Malicious Actors Targeting the Cloud for Cryptocurrency Mining Activities

Trend Micro has announced a report revealing a fierce, hour-by-hour battle for resources among malicious cryptocurrency mining groups.

“Just a few hours of compromise could translate into profits for authors. This is why we are seeing a continuous struggle for cloud CPU resources. It’s akin to capturing the flag in real life, with the victim’s cloud infrastructure as the battleground,” said Stephen Hilt, Senior Threat Researcher at Trend Micro.

“Threats like this require built-in, platform-based security to ensure the bad guys have nowhere to hide. The right platform will help teams map their attack surface, assess risk, and request the right protection without adding excessive overhead.”

Threat actors are increasingly seeking out and exploiting such exposed instances, and brute-forcing Secure Shell (SSH) credentials, to compromise cloud assets for cryptocurrency mining, the report reveals. Targets are often characterized by outdated software in the cloud environment, poor cloud security hygiene, or insufficient knowledge of how to secure cloud services, and are therefore easily exploited by threat actors to gain access to systems.

Cloud Vulnerability

Investments in cloud computing have exploded during the pandemic. But the ease with which new assets can be deployed has also left many cloud instances online longer than necessary, unpatched and misconfigured.

This additional workload threatens to slow down key user-facing services for victimized organizations, as well as increasing operating costs by up to 600% for each infected system.

Crypto mining can also be a precursor to more serious compromises. Many mature threat actors deploy mining software to generate additional revenue before buyers purchase that access for ransomware, data theft, or other attacks.

The report details the activity of several groups of threat actors in this space, including:

  • Outlaw, which compromises IoT devices and Linux cloud servers by exploiting known vulnerabilities or performing SSH brute force attacks.
  • TeamTNT, which exploits vulnerable software to compromise hosts before stealing credentials for other services to help it move to new hosts and abuse misconfigured services.
  • Kinsing, which sets up an XMRig kit for Monero mining and kicks all other miners out of a victimized system.
  • 8220, which has been observed battling Kinsing for the same resources. The two groups frequently eject each other from a host and then install their own cryptocurrency miners.
  • Kek Security, which has been associated with IoT malware and running botnet services.

Mitigating the Threat of Malicious Cloud Cryptocurrency Mining Attacks

  • Ensure systems are up to date and only running required services
  • Deploy firewall, IDS/IPS, and cloud endpoint security to limit and filter network traffic to and from known malicious hosts
  • Eliminate misconfigurations with cloud-based security posture management tools
  • Monitor traffic to and from cloud instances and filter domains associated with known mining pools
  • Deploy rules that monitor open ports, DNS routing changes, and CPU resource usage from a cost perspective
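As an added illustration of the last two mitigations (example code written for this article, not from Trend Micro's report), the following Python sketch flags DNS queries to mining-pool domains and processes with sustained high CPU over constructed sample data; the log format, the process names and the blocklist domains are assumptions.

```python
"""Constructed detection sketch: flag DNS queries to known mining-pool domains
and processes with sustained high CPU, then correlate the two signals per host.
The log format, process names and domain list are assumptions for illustration."""

# Placeholder blocklist; in practice populate it from a threat-intel feed.
MINING_POOL_DOMAINS = {"pool.miner-example.test", "xmr.pool-example.test"}

# Constructed DNS resolver log lines: "<timestamp> <client_ip> query <qname>"
DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 query api.internal.example
2024-01-01T10:00:02 10.0.0.9 query pool.miner-example.test
2024-01-01T10:00:03 10.0.0.9 query updates.internal.example
2024-01-01T10:00:04 10.0.0.12 query xmr.pool-example.test
"""

# Constructed CPU samples per (host, process): percent CPU over five intervals
CPU_SAMPLES = {
    ("10.0.0.9", "xmrig"): [97, 99, 98, 99, 97],
    ("10.0.0.5", "nginx"): [12, 40, 8, 15, 10],
    ("10.0.0.12", "python3"): [95, 20, 10, 5, 3],
}

def mining_pool_queries(log_text, blocklist=MINING_POOL_DOMAINS):
    """Return {client_ip: [qnames]} for queries that hit the blocklist,
    matching a listed domain exactly or any subdomain of it."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed lines rather than crash the detector
        client, qname = parts[1], parts[3].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in blocklist):
            hits.setdefault(client, []).append(qname)
    return hits

def sustained_cpu(samples, threshold=90, min_intervals=4):
    """Return (host, process) pairs whose CPU stayed at or above threshold for
    at least min_intervals consecutive samples; a short burst is not flagged."""
    flagged = []
    for key, series in samples.items():
        run = longest = 0
        for pct in series:
            run = run + 1 if pct >= threshold else 0
            longest = max(longest, run)
        if longest >= min_intervals:
            flagged.append(key)
    return flagged

def correlate(dns_hits, cpu_flags):
    """Hosts showing both signals are the highest-confidence mining candidates."""
    return sorted(host for host, _ in cpu_flags if host in dns_hits)
```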

Sara H. Byrd