A few years back, cryptojacking and cryptomining emerged as
relatively low-effort ways to profit by hijacking another’s computing
resources. Today, cloudjacking and cloud mining capitalize on similar
principles, only by targeting the near infinite resources of the cloud to
generate revenue for attackers. Understanding this growing threat is key to maintaining
cyber resilience.
Enterprise-level organizations make especially attractive
cloudjacking targets for a few reasons. As mentioned, the computing power of
cloud networks is effectively limitless for all but the most brazen
cybercriminals.
Additionally, excess electricity consumption, one of the
most common tipoffs for smaller scale cryptojacking attacks, often goes
unnoticed at the scale large corporations are used to operating. The same goes
for CPU usage.
Careful threat actors can also throttle back the amount of
resources they’re ripping off—when attacking a smaller organization, for
instance—to avoid detection. Essentially, the resources stolen at any one time in
these attacks are a drop in the Pacific Ocean to their largest targets. Over
time, though, and depending on particulars of a usage contract, the spend for
CPU used can really add up.
“Hackers have definitely transitioned away from launching
ransomware attacks indiscriminately,” says Webroot threat analyst Tyler
Moffitt. “It used to be, ‘everybody gets the same payload, everyone has the
same flat-rate ransom.’
“That’s all changed. Now, ransomware actors want to go after
businesses with large attack surfaces and more pocketbook money than, say,
grandma’s computer to pay if they’re breached. Cloud is essentially a new
market.”
High-profile cloudjacking incidents
Arguably the most famous example of cloudjacking, at least
in terms of headlines generated, was a 2018 attack
on the electric car manufacturer Tesla. In that incident,
cybercriminals were discovered running malware to leech the company’s Amazon
Web Services cloud computing power to mine cryptocurrency.
Even with an organization of Tesla’s scale, the attackers reportedly
used a throttling technique to ensure their operations weren’t uncovered.
Ultimately, they were reported by a third party that was compensated for their
discovery.
More recently, the hacking group TeamTNT developed a worm
capable of stealing AWS credentials and implanting
cloudjacking malware on systems using the cloud service. It does this by
searching for systems running popular development tools, like Docker or
Kubernetes, that are both improperly configured and running on AWS, then
performing a few simple searches for the unencrypted credentials.
TeamTNT’s total haul remains unclear, since it can spread
its ‘earnings’ across multiple crypto wallets.
The fear though, now that a proven tactic for lifting AWS credentials is
out in the wild, is that misconfigured cloud accounts will become prime targets
for widespread illicit cloud mining.
SMBs make attractive targets, too
Hackers aren’t just launching cloudjacking attacks
specifically against storage systems and development tools. As with other
attack tactics, they often see MSPs and small and medium-sized businesses
(SMBs) as attractive targets as well.
“Several attacks in the first and second quarters of 2019
involved bad actors hijacking multiple managed service providers,” says
Moffitt. “We saw that with Sodinokibi and GandCrab. The same principles apply
here. Hacking a central, cloud-based property allows attackers to hit dozens
and potentially hundreds of victims all at once.”
Because smaller businesses typically share their cloud
infrastructure with other small businesses, compromising cloud infrastructure
can provide cybercriminals with a trove of data belonging to several different
owners.
“The cloud offers an attractive aggregation point as it
allows attackers access to a much larger concentration of victims. Gaining
access to a single Amazon web server, for instance, could allow threat actors
to steal and encrypt data belonging to dozens of companies renting space on
that server, holding it hostage,” says Moffitt.
High-value targets include confidential information like
mission-critical data, trade secrets, unencrypted tax information or customer
information that, if released, would violate privacy laws like GDPR and CCPA.
Some years ago, smaller businesses may have escaped these
cloud compromises without too much disruption. Today, the data and services
stored or run through the cloud are critical to the day-to-day even for SMBs.
Many businesses would be simply crippled should they lose access to public or
private cloud assets.
The pressure to pay a ransom, therefore, is significantly
higher than it was even three years ago. But ransoms aren’t the only way for
malicious actors to monetize their efforts. With cloud mining, they can get
right to work making cryptocurrency while evading notice for as long as
possible.
How to protect against cloudjacking and cloud mining
Moffitt recommends using “versioning” to guard against
cloudjacking attacks. Versioning is the practice of serializing unalterable
backups to prevent them from being deleted or manipulated.
“That means not just
having snapshot or history copies—that’s pretty standard—since with ransomware
we’ve seen actors encrypt all of those copies. So, my suggestion is
creating immutable backups. It’s called versioning, but these are essentially
snapshot copies that can never be edited or encrypted.”
Moffitt says many service providers have this capability,
but it may not be the default and may need to be switched on manually.
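To make the "not the default" point concrete, here is an added example (not code from the article or from Webroot) that grades a backup bucket on whether its copies are truly immutable. The input dicts are assumed to mirror the shapes boto3 returns from get_bucket_versioning and get_object_lock_configuration; the sample buckets are constructed.

```python
"""Grade whether a backup bucket's copies are actually immutable.
Added example, not the article's code. Inputs mirror the dict shapes boto3
returns from get_bucket_versioning and get_object_lock_configuration (an
assumption; pass None for the latter if the bucket has no lock config)."""

def assess_backup_bucket(versioning, object_lock):
    """Return (level, reason): 0 = mutable ... 3 = immutable."""
    if versioning.get("Status") != "Enabled":
        return 0, "versioning off: anyone with write access can overwrite or delete copies"
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return 1, "versioning on but no Object Lock: old versions can still be deleted"
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    if not retention:
        return 1, "Object Lock on but no default retention: new objects are not locked"
    if retention.get("Mode") == "GOVERNANCE":
        return 2, "governance mode: principals with bypass permission can still delete versions"
    return 3, "compliance mode: versions cannot be deleted until retention expires"

# Constructed samples: the provider default (nothing switched on) and the hardened case.
DEFAULT_BUCKET = ({}, None)
HARDENED_BUCKET = (
    {"Status": "Enabled"},
    {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
)

if __name__ == "__main__":
    for name, (ver, lock) in (("default", DEFAULT_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, assess_backup_bucket(ver, lock))
```

Run it against real buckets by feeding in the two API responses per bucket; anything below level 3 is a snapshot an attacker with the right credentials could still encrypt or erase.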
Two more tactics to adopt to defend against cloudjacking
are monitoring your configurations and monitoring your network traffic. As
we’ve seen, capitalizing on misconfigured AWS infrastructure is one of the more
common ways for cybercriminals to disrupt cloud services.
Security oversight of devops teams setting up cloud
applications is crucial. There are tools available that can automatically
discover resources as soon as they’re created, determine the applications
running on the resource and apply appropriate policies based on the resource
type.
By monitoring network traffic and correlating it with
configuration data, companies are able to spot the suspicious traffic
generated when compromised resources send work or hashes to public mining
pools, which can also help identify where the mining is being directed.
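The correlation described above, as an added example that is not part of the original article: it scans VPC-flow-log style records for long-lived egress to ports commonly used by stratum mining pools and enriches each hit from an asset inventory so the finding names the instance and its owner. The flow records, the inventory shape and the port list are all constructed assumptions.

```python
"""Flag instances whose egress looks like stratum mining-pool traffic.
Added example, not the article's code: it scans VPC-flow-log style records
(constructed below) and enriches hits from a constructed asset inventory."""
from collections import defaultdict

# Ports commonly used by stratum mining pools; tune to your environment.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed inventory keyed by private IP (an assumed shape, not a real API).
INVENTORY = {
    "10.0.1.15": {"instance": "i-web01", "role": "web", "owner": "app-team"},
    "10.0.2.40": {"instance": "i-build07", "role": "ci-runner", "owner": "devops"},
}

# Constructed records: src dst dstport bytes active_minutes
FLOW_LOGS = """\
10.0.1.15 203.0.113.10 443 120000 2
10.0.2.40 198.51.100.77 3333 900000 180
10.0.2.40 198.51.100.77 3333 870000 175
10.0.1.15 203.0.113.44 80 5000 1
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        src, dst, port, nbytes, mins = line.split()
        rows.append((src, dst, int(port), int(nbytes), int(mins)))
    return rows

def find_mining_suspects(flows, inventory, min_minutes=60):
    """Sum long-lived egress to stratum ports per source, then enrich."""
    sessions = defaultdict(lambda: {"minutes": 0, "peers": set()})
    for src, dst, port, _nbytes, mins in flows:
        if port in STRATUM_PORTS:
            sessions[src]["minutes"] += mins
            sessions[src]["peers"].add(f"{dst}:{port}")
    findings = []
    for src, s in sessions.items():
        if s["minutes"] >= min_minutes:   # short probes are ignored; miners persist
            asset = inventory.get(src, {"instance": "unknown", "role": "?", "owner": "?"})
            findings.append({"src": src, **asset,
                             "minutes": s["minutes"], "peers": sorted(s["peers"])})
    return findings

if __name__ == "__main__":
    for finding in find_mining_suspects(parse_flows(FLOW_LOGS), INVENTORY):
        print(finding)
```

Port matching alone is noisy, so treat a hit as a lead to confirm against CPU and billing anomalies and DNS lookups for known pool domains, not as a verdict.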
There tends to be a learning curve when defending against
emerging attacks. But if businesses are aware of how cloud resources are
manipulated by threat actors, they can be on guard against cloudjacking by
taking a few simple steps, increasing their overall cyber resilience.