In A Review of Cryptojacking, we examined how a Cryptojacking attack is launched. Many attacks are now aimed at Cloud-based infrastructure as well, and that is the focal point of this blog.
Cryptojacking & The Cloud
It is important to keep in mind that the Cryptojacker is not just out to steal the processing and electrical resources of your individual computer and/or wireless device. They are also out to attack the overall Cloud Infrastructure, where far more compute is available and where a modest extra load on each of many instances is much easier to hide.
A prime example of this is Tesla, an auto manufacturer that uses Amazon Web Services (AWS) for its Cloud Infrastructure needs. In this particular instance, Tesla made use of Kubernetes, an open source platform originally developed by Google, which allows businesses to automate the deployment, scaling, and management of containerized applications.
Tesla had deployed Kubernetes onto their AWS Platform, but it was not made secure enough: the Kubernetes administrative console was reachable from the Internet without any password, so Cryptojackers were able to walk straight in. Inside one of the Kubernetes pods they found AWS access credentials, which gave them a foothold in Tesla's overall AWS Environment, and Cryptojacking mining scripts were then covertly deployed onto the Kubernetes instances.
As a result, the Cryptojackers were able to put Tesla's AWS compute (and the electricity and billing behind it) to work mining for them. With the credentials they had found, they could also reach sensitive information and data located in Tesla's AWS Simple Storage Service (S3) buckets.
The Cryptojackers also used several tactics to avoid detection. Rather than connecting to a well-known public mining pool, they ran their own private Mining Pool software and configured the mining scripts to connect to that unlisted endpoint. Because the endpoint appeared on no threat-intelligence feed, the existing domain- and IP-based threat detection systems did not flag the Cryptojacking activity.
They further masked the true IP address of the mining pool by placing it behind the Content Delivery Network CloudFlare, and they used non-standard network port numbers to talk to it, so the traffic did not look like the usual pool connection on the usual port. On top of that, the mining software was configured to keep CPU usage low, so the mining load did not stand out in resource monitoring. Together these steps allowed the suspicious network traffic and the mining itself to go undetected for a long period of time.
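Each of the evasion steps above defeats a detector that keys on the endpoint: a blocklist of pool domains and IPs misses a private pool, a CDN hides the pool's real address, and a port rule misses a non-standard port. What the attacker cannot change is the protocol the miner speaks to the pool. The following is an added example, not code from the original post or from Tesla's or anyone else's environment, showing how a detector that inspects the first bytes of each outbound connection for the Stratum JSON-RPC handshake catches all of the evasive flows that a domain/IP blocklist would miss. The flow records, hostnames, IPs, wallet string and miner version in it are all constructed placeholders.

```python
"""Payload-based detection of Stratum mining traffic.

Added example, not code from the original post or from Tesla or RedLock.
Every record in SAMPLE_FLOWS is constructed; the hostnames, IPs and
wallet string are placeholders.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# JSON-RPC methods used by Bitcoin-style Stratum and by CryptoNote/XMRig
# style pools. These names travel in the payload whatever port or IP
# the pool happens to use.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "keepalived", "getjob",
}
# Field names that only show up in miner <-> pool job exchanges.
JOB_FIELDS = {"job_id", "blob", "target", "seed_hash", "nonce"}

# A domain/IP blocklist of the kind the text says the attackers evaded.
KNOWN_POOL_HOSTS = {"pool.public-pool.example", "203.0.113.10"}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str        # IP or hostname, as the egress proxy logged it
    dport: int
    payload: str    # first bytes of the stream (constructed)


@dataclass
class Finding:
    ts: str
    dst: str
    dport: int
    reason: str


def _first_json_line(payload: str) -> Optional[dict]:
    """Stratum is newline-delimited JSON; parse the first line only."""
    line = payload.split("\n", 1)[0].strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def classify(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the payload looks like mining traffic."""
    msg = _first_json_line(flow.payload)
    if msg is None:
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        params = msg.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        reason = f"stratum method {method!r}"
        if agent:
            reason += f" (agent {agent!r})"
        return Finding(flow.ts, flow.dst, flow.dport, reason)
    # Pool -> miner direction: a job object inside "result".
    result = msg.get("result")
    if isinstance(result, dict):
        job = result["job"] if isinstance(result.get("job"), dict) else result
        if JOB_FIELDS & set(job):
            return Finding(flow.ts, flow.dst, flow.dport, "pool job response")
    return None


def blocklist_hits(flows: List[Flow]) -> List[Flow]:
    """What a domain/IP-only detector would catch."""
    return [f for f in flows if f.dst in KNOWN_POOL_HOSTS]


def payload_hits(flows: List[Flow]) -> List[Finding]:
    """What protocol inspection catches, regardless of endpoint or port."""
    return [x for x in (classify(f) for f in flows) if x is not None]


SAMPLE_FLOWS = [
    # Private pool fronted by a CDN, on 443: no blocklist will list it.
    Flow("2020-01-01T03:14:01Z", "10.0.3.17", "cdn-front.example.net", 443,
         '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCwallet","pass":"x","agent":"XMRig/2.5.0"}}\n'),
    # Same pool answering with a job on a non-standard port.
    Flow("2020-01-01T03:14:02Z", "10.0.3.17", "198.51.100.7", 14444,
         '{"id":1,"jsonrpc":"2.0","result":{"id":"c0ffee","job":{"blob":"0707deadbeef","job_id":"j1","target":"b88d0600"},"status":"OK"}}\n'),
    # Ordinary HTTP health check: must not fire.
    Flow("2020-01-01T03:14:03Z", "10.0.3.18", "api.internal.example", 80,
         "GET /health HTTP/1.1\r\nHost: api.internal.example\r\n\r\n"),
    # Ordinary JSON-RPC call to an internal service: must not fire.
    Flow("2020-01-01T03:14:04Z", "10.0.3.18", "rpc.internal.example", 443,
         '{"id":7,"jsonrpc":"2.0","method":"getUser","params":{"id":42}}\n'),
    # Old-style miner talking to a listed public pool on 3333.
    Flow("2020-01-01T03:14:05Z", "10.0.3.19", "203.0.113.10", 3333,
         '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'),
]

if __name__ == "__main__":
    print("blocklist caught:", len(blocklist_hits(SAMPLE_FLOWS)))
    for f in payload_hits(SAMPLE_FLOWS):
        print(f"{f.ts} {f.dst}:{f.dport} {f.reason}")
```

The blocklist catches only the miner that talks to the listed public pool on port 3333; the protocol check also catches the CDN-fronted login on 443 and the job response on port 14444, and stays quiet on the ordinary HTTP and JSON-RPC traffic. One caveat a practitioner should keep in mind: when the miner wraps Stratum in TLS to the CDN, the payload is only visible on the host (a process-level or eBPF capture) or at an egress proxy that terminates TLS, so this check belongs at the workload, not only at the network edge. Because the attackers also throttled CPU usage, a simple CPU threshold is not a reliable fallback either; per-pod outbound connection inventories are.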
Although a missing password (or a weak one, for that matter) is a major cause of these kinds of attacks, poorly written API access rules also play a part: when the access keys an attacker finds carry full administrative or root-equivalent privileges, a foothold on a single container turns into control of the whole account, which can then be used to launch Cryptojacking attacks at scale.
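The difference between a leaked key that mines on one pod and a leaked key that hands over the account is the policy attached to it. As an added example (not code from the original post and not tied to Tesla's actual configuration), the following checker flags the AWS IAM policy patterns that turn a stolen key into account-wide control: an Allow of every action on every resource, a service-wide wildcard on every resource, and an unscoped iam:PassRole. The two policies in it are constructed; the bucket name is a placeholder.

```python
"""Flag over-broad AWS IAM policy statements.

Added example, not code from the original post. WEAK_POLICY and
SCOPED_POLICY are constructed illustrations; the bucket ARN is a placeholder.
"""
from typing import Any, List


def _as_list(value: Any) -> list:
    """IAM allows a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> List[str]:
    """Return one human-readable finding per risky Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_actions = "*" in actions
        service_wild = [a for a in actions if a.endswith(":*")]
        any_resource = "*" in resources

        if all_actions and any_resource:
            findings.append(f"statement {i}: Action '*' on Resource '*' (full account access)")
        elif all_actions:
            findings.append(f"statement {i}: Action '*' (every API call)")
        elif service_wild and any_resource:
            findings.append(f"statement {i}: {service_wild} on Resource '*'")

        # PassRole with Resource '*' lets the caller attach any role, including
        # administrative ones, to EC2/Lambda/ECS: a well-known escalation path.
        if any_resource and any(a.lower() in ("iam:passrole", "iam:*") for a in actions):
            findings.append(f"statement {i}: iam:PassRole / iam:* without a role ARN")
    return findings


# The kind of key an attacker hopes to find inside a pod.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# What a workload that only needs to read and write one telemetry bucket should carry.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::telemetry-bucket-example/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::telemetry-bucket-example"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```

The checker reads only Action and Resource; a policy that grants through NotAction or that relies on a permission boundary needs the real policy simulator rather than this shortcut. The point it makes stands regardless: a key scoped like SCOPED_POLICY lets an intruder touch one bucket, while a key scoped like WEAK_POLICY lets them spin up whatever compute they want to mine with.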
Our next and final blog in this series will provide tips and recommendations on how you can protect your IT Infrastructure from a Cryptojacking attack.