Engineers at RedLock noticed something unusual while scanning the internet for unsecured cloud servers. As one of the top cloud monitoring and defense firms, RedLock noticed one Kubernetes console (an open source dashboard) was performing crypto-mining on AWS. Further research revealed anyone could access the console because it was not password protected.
With access to the console, it did not take long for the intruders to determine they could gain entry to a broader range of AWS services and deploy scripts to establish a crypto-mining operation.
This intrusion became more newsworthy than others because the console belonged to Tesla. RedLock researchers submitted their findings to the Tesla bug bounty program and were awarded $3000 which they donated to charity. However, this intrusion called attention to the fact that public cloud platforms are increasingly popular targets of cryptojackers.
Let us look at why cryptojacking has soared in popularity and what can be done to defend against it.
Gain in Popularity
So, what is cryptojacking? Cryptojacking is the secret use of your computing device to mine cryptocurrency.
Why has cryptojacking become so popular? In short, because it is profitable. “Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware,” says Alex Vaystikh, CTO of SecBI. He goes on to explain that a hacker might get three people to pay for every 100 computers infected. However, with cryptojacking, all 100 of those infected computers are mining cryptocurrency for the hacker.
Another reason hackers are turning to cryptojacking is they are less likely to be identified if ever caught. Once the hacker deploys the scripts running the crypto-mining operation, they may go months or years before someone detects them. Even when they are discovered, it is difficult to trace the offending scripts back to the source.
One thing to remember is that cryptojackers are not after confidential data. They are not searching for computers to uncover bank accounts or Social Security numbers. All they want is to co-op access to your cloud computing cycles. For this reason, many incidents are never reported. For many hackers, cryptojacking is merely a low risk/high reward proposition.
Entry Points
Hackers use several tactics to trick users into unintentionally becoming crypto-miners. One of the most popular is through a legitimate-looking email that baits the user into clicking on a link. Within seconds, the link runs code that installs a script on the computer. The script then quietly runs in the background undetected.
Another method hackers use is injecting a script on a website or an online ad. When a user visits the site, they encounter a pop-up in their browser which automatically executes the script. The scripts usually use few resources and do not interfere with general computer usage, making them incredibly difficult to detect. The most sophisticated scripts recognize when you are away from your computer and will then kick into full mining gear.
The makers of the Opera browser have created a cryptojacking test which will test your browser for any infections. Other test sites exist, but few are as quick and easy as this one.
Prevention
The skyrocketing value of cryptocurrencies is encouraging hackers to change their nefarious tactics. Many have evolved from stealing sensitive data to stealing computer cycles on local systems as well as in companies’ public cloud environments.
What can you do to prevent being a victim of cryptojacking?
- Monitor Network Traffic – Tesla was fortunate that RedLock recognized unusual network traffic that lead them to a console that was not password protected. Tesla should have been monitoring the traffic that was generated by their Kubernetes console more closely. Had they done so, they would have caught the operation sooner.
- Make Cryptojacking Part of Your Training – Helping users recognize phishing-type attempts will reduce the number of local infections. This requires ongoing diligence with each new batch of employees along with retraining for seasoned staff.
- Monitor Configurations – Organization, should monitor for risky and unusual configurations. This may require deploying tools that discover resources as soon as they are created as well as checking to make sure each entry point is password protected.
- Avoid Browser Extensions – If you must run extensions, keep them up-to-date. Some attackers are using malicious extensions to execute crypto-mining scripts. Hackers have also successfully poisoned legitimate extensions so avoid them if possible.
Conclusion
Will cryptocurrencies continue their torrid growth in popularity and value? That is anyone’s guess. However, as more companies move applications to the cloud, the opportunity for hackers to tap into your cloud computing resources increases.
Unfortunately, it does not require much technical skill or resources for a hacker to get started in cryptojacking. For as little as $30, anyone can purchase a cryptojacking kit off the dark web.
Experts expect cryptojacking to become as famous as ransomware over the next year. That is bad news for IT departments, but taking these few steps mentioned above can reduce your risk.
View Comments
-
-
You’re correct, we were referring to the guest. But, after further review, we noticed that the sentence you pointed out in step five doesn’t quite fit with the remainder of the post, so we’ve removed it. It is, however, still important to check the virtual machines’ event logs for VSS errors-- this is just a standard best practice to make sure everything is running smoothly.
-
Nice catch, Eric. Looks like "it"" got away from me."
-
Interesting point, Kurt. The more you lean on the cloud, the more you stand to be without if your cloud provider takes a temporary fall. An example would be the recent outage of Microsoft Azure (check out our article) For disaster recovery, the cloud is great because your backups are there in emergency when you need them. It's very important who you choose to work with when it comes to storing your backups in the cloud and you'll want to go with people in the industry that are true experts in backup and disaster recovery. The idea behind backup and disaster recovery is redundancy. You need a backup of, well, everything. That means if you've got a cloud provider taking care of infrastructure needs you'll probably want to have a plan for what you'll do if their cloud goes down for awhile. If you're relying on your own hardware, you'll want it backed up to a place that allows you to easily retrieve it in an emergency. What's even better is to use a cloud provider that gives you the ability to virtualize from the cloud so that your downtime is almost nothing. Check out StorageCraft Cloud Services if you'd like to learn more."
Previous
1
…
8
9
10
Hello Carlo,
Yes, you have pointed out the travails of being both a Techie and a Marketer, namely predicting software release dates. We both know how fast technology changes these days. What with Microsoft updates, new hardware (and the associated drivers), the constant flow of Linux distros, and StorageCraft's penchant for getting everything perfectly aligned before a release and my job as a Technical Marketer job becomes nigh impossible. I apologize for getting the date wrong, and will post more information about the upcoming software release as soon as I get it.
Thank you for keeping me honest.
Cheers,
Steven