Our last blog post on this subject examined how a Cryptojacking attack is launched…
But keep in mind, many attacks are now launched towards cloud based infrastructures as well, which is the focal point of this blog.
Cryptojacking & The Cloud
It is important to keep in mind that the cryptojacker of today is not just out to steal the processing and electrical resources of your individual computer and/or wireless device.
They’re also out to attack the overall cloud infrastructure, as there are many more resources that can be used to launch even stealthier and more covert cryptojacking attacks.
A prime example of this is Tesla.
Tesla is an auto manufacturer that has used Amazon Web Services (AWS) for its cloud infrastructure needs.
In this particular instance, they made use of an open source platform from Google called Kubernetes. This is a system that lets businesses and corporations fully automate the deployment, scaling, and management of containerized cloud-based applications.
Tesla had deployed Kubernetes onto its AWS platform, but it was not secured adequately: no administrative password had been created and implemented. As a result, cryptojackers were able to gain access to Tesla’s overall AWS environment.
Once access was gained, numerous cryptojacking mining scripts were covertly installed onto the Kubernetes instances.
The cryptojackers were then able to gain 100% control of Tesla’s AWS processing and electrical resources, and use them to launch multiple cryptojacking attacks.
They were also able to gain access to sensitive information and data located in Tesla’s AWS Simple Storage Service (S3) buckets.
The cryptojackers also used other tactics to avoid detection.
For example, they made use of private mining pool software, which was used to instruct the mining scripts to connect to an unlisted endpoint.
Because of this approach, existing domain- and IP-based threat detection systems could not pick up on the cryptojacking activity that was taking place.
The cryptojackers also masked the true IP address of the mining pool by hiding it behind a Content Delivery Network known as CloudFlare.
They even made use of nonstandard network port numbers to communicate covertly with the hidden IP addresses. All of this was done in an effort to keep CPU usage low.
This strategy allowed for any type of suspicious network-based traffic to go undetected for long periods of time.
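The evasion described above (an unlisted pool endpoint, a CDN in front of its real IP, and a nonstandard port) is aimed squarely at blocklist-style detection. The added example below, which is not code from the original post, contrasts a blocklist check with a behavioural rule that looks at how mining sessions behave on the wire: long-lived, low-volume connections that keep returning to the same destination on a port the host does not normally use. The flow records, blocklist, baseline ports and field names are all constructed for illustration and do not correspond to any particular cloud provider's log format.

```python
"""Blocklist detection versus behavioural detection of cryptomining traffic.

Added example, not the post's own code. All data below is constructed.
"""
from collections import defaultdict

# Constructed flow records: (source host, destination IP, destination port,
# bytes sent, connection duration in seconds).
# worker-2 talks to a pool whose IP is on the blocklist.
# worker-3 talks to an unlisted endpoint on a nonstandard port: the pattern
# the post describes, which a blocklist alone will not catch.
FLOWS = [
    ("worker-1", "203.0.113.10", 443, 120_000, 2),     # ordinary HTTPS fetch
    ("worker-1", "203.0.113.10", 443, 95_000, 3),
    ("worker-2", "198.51.100.5", 3333, 4_000, 3600),   # known pool IP
    ("worker-3", "192.0.2.77", 14444, 2_500, 3600),    # unlisted pool, odd port
    ("worker-3", "192.0.2.77", 14444, 2_700, 3600),
    ("worker-3", "192.0.2.77", 14444, 2_600, 3600),
]

# Constructed IP blocklist: it only knows about one pool address.
BLOCKLIST = {"198.51.100.5"}

# Assumed baseline: ports these workers legitimately talk to outbound.
STANDARD_PORTS = {53, 80, 443}


def blocklist_hits(flows):
    """Signature-style check: flag hosts whose destination IP is blocklisted."""
    return sorted({src for src, dst, *_ in flows if dst in BLOCKLIST})


def behavioural_hits(flows, min_duration=1800, max_bytes=10_000, min_flows=3):
    """Flag hosts that repeatedly hold long-lived, low-volume connections to the
    same destination on a nonstandard port. A throttled miner talking to a pool
    looks like this no matter which IP or CDN fronts the pool."""
    sessions = defaultdict(int)
    for src, dst, port, nbytes, duration in flows:
        if port in STANDARD_PORTS:
            continue
        if duration >= min_duration and nbytes <= max_bytes:
            sessions[(src, dst, port)] += 1
    return sorted({src for (src, _, _), n in sessions.items() if n >= min_flows})


def suspicious_hosts(flows):
    """Union of both detections: the behavioural rule covers what the blocklist misses."""
    return sorted(set(blocklist_hits(flows)) | set(behavioural_hits(flows)))


if __name__ == "__main__":
    print("blocklist only :", blocklist_hits(FLOWS))
    print("behavioural    :", behavioural_hits(FLOWS))
    print("combined       :", suspicious_hosts(FLOWS))
```

Thresholds such as the 30-minute duration and the three-flow minimum are placeholders; in practice they are set from the baseline of the fleet being monitored, and the rule is paired with host-side signals (sustained CPU from an unexpected process) so that a single long SSH session does not trip it.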
Cryptojackers are now also using more advanced techniques, such as exploiting zero-day vulnerabilities and compromising network endpoints, in order to build cryptojacking botnets.
In fact, 80% of organizations that rely upon AWS or Microsoft Azure to house their IT infrastructure are at risk of falling victim to a cryptojacking attack.
Although not using a password (or using a weak one, for that matter) can be a major cause of these kinds of attacks, poorly written API access rules also expose root accounts to further manipulation in order to launch cryptojacking attacks.
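Poor-quality API access rules usually mean an access policy that grants far more than the workload needs. The added example below, which is not code from the original post, shows an overly permissive policy document next to a least-privilege one and a small checker that flags the wildcard grants. The policy shape follows the common JSON "Statement / Effect / Action / Resource" layout; the bucket name and both policies are constructed for illustration.

```python
"""Flag wildcard grants in an access policy document.

Added example, not the post's own code. Both policies are constructed.
"""
import json

# Constructed: the kind of rule that hands every API call on every resource
# to whoever holds the credential.
OVERLY_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same workload scoped to one read action on one bucket.
LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-telemetry-bucket/*",
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy_json):
    """Return a list of human-readable findings for wildcard Allow grants."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]

    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow widens it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants every API call")
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(f"statement {idx}: Action '{a}' grants a whole service")
        if "*" in resources:
            findings.append(f"statement {idx}: Resource '*' applies to every resource")
        if stmt.get("Principal") == "*":
            findings.append(f"statement {idx}: Principal '*' allows anyone")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", OVERLY_PERMISSIVE), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, policy_findings(policy) or ["no findings"])
```

A checker like this belongs in the pipeline that creates or updates policies, so a wildcard grant is rejected before it reaches an account rather than discovered after a miner has been running on it.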
As you can see, it can be easy to fall victim to cryptojacking and not even know it. Thus, any time there’s anything that is questionable that shows up within your IT infrastructure, have it checked out.
You just never know what it could be.