Protect Cloud Resources Against Cryptojacking
![Featured image for: Protect Cloud Resources Against Cryptojacking](https://cdn.thenewstack.io/media/2024/07/74822efe-cryptojacking-cloud-security-1024x576.jpg)
Cryptojacking, or malicious cryptomining, is a threat embedded within a mobile device or a computer to mine cryptocurrencies. It offers an attacker free access to compute resources — at the expense of your device’s and network’s health — capitalizing on the device’s computing power for their gain.
These attacks are on the rise: In 2019, 51.6 million cryptojacking attacks were reported; during the first half of 2023 alone, cryptojacking volume reached 332.3 million, reported the 2023 SonicWall Cyber Threat Report Mid-Year Update.
| Year | # of Cryptojacking Attacks |
|---|---|
| 2023 (1st half) | 332 million |
| 2022 | 140 million |
| 2021 | 97.1 million |
| 2020 | 66.7 million |
| 2019 | 51.6 million |
The rise of digital currencies has increased the threats associated with cryptojacking, and the impact is significant: cybercriminals stole $1.38 billion worth of cryptocurrency in the first half of 2024 alone, doubling the first half of 2023’s figures.
The cryptocurrency landscape has seen notable changes in the last few years, in part because of these factors that have shaped the crypto industry:
- Global acceptance: Australia, Japan and other countries have legalized the use of cryptocurrencies as payment methods.
- Diverse offerings: Beyond Bitcoin, currencies like Ethereum, Litecoin, Dogecoin and Monero have gained massive popularity.
- Regulatory development: The crypto industry has only a handful of rules and regulations that ensure that its various operations are carried out properly.
- Market resilience: Despite the challenges, the cryptocurrency industry has maintained resilience through the years.
How Cryptojacking Works
This cybercrime happens when criminals hack into devices using malware-laden emails, malicious URLs and software vulnerabilities, as well as by exploiting compromised environments. They then install cryptojacking software, which works in the background to steal from crypto wallets or mine new cryptocurrencies.
Attack methods include:
- Endpoint attacks: Mainly triggered through phishing, file-less malware or embedded scripts on compromised websites.
- Server and network attacks: Leverage vulnerabilities in servers and network devices to mount an attack on the system.
- Software supply chain attacks: Cryptojacking scripts embedded in open source code repositories and software dependencies.
- Cloud infrastructure exploitation: Use cloud services and resources to scale cryptocurrency mining operations.
Once they’ve exploited a device, hackers use it to mine cryptocurrencies through tactics such as:
- Legitimate mining: Cybercriminals release new cryptocurrency units into the market by solving the computational puzzles that the currency's network rewards.
- Resource theft: Cybercriminals take over a victim's computing resources (devices, servers and cloud infrastructure) so that the cost of mining falls on the victim instead of the attacker.
- Attack methods: Malware distribution, vulnerability exploitation and supply-chain attacks are also used to carry out illegal mining operations.
Some real-world cryptojacking examples include:
- WatchDog campaigns targeting Docker Engine API and Redis servers.
- The TeamTNT and Kinsing gangs, which focus on cloud-oriented services like Alibaba ECS instances.
- Attacks exploiting the Log4Shell vulnerability, including against VMware Horizon servers.
- Supply-chain attacks via compromised npm libraries or cryptojacking apps found in the Microsoft Store.
- The Kobe Bryant wallpaper, which used steganography to hide malicious code on the victim's system.
- Romanian attackers targeting Linux machines with Monero mining malware.
- CoinStomp, which employs sophisticated evasion tactics.
- Adylkuzz, CPUMiner/EternalMiner and Linux.MulDrop.14, malware that exploit vulnerabilities like EternalBlue and SambaCry.
Growing companies and DevSecOps engineers must implement robust security measures to safeguard their systems from crypto attacks.
Cryptojacking in the Age of AI
These days, even AI-based models are becoming victims of cryptojacking, with AI systems hijacked for cryptocurrency mining. So, it is crucial to make use of popular frameworks like KubeFlow and TensorFlow pipelines for building and deploying AI; this will help mitigate attacks without impacting the performance of these resources.
As cryptojacking expands, threat actors are trying to enhance their scope and go beyond Windows-based attacks. Cryptominers have been targeting apps designed for Macs, such as the recently discovered Final Cut Pro campaign. Linux servers and internal Redis servers became popular targets for cryptojacking campaigns in 2022.
In January 2023, hackers used automation to generate 130,000 free trial accounts on cloud platform services with the aim of exploiting GitHub Actions workflows for illicit cryptomining activities.
![Flow chart shows a TNTbotinger attack's mode of operation.](https://cdn.thenewstack.io/media/2024/07/367dbc01-tntbotinger-attack-tree.png)
The flow chart shows the TNTbotinger attack's mode of operation.
Impact and Threats of Cryptojacking
Cryptojacking can impact the victim’s computer by slowing it down and consuming more electricity. This is because the malware that has been installed on the victim’s computer will begin to actively use the computer’s processing power for mining cryptocurrencies.
Cryptojacking malware can also damage the computer’s hardware, causing it to overheat and exposing the system to other attacks.
Common Traits of Kubernetes-Based Cryptominers
- One of the most commonly observed traits of Kubernetes-based cryptominers is their attraction to DaemonSet deployments. A DaemonSet schedules exactly one pod on every node, so the attacker gets one mining pod per node and the mining processes do not compete with one another.
- Kubernetes-based cryptominers also use the /tmp/ folder to load and unload their mining tools.
- Cryptominers depend on network connectivity to synchronize their mining pool and send their mining results.
- For widespread propagations, cryptominers use privileged access or a cluster admin role, allowing them to spread malicious payloads across the cluster.
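The four traits above can be turned into a triage pass over the cluster's pod list. The following is an added example, not code from the article or from AccuKnox/KubeArmor: it takes pod objects in the shape of `kubectl get pods -A -o json` items (only the fields it reads), plus the set of service accounts that a separate RoleBinding lookup found bound to cluster-admin, and flags pods that show two or more traits. All pod data and service-account names below are constructed.

```python
"""Triage running pods for the Kubernetes cryptominer traits listed above.

Added example, not code from the article or from AccuKnox/KubeArmor.
Input: pod dicts shaped like `kubectl get pods -A -o json` items, and the
service accounts known to hold cluster-admin (resolved separately).
All sample data is constructed.
"""


def pod_traits(pod: dict, admin_service_accounts=frozenset()) -> list:
    """Return the miner traits one pod shows (empty list means none)."""
    traits = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})

    # Trait 1: owned by a DaemonSet, i.e. one copy scheduled on every node.
    if any(o.get("kind") == "DaemonSet" for o in meta.get("ownerReferences", [])):
        traits.append("daemonset")

    for c in spec.get("containers", []):
        # Trait 2: entrypoint or arguments run something staged under /tmp/.
        argv = list(c.get("command", [])) + list(c.get("args", []))
        if any(tok.startswith("/tmp/") for tok in argv):
            traits.append(f"tmp-exec:{c['name']}")
        # Trait 4a: privileged container, enough to reach the node itself.
        if c.get("securityContext", {}).get("privileged"):
            traits.append(f"privileged:{c['name']}")

    # Trait 4b: runs as a service account bound to cluster-admin.
    if spec.get("serviceAccountName") in admin_service_accounts:
        traits.append(f"cluster-admin:{spec['serviceAccountName']}")
    # Trait 3 (connectivity to a mining pool) is not visible in the pod spec;
    # it belongs to network monitoring, not to this spec-level check.
    return traits


def triage(pods, admin_service_accounts=frozenset(), min_traits=2) -> dict:
    """Map namespace/name -> traits for pods showing at least min_traits traits."""
    flagged = {}
    for pod in pods:
        traits = pod_traits(pod, admin_service_accounts)
        if len(traits) >= min_traits:
            ns = pod["metadata"].get("namespace", "default")
            flagged[f"{ns}/{pod['metadata']['name']}"] = traits
    return flagged


# Constructed sample: one miner-like pod, one legitimate DaemonSet, one web pod.
SAMPLE_PODS = [
    {
        "metadata": {"name": "node-helper-k7x2q", "namespace": "kube-system",
                     "ownerReferences": [{"kind": "DaemonSet", "name": "node-helper"}]},
        "spec": {"serviceAccountName": "ops-admin",
                 "containers": [{"name": "helper",
                                 "image": "docker.io/library/alpine:latest",
                                 "command": ["/tmp/.x/run.sh"],
                                 "securityContext": {"privileged": True}}]},
    },
    {
        "metadata": {"name": "fluent-bit-9sd2p", "namespace": "logging",
                     "ownerReferences": [{"kind": "DaemonSet", "name": "fluent-bit"}]},
        "spec": {"serviceAccountName": "fluent-bit",
                 "containers": [{"name": "fluent-bit",
                                 "image": "fluent/fluent-bit:3.0",
                                 "args": ["-c", "/fluent-bit/etc/fluent-bit.conf"]}]},
    },
    {
        "metadata": {"name": "web-7c9f8b", "namespace": "shop",
                     "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7c9f8b"}]},
        "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
    },
]
# Constructed result of a RoleBinding/ClusterRoleBinding lookup.
ADMIN_SERVICE_ACCOUNTS = frozenset({"ops-admin"})

if __name__ == "__main__":
    for name, traits in triage(SAMPLE_PODS, ADMIN_SERVICE_ACCOUNTS).items():
        print(name, "->", ", ".join(traits))
```

A legitimate DaemonSet such as a log shipper matches only the first trait, which is why the threshold is two traits rather than one; lower it if you would rather review every DaemonSet by hand.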
How to Detect Cryptojacking Attacks
The first step in preventing cryptojacking attacks is detecting them.
Network monitoring:
- Continuously observe the network traffic for signs of suspicious patterns, such as outbound connections to known cryptocurrency mining pools, command-and-control (C2) servers, etc.
- Configure network intrusion detection and prevention systems (IDS/IPS) to automatically trigger alarms on potential cryptojacking activities.
Threat hunting:
- Conduct regular threat-hunting exercises to look for signs of compromise or malicious activities related to cryptojacking.
- Analyze system logs, network traffic, process behavior and other telemetry data for indicators of cryptojacking infections.
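The network-monitoring and threat-hunting steps above reduce to a handful of rules run over connection and process telemetry. The block below is an added example, not code from the article or from any product it names: it parses constructed key=value telemetry records and raises alerts for connections to denylisted pool hosts, connections to ports commonly used by Stratum mining-pool endpoints, `stratum+tcp://` URLs, and binaries under scratch directories that stay hot on the CPU for several consecutive samples. The record format, the port list and the `.invalid` pool denylist are assumptions; in practice they come from your sensor and threat-intelligence feeds.

```python
"""Cryptojacking detection rules over constructed telemetry records.

Added example, not from the article or any product it names. The key=value
record format, the Stratum port list and the pool denylist are assumptions.
"""
import re
from collections import defaultdict

# Ports commonly used by Stratum mining-pool endpoints (assumption: tune per environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777}
# Constructed denylist; real pool domains come from threat intelligence.
POOL_DENYLIST = {"pool.example-miner.invalid", "xmr.example-pool.invalid"}
# Binaries staged in scratch directories are suspicious when they burn CPU.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_THRESHOLD = 85.0   # percent of one core
CPU_STREAK = 3         # consecutive samples above the threshold before alerting

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Turn one key=value telemetry record into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def detect(lines) -> list:
    """Run every rule over the records; return (rule, host, detail) alerts in order."""
    alerts = []
    streak = defaultdict(int)  # (host, pid) -> consecutive hot samples
    for line in lines:
        rec = parse(line)
        host = rec.get("host", "?")
        if rec.get("type") == "conn":
            dst = rec.get("dst", "")
            dst_host, _, dst_port = dst.rpartition(":")
            dst_host = dst_host or dst          # no port given
            port = int(dst_port) if dst_port.isdigit() else 0
            if dst_host in POOL_DENYLIST:
                alerts.append(("known_mining_pool", host, dst))
            elif port in STRATUM_PORTS:
                alerts.append(("stratum_port", host, dst))
            if rec.get("url", "").startswith("stratum+tcp://"):
                alerts.append(("stratum_url", host, rec["url"]))
        elif rec.get("type") == "proc":
            key = (host, rec.get("pid"))
            hot = float(rec.get("cpu_pct", "0")) >= CPU_THRESHOLD
            streak[key] = streak[key] + 1 if hot else 0
            # Alert once, when the streak first reaches the threshold.
            if streak[key] == CPU_STREAK and rec.get("exe", "").startswith(SCRATCH_PREFIXES):
                alerts.append(("hot_scratch_binary", host, rec["exe"]))
    return alerts


# Constructed telemetry: one benign HTTPS connection, one Stratum-port connection,
# one denylisted pool with a stratum URL, a hot /tmp binary, and a hot but
# legitimate encoder that must not alert.
SAMPLE_TELEMETRY = """
type=conn host=node-3 pid=4242 dst=203.0.113.9:443 proto=tcp
type=conn host=node-3 pid=4311 dst=198.51.100.7:3333 proto=tcp
type=conn host=node-7 pid=901 dst=pool.example-miner.invalid:443 url=stratum+tcp://pool.example-miner.invalid:443
type=proc host=node-3 pid=4311 exe=/tmp/.x/kworkerd cpu_pct=97
type=proc host=node-3 pid=4311 exe=/tmp/.x/kworkerd cpu_pct=99
type=proc host=node-3 pid=4311 exe=/tmp/.x/kworkerd cpu_pct=98
type=proc host=node-3 pid=4311 exe=/tmp/.x/kworkerd cpu_pct=98
type=proc host=node-5 pid=77 exe=/usr/bin/ffmpeg cpu_pct=99
type=proc host=node-5 pid=77 exe=/usr/bin/ffmpeg cpu_pct=99
type=proc host=node-5 pid=77 exe=/usr/bin/ffmpeg cpu_pct=99
""".strip().splitlines()

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_TELEMETRY):
        print(f"{rule:20} {host:8} {detail}")
```

The CPU rule deliberately requires both a sustained streak and a scratch-directory path: a video encoder pinning a core for minutes is normal, while a binary named like a kernel thread running from `/tmp/` is not. Feed the alerts into your threat-hunting queue rather than blocking on them automatically, and review the port list against the services your environment legitimately uses.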
How to Prevent Cryptojacking Attacks
Prevention strategies include the following:
- Securing cloud and container environments:
  - Restrict the behavior of containers and nodes (VMs) at the system level using tools like AccuKnox CNAPP.
  - Look for tools that prevent malicious or unknown behaviors in containers by specifying their desired actions through:
    - Full lifecycle container security management.
    - Combining static and runtime security.
    - Automated continuous governance, risk and compliance for CIS, PCI, NIST and MITRE.
    - Detailed auditing and container forensics powered by eBPF.
- Software supply-chain security:
  - Implement secure software supply chain practices, including vulnerability scanning, code analysis and verification of third-party dependencies.
  - Implement software security controls like binary authorization and code signing to prevent tampering with code before it is executed.
- Account and credential management:
  - Use multifactor authentication (MFA) to verify user accounts.
  - Restrict account access and enforce least-privilege policies.
  - Continuously audit and monitor user groups and accounts for suspicious activity.
  - Establish offboarding procedures that revoke access promptly.
- Supply chain security:
  - Use continuous integration and delivery pipelines together with binary authorization to ensure that only verified images are deployed.
  - Perform continuous code analysis and vulnerability scanning to detect malicious threats.
- Secrets and key management:
  - Rotate encryption keys at regular intervals, and avoid storing secret keys on local systems.
  - Use a hardened, managed solution like Google Secret Manager to store all your secrets and encryption keys; this gives your system an added layer of security.
- Implement the Cryptomining Protection Program:
  - If you are a Google Cloud Security Command Center Premium customer, try joining the Cryptomining Protection Program to offset virtual machine (VM) costs related to undetected cryptojacking attacks. The program provides financial compensation for the computing resources consumed by cryptominers, which may encourage customers to detect and mitigate a variety of threats proactively.
- Reduce internet exposure:
  - Restrict your system's exposure to external traffic. Also, avoid assigning external IPs to containers or VMs wherever possible.
  - Implement zero-trust security principles for better device security.
- Secure compute resources:
  - Secure VM images by using trusted image policies.
  - Use restricted service accounts and secure shell (SSH) access to monitor compute resources better.
- Keep up with endpoint protection and patching:
  - Deploy strong antimalware solutions that automatically detect cryptojacking malware.
  - Patch antimalware software regularly with the latest updates for enhanced performance and security.
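Several of the prevention items above (binary authorization, verified images only, least privilege, trusted image policies, secured compute) can be enforced as a single pre-deployment gate on a pod manifest. The following is an added example, not code from the article, Google Cloud or AccuKnox: it checks that every image comes from an allow-listed registry and is pinned by digest, that the pod does not share the node network or auto-mount an API token, that containers are not privileged, cannot escalate, run on a read-only root filesystem and carry a CPU limit. The registry allow-list and both manifests (one weak, one hardened) are constructed.

```python
"""Pre-deployment manifest gate for the prevention items above.

Added example, not from the article, Google Cloud or AccuKnox. The registry
allow-list and both sample manifests are constructed assumptions.
"""
import re

ALLOWED_REGISTRIES = ("registry.example.internal/",)   # assumption: your private registry
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_image(image: str) -> list:
    """Binary-authorization style rule: trusted registry and an immutable digest."""
    problems = []
    if not image.startswith(ALLOWED_REGISTRIES):
        problems.append(f"{image}: registry not on the allow-list")
    if not DIGEST_RE.search(image):
        # Rejects mutable references such as ':latest' or any tag without a digest.
        problems.append(f"{image}: not pinned by sha256 digest")
    return problems


def check_pod(manifest: dict) -> list:
    """Return every rule the pod manifest violates (empty list = passes the gate)."""
    spec = manifest.get("spec", {})
    problems = []
    if spec.get("hostNetwork"):
        problems.append("hostNetwork: true shares the node's network namespace")
    if spec.get("automountServiceAccountToken", True):
        problems.append("service account token auto-mounted; a compromised pod can reach the API")
    for c in spec.get("containers", []):
        problems += check_image(c.get("image", ""))
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            problems.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            problems.append(f"{c['name']}: writable root filesystem (lets a miner drop binaries)")
        if not c.get("resources", {}).get("limits", {}).get("cpu"):
            problems.append(f"{c['name']}: no CPU limit, so a miner can take the whole node")
    return problems


# Constructed weak manifest: mutable public image, privileged, on the host network.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app",
                        "image": "docker.io/library/busybox:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed hardened manifest: same workload with every rule satisfied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app",
                        "image": "registry.example.internal/app@sha256:" + "0123456789abcdef" * 4,
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        issues = check_pod(pod)
        print(f"{label}: {'PASS' if not issues else 'REJECT'}")
        for issue in issues:
            print("  -", issue)
```

Wire a check like this into the CI/CD pipeline (or an admission webhook) so that a manifest is rejected before it reaches the cluster; the CPU limit is the one rule that still matters after a compromise, because it caps what an undetected miner can consume.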
How to Respond to Cryptojacking Incidents
If you are the victim of a cryptojacking attack, here are some tips to recover:
- Incident response planning: One of the best ways to deal with cryptojacking incidents is to have a comprehensive incident response plan in advance. The plan should have detailed information on identifying, containing, eradicating and recovering from cryptocurrency mining attacks. Include clear roles, responsibilities and communication channels so you can deal with cryptojacking incidents in a streamlined manner.
- Educate employees: IT teams rely on employees to inform them when their devices are overheating or running slowly. Employees must have a clear understanding of cybersecurity detection and their responsibilities. They must also know how to avoid clicking on malicious links in emails. This can restrict crypto attacks and protect IT systems from threats.
- Isolate the affected devices: Isolate the affected machines from the IT network or shut them down as soon as possible. This will prevent other devices from being attacked and minimize the impact.
To give your system an extra layer of protection, implement KubeArmor Zero Trust policies. AccuKnox, powered by KubeArmor, is a runtime Kubernetes security engine that leverages eBPF and Linux Security Modules (LSMs) for securing cloud containers and protecting AI-based systems. Try a demo to learn more.