Engineers at RedLock noticed something unusual while scanning the internet for unsecured cloud servers. RedLock, one of the top cloud monitoring and defense firms, found a Kubernetes console (an open source dashboard) on AWS that was being used for crypto-mining. Further research revealed that anyone could access the console because it was not password protected.
With access to the console, it did not take long for the intruders to determine they could gain entry to a broader range of AWS services and deploy scripts to establish a crypto-mining operation.
This intrusion became more newsworthy than others because the console belonged to Tesla. RedLock researchers submitted their findings to the Tesla bug bounty program and were awarded $3000 which they donated to charity. However, this intrusion called attention to the fact that public cloud platforms are increasingly popular targets of cryptojackers.
Let us look at why cryptojacking has soared in popularity and what can be done to defend against it.
Gain in Popularity
So, what is cryptojacking? Cryptojacking is the secret use of your computing device to mine cryptocurrency.
Why has cryptojacking become so popular? In short, because it is profitable. “Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware,” says Alex Vaystikh, CTO of SecBI. He goes on to explain that with ransomware, a hacker might get three people to pay for every 100 computers infected. With cryptojacking, however, all 100 of those infected computers are mining cryptocurrency for the hacker.
Another reason hackers are turning to cryptojacking is they are less likely to be identified if ever caught. Once the hacker deploys the scripts running the crypto-mining operation, they may go months or years before someone detects them. Even when they are discovered, it is difficult to trace the offending scripts back to the source.
One thing to remember is that cryptojackers are not after confidential data. They are not searching computers for bank accounts or Social Security numbers. All they want is to co-opt your cloud computing cycles. For this reason, many incidents are never reported. For many hackers, cryptojacking is simply a low-risk, high-reward proposition.
Hackers use several tactics to trick users into unintentionally becoming crypto-miners. One of the most popular is through a legitimate-looking email that baits the user into clicking on a link. Within seconds, the link runs code that installs a script on the computer. The script then quietly runs in the background undetected.
Another method hackers use is injecting a script on a website or an online ad. When a user visits the site, they encounter a pop-up in their browser which automatically executes the script. The scripts usually use few resources and do not interfere with general computer usage, making them incredibly difficult to detect. The most sophisticated scripts recognize when you are away from your computer and will then kick into full mining gear.
The makers of the Opera browser have created a cryptojacking test which will test your browser for any infections. Other test sites exist, but few are as quick and easy as this one.
The skyrocketing value of cryptocurrencies is encouraging hackers to change their nefarious tactics. Many have evolved from stealing sensitive data to stealing computer cycles on local systems as well as in companies’ public cloud environments.
What can you do to prevent being a victim of cryptojacking?
- Monitor Network Traffic – Tesla was fortunate that RedLock recognized unusual network traffic that led them to a console that was not password protected. Tesla should have been monitoring the traffic generated by its Kubernetes console more closely. Had it done so, it would have caught the operation sooner.
- Make Cryptojacking Part of Your Training – Helping users recognize phishing-type attempts will reduce the number of local infections. This requires ongoing diligence with each new batch of employees along with retraining for seasoned staff.
- Monitor Configurations – Organizations should monitor for risky and unusual configurations. This may require deploying tools that discover resources as soon as they are created, as well as checking that each entry point is password protected.
- Avoid Browser Extensions – If you must run extensions, keep them up-to-date. Some attackers are using malicious extensions to execute crypto-mining scripts. Hackers have also successfully poisoned legitimate extensions so avoid them if possible.
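As an added example (not from the original article, RedLock or Tesla), the following Python script applies the "monitor network traffic" advice to constructed AWS VPC Flow Log records, flagging an instance that keeps a long-lived TCP session to a common Stratum mining-pool port. The port list and the thresholds are assumptions a defender would tune for their own environment.

```python
# Added example (not part of the original article): flag hosts whose outbound
# traffic looks like a persistent mining-pool session, from AWS VPC Flow Log v2
# records. The port list and thresholds are assumptions to tune per network.
from collections import defaultdict

MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}  # common Stratum ports (assumption)
MIN_TOTAL_SECONDS = 3600  # flag once one host talks to one pool endpoint this long...
MIN_FLOW_COUNT = 2        # ...across at least this many accepted flow records
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow(line):
    """Parse one VPC Flow Log v2 line into a dict; None for malformed/NODATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        if not rec[key].isdigit():  # '-' appears in NODATA/SKIPDATA records
            return None
        rec[key] = int(rec[key])
    return rec

def find_mining_sessions(lines):
    """Return {srcaddr: (dstaddr, dstport, flows, seconds)} for hosts whose accepted
    TCP flows to a single mining-pool endpoint exceed both thresholds."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst, port) -> [flows, seconds]
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != 6:
            continue  # skip malformed, rejected and non-TCP records
        if rec["dstport"] in MINING_POOL_PORTS:
            key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"])
            totals[key][0] += 1
            totals[key][1] += rec["end"] - rec["start"]
    return {src: (dst, port, flows, secs)
            for (src, dst, port), (flows, secs) in totals.items()
            if flows >= MIN_FLOW_COUNT and secs >= MIN_TOTAL_SECONDS}

# Constructed sample records (not real traffic): 10.0.1.23 holds a port-3333 session
# for an hour; 10.0.1.45 only makes HTTPS calls plus one rejected probe to the pool.
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.50 49152 3333 6 1200 96000 1518000000 1518001800 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.50 49152 3333 6 1190 95200 1518001800 1518003600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.45 198.51.100.7 51000 443 6 40 5200 1518000000 1518000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.45 203.0.113.50 51001 3333 6 3 180 1518000000 1518000010 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1518000000 1518000060 - NODATA",
]
```

Running `find_mining_sessions(SAMPLE_FLOWS)` reports only 10.0.1.23, since the rejected probe and the HTTPS traffic from 10.0.1.45 never meet the thresholds.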
Will cryptocurrencies continue their torrid growth in popularity and value? That is anyone’s guess. However, as more companies move applications to the cloud, the opportunity for hackers to tap into your cloud computing resources increases.
Unfortunately, it does not require much technical skill or resources for a hacker to get started in cryptojacking. For as little as $30, anyone can purchase a cryptojacking kit off the dark web.
Experts expect cryptojacking to become as notorious as ransomware over the next year. That is bad news for IT departments, but taking the few steps mentioned above can reduce your risk.