With prominent victims such as Tesla, Aviva, and Gemalto, cryptojacking surfaced several times during the first half of 2018. In this attack technique, hackers hijack remote devices to mine cryptocurrencies.
Cryptocurrencies are generated by solving complex mathematical problems. This is a legitimate process in itself, but it requires a great deal of computing power and is therefore extremely resource-intensive. It is consequently more lucrative for criminals to outsource mining illegally to other people's infrastructure. Hijacking equipment and networks and bundling them into a botnet maximizes their mining capacity and yields a higher profit, because they do not have to pay to maintain these resources themselves. The comparatively mild consequences are also attractive: cases of cryptojacking, especially in the US, are pursued less aggressively by the authorities than attacks with malware or ransomware, where the extent of the damage is significantly higher.
When cryptojacking hits the cloud
An increasing trend is the combination of this practice with cloudjacking, the unauthorized use of a cloud application through the theft of access credentials. Cryptojacking in the cloud makes the mining process significantly faster. Public cloud platforms, especially IaaS platforms, are extremely popular targets for cryptojackers, as the environment offers tremendous computing power and many opportunities to stay undetected. In the case of Tesla, it turned out that some of the company's Amazon Web Services (AWS) resources had been abused to mine cryptocurrencies. The attackers ran several scrub programs and hid the IP addresses behind the content delivery network CloudFlare. This allowed them to hide their activities from conventional firewall and internet security systems. They also deliberately throttled the scraper software so as not to trigger a security alert through increased load.
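The throttling trick above defeats alerts that only fire on a high utilization threshold. The following added example (not from the original article) contrasts such a peak alert with a check for a sustained step-up relative to an instance's own baseline, run over constructed CPU telemetry; instance names, thresholds and sample values are all assumed.

```python
"""Low-and-slow cryptomining detection over CPU utilization samples.

Added example, not part of the original article. Assumes each instance
has a list of periodic CPU utilization readings (percent) as a cloud
monitoring API would return them. All data below is constructed.
"""
from statistics import median

# Constructed sample telemetry: 5-minute CPU utilization readings (%).
SAMPLES = {
    "web-01": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4],                 # idle baseline
    "batch-02": [2, 3, 95, 97, 96, 4, 3, 2, 3, 2, 3, 2],            # legitimate burst
    "k8s-node-07": [3, 4, 3, 35, 37, 36, 38, 35, 37, 36, 38, 37],   # throttled miner
}


def peak_alert(cpu, threshold=90.0):
    """Conventional alert: fires only when a reading crosses a high threshold."""
    return any(v >= threshold for v in cpu)


def sustained_shift(cpu, baseline_n=3, min_delta=20.0, min_run=6):
    """Flag a sustained step-up relative to the instance's own early baseline.

    A throttled miner keeps utilization well below the peak threshold, so the
    signal is a long run of readings sitting far above the baseline median
    without ever spiking. True when `min_run` consecutive readings exceed
    baseline + min_delta. Short bursts reset the run and are not flagged.
    """
    if len(cpu) <= baseline_n:
        return False
    baseline = median(cpu[:baseline_n])
    run = 0
    for v in cpu[baseline_n:]:
        run = run + 1 if v >= baseline + min_delta else 0
        if run >= min_run:
            return True
    return False


def classify(samples):
    """Return {instance: (peak_alert, sustained_shift)} for every instance."""
    return {name: (peak_alert(cpu), sustained_shift(cpu)) for name, cpu in samples.items()}


if __name__ == "__main__":
    for name, (peak, shift) in classify(SAMPLES).items():
        print(f"{name}: peak_alert={peak} sustained_shift={shift}")
```

Only the throttled node trips the baseline check, while the legitimate burst trips only the peak alert; a real deployment would derive the baseline from a longer history rather than the first few samples.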
How can organizations protect themselves?
Cryptojacking in connection with the cloud costs the affected companies money, although the business cost caused by the additional load on their resources varies from case to case. There are, however, general security measures that can prevent both the hijacking of cloud accounts and cryptojacking.
1. Create awareness: sensitizing employees:
Since attacks using social engineering have a very high success rate, cybercriminals increasingly target individual users. Phishing, in particular, is widely used to gain access to endpoints, networks and cloud environments. All it takes is one employee who falls for a deceptively genuine-looking message: with a single click, the cryptomining software embedded in the message is downloaded. Regularly informing employees about the various attack vectors and the potential damage they cause should therefore be an integral part of a comprehensive security strategy. This can be done, for example, in workshops, in a memo or through regular reports on the company intranet.
2. Use web browser security features:
Cryptomining software is distributed not only via phishing messages but also as so-called drive-by infections. For this, the malicious software is placed on popular, well-visited websites whose addresses are generally not blacklisted, such as daily newspapers and news portals. When the site is browsed, the cryptojacking software starts. Employee training falls short in this attack scenario, since the mining software works unnoticed. However, the security features of the web browser provide an effective line of defense: ad blockers, available as browser extensions, can sometimes detect cryptomining scripts.
3. Set up strong passwords and multifactor authentication:
In the Tesla example already mentioned, it was reported that the attackers infiltrated the environment via the company's Azure Kubernetes management console, which was not password protected. But even where passwords are used, the level of security often leaves something to be desired. In practice it turns out again and again that employee passwords are a significant weak point in companies. Employees find it cumbersome to devise a separate password for every program and service they use, so they usually pick one easily remembered password for everything. Using different alphanumeric passwords and enabling multifactor authentication (MFA) at the crucial moment could prevent cybercriminals from gaining control over the cloud and its assets.
4. Instantly install security patches and software updates:
Sometimes vulnerabilities in applications can be exploited to install cryptomining software. Software vendors and security vendors regularly release patches that protect against malware that could exploit such vulnerabilities. If the patches are not installed, which is quite common, endpoints and cloud storage networks are exposed to unnecessary risk. In particular, if employees also use their personal devices for business purposes, make sure that software updates are downloaded and installed as soon as they are available. Otherwise such vulnerabilities can be misused as an attack vector.
5. Leverage effective cloud and endpoint protection:
Numerous cloud and endpoint security solutions are now able to detect the most popular cryptomining scripts. That means that even if an employee inadvertently clicks on a malicious link or visits an infected site, attempts by the malicious software to take over the system can be prevented. Still, it makes sense to remain vigilant, as cybercriminals continually evolve their malicious code to remain undetected.
6. Data-centric security solutions:
Mobile data security solutions help control exactly what is on the endpoints and reduce the risk of breaches. In the era of bring your own device (BYOD), traditional mobile device management (MDM) is becoming increasingly difficult to enforce. However, there are now a variety of completely agentless solutions that provide many of the features of MDM without the typical privacy and deployment issues.
Cryptojacking has experienced a tremendous upswing over the past six months, mainly due to the strong price growth of cryptocurrencies in the recent past. Although prices are currently declining, so that the threat situation has eased somewhat, no all-clear can be given. It is therefore worthwhile to be prepared for such threat scenarios in order to avoid an unnecessary burden on your own infrastructure and the associated costs.