Cryptojacking: The high cost of free money
If I offered you free money, what would your first response be? For those of us in the security industry, the first thought is probably what the catch is. In the case of cryptojacking, the catch is that all the costs are covered by someone else.
Cloud infrastructure deployments are the bedrock beneath many companies today. However, that same infrastructure is being targeted by threat actors who can spot opportunities to earn cash for themselves. Based on the activities of one threat actor, TeamTNT, we can now estimate just how much that free money really costs.
Let's start by looking at what goes on in cryptomining. Mining cryptocurrency involves carrying out increasingly hard calculations in order to validate transactions and record them on a blockchain. In return, the people who carry out those calculations are rewarded with cryptocurrency funds, which they can then save, transfer or spend. However, as the cost of mining has increased and the value of cryptocurrencies has fallen, there is less and less incentive to carry out this kind of activity.
Cryptojacking 'solves' this problem -- by stealing access credentials to a business cloud account, the cryptominer can carry out those calculations without paying for the hardware, resources or electricity needed. Using stolen cloud resources avoids the need to pay for mining, so the attacker can walk away with 'free' money.
Compared to other forms of cybercrime, cryptojacking is easy to get into, and the risks are low, as the cryptocurrencies typically used in these attacks can be hard to trace. Attackers also use proxies and other obfuscation techniques to hide their cryptowallets and prevent attribution.
Based on analysis of TeamTNT in our Cloud Native Threat Report, we can estimate how much it costs to generate cryptocurrency and what the attacker gets in return. In the set of attacks that we examined, the cloud bills came to £345,000, while the attack generated around £6,500 in currency. In other words, the victims paid £53 for every £1 the attacker received. For someone doing this with their own resources, the return is ludicrously low, but for an attacker? Free money is free money.
How attacks work
To carry out this set of attacks, TeamTNT gains access to cloud infrastructure accounts through exposed Docker APIs, Kubernetes, and Redis deployments. This approach compromises existing compute instances, so the attacker can install as many miners as those instances will accommodate. However, it will not scale any further than that.
Other cryptocurrency attacks look for accounts with poor access control. By taking over legitimate existing accounts, attackers can provision additional compute instances and install their mining systems there, generating currency for some time before they are spotted or until the credit card on file reaches its spending limit. This approach requires more effort from the attacker, but it returns more profit and can result in massive costs to the victim.
Most attackers, including TeamTNT, use both methods concurrently. The attackers also have little to no expenses to worry about, so a tiny profit is still all profit for them. As the cryptocurrency industry remains largely unregulated and operates across country borders, it is easy for attackers to turn cryptocurrency into other currencies, or into real-world cash that they can withdraw. There is a further risk: cryptominers might try to raise additional revenue by acting as initial access brokers, selling their foothold to a more sophisticated attacker who can deploy ransomware.
Protect yourself with proactive controls
So how can you protect yourself and your infrastructure against these attacks? The most important point to bear in mind is that they are not sophisticated but opportunistic. Any attack that does succeed should be fast to detect if you have the right steps in place, and you can minimize the impact by keeping a close eye on your cloud bills and putting alerts in place for any spend that is significantly out of the ordinary.
Using runtime insights from your cloud infrastructure can improve your security posture. This means inspecting every process that runs within your cloud environment and checking that it is expected to run there. If an attacker does manage to get in and tries to install components for mining, those processes would be blocked from starting in the first place and you would be alerted. For cloud deployments, open source tools like Falco can help you set up what you need around security, and they are useful for hosts and Kubernetes clusters too.
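As an added illustration of the runtime-rule approach described above, here is a constructed Falco rules file (not a rule shipped with Falco or Sysdig) that alerts when a newly spawned process looks like a miner, or when a process connects out to a port commonly used by mining pools. The binary names, pool ports and Stratum URI schemes in the lists are assumptions to be tuned for your environment:

```yaml
# Constructed example rules for Falco. The miner binary names, pool ports and
# Stratum URI schemes below are assumptions, not a vendor-supplied list.
- list: miner_binaries
  items: [xmrig, minerd, cpuminer, cgminer, ethminer]

- list: miner_pool_ports
  items: [3333, 4444, 5555, 7777, 14444]

# Stratum is the job-distribution protocol mining pools use; miners are
# usually pointed at a pool with a URI such as stratum+tcp://<pool>:3333
- macro: miner_stratum_cmdline
  condition: >
    (proc.cmdline contains "stratum+tcp://" or
     proc.cmdline contains "stratum+ssl://")

# A process has just been executed (exit side of execve/execveat)
- macro: miner_spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

- rule: Crypto Miner Process Spawned
  desc: A newly executed process matches a known miner binary name or a Stratum pool URI
  condition: >
    miner_spawned_process and
    (proc.name in (miner_binaries) or miner_stratum_cmdline)
  output: >
    Possible crypto miner started (user=%user.name command=%proc.cmdline
    parent=%proc.pname container=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [cryptomining, cloud, runtime]

- rule: Outbound Connection to Miner Pool Port
  desc: A process opened an outbound TCP connection to a port commonly used by mining pools
  condition: >
    evt.type = connect and evt.dir=< and fd.l4proto = tcp and
    fd.sport in (miner_pool_ports)
  output: >
    Outbound connection to miner pool port (command=%proc.cmdline
    connection=%fd.name container=%container.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [cryptomining, network, runtime]
```

Loaded alongside the default rule set, the first rule gives you the "process should not be running here" signal the paragraph describes, and the second catches miners that have been renamed but still talk to a pool on a well-known port.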
To defend against these kinds of opportunistic attacks, you should have preventive controls in place that block exploitation of misconfigurations or vulnerabilities in your deployments. Checking for potential issues and patching systems quickly will stop opportunists from carrying out attacks. Similarly, a thorough identity and access management approach will defeat attacks on weak passwords. Using multi-factor authentication for cloud accounts, particularly those with privileged access or elevated permissions, should be your default approach.
If an attacker does get into your accounts, then threat detection tools should flag the attack quickly. Crypto mining is a noisy activity and one that is definitely not 'business as usual' for the vast majority of companies, so any such deployment should stand out. Many cloud services and security tools offer detection and blocking of these attacks as standard.
A cryptomining attack can be an expensive lesson to learn about security. The prospect of a hefty cloud bill for poor security practices should lead anyone to look at their approach. By working proactively and preventing issues before they can be exploited, you can avoid handing free money to those who definitely don't deserve it.
Anna Belak is Director, Office of Cybersecurity Strategy, Sysdig. Anna has nearly ten years of experience researching and advising organisations on cloud adoption with a focus on security best practices. As a Gartner Analyst, Anna spent six years helping more than 500 enterprises with vulnerability management, security monitoring, and DevSecOps initiatives. Anna's research and talks have been used to transform organisations' IT strategies and her research agenda helped to shape markets. Anna is the Director of the Office of Cybersecurity Strategy at Sysdig, using her deep understanding of the security industry to help IT professionals succeed in their cloud-native journey. Anna holds a PhD in Materials Engineering from the University of Michigan, where she developed computational methods to study solar cells and rechargeable batteries.