, it also means that attack infrastructure can be easily moved through different instances in the blink of an eye. New instances can be spun up quickly for multiple different malicious purposes.
These new evasive tactics are often combined with traditional distribution mechanisms, such as phishing emails, drive-by downloads or pay-per-click/pay-per-install schemes, which deliver the initial infection vector (known as the dropper). Once this foothold is established, the dropper can download the miner payload (or additional stages of the same attack) from cloud services like AWS or Azure. The same cloud services can also be used to exfiltrate data from the compromised endpoint. These campaigns are called 'hybrid threats' since they leverage both web/email and cloud services to succeed.
The agility, resiliency and availability of the resources of a cloud environment can be used not only for hosting the malicious payload, but also for mining cryptocurrency. In this attack scenario, the cloud amplifies the attack surface, since a misconfigured service can be exposed to the whole internet, and crooks won't miss this chance. Spin up a virtual instance or host a web application on a public cloud service and within a few minutes you will see attempts to exploit software vulnerabilities like the recent Drupalgeddon 2, or human vulnerabilities (i.e. misconfigurations such as unprotected consoles), in order to inject cryptominers. Leveraging a similar misconfiguration (a Kubernetes console that was not password protected), back in February attackers were able to infiltrate a cloud environment operated by Tesla and perform cryptomining.
Mining attacks such as these can lead to drastic consequences in corporate environments, whether they are on-premise or in the cloud. The high CPU usage of corporate resources can potentially lead to disruption of critical business as the infrastructure becomes slow or unresponsive and may even result in an unexpected shutdown. The abuse of cloud resources can potentially lead to unexpected bills.
Although this may sound a bit disconcerting, as the prevalence of cloud-based cyber-attacks shows no sign of abating, the good news is that businesses can reduce their exposure to cryptojacking by deploying an instance-aware technology like a Cloud Access Security Broker (CASB). With a CASB, organisations can enforce policies such as controlling traffic to unsanctioned cloud applications, scanning for potential malware uploads to sanctioned cloud applications, and scanning for malware downloads from unsanctioned cloud applications or from unsanctioned instances of sanctioned cloud applications.
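One way to implement the instance-aware distinction described above and the CASB policies just listed, as an added example in Python (not code from the page, from Netskope or from any CASB product): it maps a request to a cloud storage service and its instance from the hostname or path, then returns a per-instance policy verdict. The sanctioned instance names, the simplified hostname patterns and the log line format are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Sanctioned services and the instances (buckets / storage accounts) the
# organisation owns. Constructed sample data, not real tenants.
SANCTIONED = {"aws-s3": {"acme-corp-assets"}, "azure-blob": {"acmecorpstore"}}

# Simplified hostname patterns (assumed, not exhaustive): the instance name is
# the leftmost label of the service hostname.
HOST_PATTERNS = [
    ("aws-s3", re.compile(r"^(?P<inst>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")),
    ("azure-blob", re.compile(r"^(?P<inst>[a-z0-9]+)\.blob\.core\.windows\.net$")),
    ("gcs", re.compile(r"^(?P<inst>[a-z0-9._-]+)\.storage\.googleapis\.com$")),
]
# Path-style S3 URLs carry the bucket as the first path segment instead.
S3_PATH_STYLE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def classify(url):
    """Map a URL to (service, instance); (None, None) if not a known cloud store."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for service, pattern in HOST_PATTERNS:
        match = pattern.match(host)
        if match:
            return service, match.group("inst")
    if S3_PATH_STYLE.match(host):
        bucket = parts.path.lstrip("/").split("/", 1)[0]
        if bucket:
            return "aws-s3", bucket
    return None, None

def verdict(method, url):
    """Instance-aware decision: one service, different treatment per instance."""
    service, instance = classify(url)
    if service is None:
        return "not-cloud-storage"
    if service not in SANCTIONED:
        return "block-unsanctioned-app"
    if instance in SANCTIONED[service]:
        return "scan-upload" if method in ("PUT", "POST") else "allow"
    # Sanctioned app, but an instance outside the organisation's control.
    return "scan-download" if method == "GET" else "block-upload"

def evaluate(log_lines):
    """Apply verdict() to proxy log lines of the form 'METHOD URL'."""
    results = []
    for line in log_lines:
        method, url = line.split(" ", 1)
        results.append((method, url, verdict(method, url)))
    return results
```

A GET from a bucket the organisation does not own (the dropper fetching its next stage) is routed to malware scanning rather than blocked wholesale, while a PUT to such a bucket, the exfiltration path described earlier, is blocked without touching traffic to the organisation's own instances.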
These policies, combined with an effective patch management process for clients and servers, a corporate antivirus kept up to date with the latest releases and signatures, and the use of ad-blockers or browser extensions like NoScript, can help to prevent drive-by cryptomining attacks.
Finally, remember to assess your cloud services for misconfigurations or vulnerabilities.
Criminals are savvy, smart and are always on the lookout for the opportunity to exploit what they can, when they can, so don't give them the chance. These preventative measures are effective and offer the barrier you need to protect yourself against mounting cryptojacking attacks and stop them in their tracks.
Contributed by Paolo Passeri, cyber intelligence principal at Netskope.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.