Bitcoin & cryptojacking – Part 3
Last week we examined how a cryptojacking attack is launched. Keep in mind that many attacks are now launched against cloud-based infrastructure as well, which is the focus of this post.
Cryptojacking & the Cloud
It is important to know that today's cryptojacker is not just out to steal the processing and electrical resources of your individual computer and/or wireless device. They also target the overall Cloud infrastructure, since it offers far more resources that can be used to launch stealthier and more covert cryptojacking attacks.
A prime example of this is Tesla. Tesla is an auto manufacturer that has used Amazon Web Services (AWS) for its Cloud infrastructure needs. In this particular instance, it made use of an open source platform originally developed by Google called the "Kubernetes System." This is an application that allows businesses and corporations to completely automate the deployment, scaling and management of containerized cloud-based applications.
Tesla had deployed the Kubernetes System onto its AWS Platform, but the system was not made secure enough (no administrative password had been created and implemented); as a result, various cryptojackers were able to gain access to Tesla's overall AWS Environment. Once inside, they covertly installed numerous cryptojacking mining scripts onto the Kubernetes System instances.
As a result, the cryptojackers gained full control of Tesla's AWS processing and electrical resources and used them to launch multiple cryptojacking attacks. They were also able to access sensitive information and data stored in Tesla's AWS Simple Storage Service (S3) buckets.
The cryptojackers also used other tactics to avoid detection. For example, they made use of private Mining Pool Software packages, which instructed the mining scripts to connect to an unlisted endpoint rather than a publicly known pool. By using this approach, existing Domain- and IP-based threat detection systems could not pick up on the cryptojacking activity that was taking place.
The cryptojackers were also able to mask the true IP address of the mining pool by hiding it behind a Content Delivery Network known as "CloudFlare." They even made use of nonstandard Network Port Numbers to communicate covertly with the hidden IP addresses. All of this was combined with keeping CPU usage low, which allowed the suspicious network traffic to go undetected for long periods of time.
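As an added example (not code from the original post), the following Python heuristic looks for the behaviour described above in network flow records: because the pool endpoint is unlisted and CDN-fronted, domain and IP reputation lists are blind to it, so the detector instead flags outbound sessions to ports outside an expected allowlist that persist over time, regardless of how little traffic they carry. The sample log lines, addresses, ports and account id are constructed for this example and follow the default AWS VPC Flow Log field order.

```python
from collections import defaultdict

# Constructed sample in the default AWS VPC Flow Log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. All values are made up.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 51302 443 6 40 9000 1520000000 1520000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 51800 5566 6 12 1800 1520000000 1520000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 51800 5566 6 11 1700 1520000600 1520001200 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 51800 5566 6 13 1900 1520001200 1520001800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.8 51990 80 6 20 4000 1520001200 1520001800 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 52000 6379 6 30 6000 1520000000 1520001800 ACCEPT OK
"""

EXPECTED_PORTS = frozenset({53, 80, 443})   # what this workload is expected to talk to (assumed)
INTERNAL_PREFIX = "10."                     # flows staying inside the VPC are ignored (assumed)


def find_persistent_egress(log_text, expected_ports=EXPECTED_PORTS,
                           min_span=1200, internal_prefix=INTERNAL_PREFIX):
    """Return (src, dst, dport, span_seconds, total_bytes) for every outbound
    session to a non-expected port that persists for at least min_span seconds.
    Byte volume is deliberately not a criterion: a miner throttled to keep CPU
    usage low also sends little traffic, so persistence is the signal."""
    sessions = defaultdict(lambda: [None, None, 0])  # key -> [first_start, last_end, bytes]
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        src, dst, dport = f[3], f[4], int(f[6])
        if not src.startswith(internal_prefix) or dst.startswith(internal_prefix):
            continue                               # keep only egress flows
        if dport in expected_ports:
            continue
        start, end, nbytes = int(f[10]), int(f[11]), int(f[9])
        s = sessions[(src, dst, dport)]
        s[0] = start if s[0] is None else min(s[0], start)
        s[1] = end if s[1] is None else max(s[1], end)
        s[2] += nbytes
    findings = []
    for (src, dst, dport), (first, last, total) in sessions.items():
        span = last - first
        if span >= min_span:
            findings.append((src, dst, dport, span, total))
    return sorted(findings)


if __name__ == "__main__":
    for hit in find_persistent_egress(SAMPLE_FLOW_LOG):
        print("persistent non-standard egress:", hit)
```

On the sample, only the low-volume session to 203.0.113.9 on port 5566 is reported; the internal Redis-style flow and the web-port flows are ignored.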
Although not using a password (or using a weak one, for that matter) can be a major cause of these kinds of attacks, poorly written API Access Rules also expose root accounts to further manipulation that can be used to launch cryptojacking attacks.
Our final post in this series will provide various tips and recommendations on how you can protect your IT infrastructure from a potential cryptojacking attack.