Organizations’ on-premise and cloud-based servers are compromised, abused and rented out as part of a sophisticated criminal monetization lifecycle, Trend Micro research finds.
The findings come from a report on how the underground hosting market operates, and they show that cryptocurrency mining activity should be the indicator that puts IT security teams on high alert.
Cryptomining activity used to monetize compromised servers
While cryptomining activity may not cause disruption or financial losses on its own, mining software is usually deployed to monetize compromised servers that are sitting idle while criminals plot larger money-making schemes. These include exfiltrating valuable data, selling server access for further abuse, or preparing for a targeted ransomware attack.
Any servers found to contain cryptominers should be flagged for immediate remediation and investigation.
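The recommendation above treats a cryptominer as a trigger for remediation and investigation rather than as a nuisance. The following Python script is an added example of what that first triage check can look like on a Linux host; it is not code from the report or from Trend Micro. It scans a constructed `ps`-style process snapshot and a constructed `netstat`-style connection list for common cryptominer indicators (known miner binary names, a `stratum+tcp://` pool URL in the arguments, a binary launched from a temporary directory, sustained high CPU, and outbound connections to ports mining pools commonly use). The miner names, port list and CPU threshold are heuristic assumptions chosen for the example, and the process and connection data are invented.

```python
import re
from collections import defaultdict

# Constructed sample input (not taken from the report): a `ps -eo pid,user,%cpu,args`-style
# snapshot and a `netstat -tnp`-style connection list from a hypothetical host.
SAMPLE_PROCESSES = """\
  PID USER     %CPU COMMAND
    1 root      0.1 /sbin/init
 2045 www-data  0.8 /usr/sbin/nginx -g daemon off;
 3311 nobody   97.5 /tmp/.x/kthreadd -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER
 3399 root      1.2 /usr/sbin/sshd -D
"""

SAMPLE_CONNECTIONS = """\
tcp 0 0 10.0.0.5:44122 203.0.113.77:3333 ESTABLISHED 3311/kthreadd
tcp 0 0 10.0.0.5:22 198.51.100.9:51002 ESTABLISHED 3399/sshd
"""

# Heuristics (assumptions for this example): well-known miner binary names, the stratum
# mining-protocol URL scheme, ports mining pools commonly listen on, and binaries run
# from world-writable directories. None of these is conclusive on its own.
MINER_NAMES = re.compile(r"\b(xmrig|minerd|cpuminer)\b", re.IGNORECASE)
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIGH_CPU = 80.0


def scan_processes(ps_output):
    """Return {pid: [reason, ...]} for processes that show cryptominer indicators."""
    findings = defaultdict(list)
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, cpu, cmd = int(parts[0]), float(parts[2]), parts[3]
        if MINER_NAMES.search(cmd):
            findings[pid].append("known miner binary name")
        if STRATUM_URL.search(cmd):
            findings[pid].append("stratum pool URL in arguments")
        if cmd.startswith(TMP_DIRS):
            findings[pid].append("binary executed from a temporary directory")
        # High CPU alone is weak evidence; record it only next to another indicator.
        if cpu >= HIGH_CPU and pid in findings:
            findings[pid].append(f"high CPU usage ({cpu:.1f}%)")
    return dict(findings)


def scan_connections(netstat_output):
    """Return {pid: [reason]} for established connections to common mining-pool ports."""
    findings = defaultdict(list)
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[5] != "ESTABLISHED":
            continue
        remote_port = int(parts[4].rsplit(":", 1)[1])
        pid = int(parts[6].split("/", 1)[0])
        if remote_port in POOL_PORTS:
            findings[pid].append(f"outbound connection to common pool port {remote_port}")
    return dict(findings)


def assess(ps_output, netstat_output):
    """Combine both scans; the host is flagged when any process has a process-level indicator.

    Pool-port traffic is treated as corroboration and attached only to processes that
    already carry a process-level indicator, which keeps ordinary services off the list.
    """
    reasons = defaultdict(list)
    for pid, why in scan_processes(ps_output).items():
        reasons[pid].extend(why)
    for pid, why in scan_connections(netstat_output).items():
        if pid in reasons:
            reasons[pid].extend(why)
    return {
        "flagged": bool(reasons),
        "suspicious_pids": sorted(reasons),
        "reasons": dict(reasons),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS)
    print("flag host for investigation:", report["flagged"])
    for pid in report["suspicious_pids"]:
        print(pid, "->", "; ".join(report["reasons"][pid]))
```

On the constructed input the script flags PID 3311 for the stratum URL, the `/tmp` launch path, 97.5% CPU and the connection to port 3333, while `sshd` and `nginx` stay clean. A positive result is the starting point the article describes: isolate the server and investigate how the miner got there, since the same access is what gets resold or reused for data theft and ransomware.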
“From dedicated bulletproof hosting to anonymizing services, domain name provision and compromised legitimate assets, the cybercriminal underground boasts a sophisticated range of infrastructure offerings to support monetization campaigns of all types,” said Bob McArdle, director of forward-looking threat research for Trend Micro.
“Our goal is to raise awareness and understanding of cybercriminal infrastructure to help law enforcement agencies, customers and other researchers block avenues for cybercrime and drive costs up for threat actors.”
Cloud servers particularly exposed
Cloud servers are particularly exposed to compromise and to use in underground hosting infrastructure because they may lack the protection of their on-premises equivalents.
McArdle continued, “Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited.”
Cybercriminals might look to exploit vulnerabilities in server software, use brute-force attacks to compromise credentials, or steal logins and deploy malware via phishing attacks. They may even target infrastructure management software (cloud API keys), which allows them to create new instances of virtual machines or supply resources.
Once compromised, these cloud server assets could be sold on underground forums, dedicated marketplaces and even social networks for use in a range of attacks.