What is Crypto Mining? Why is it a threat?
“Cryptocurrency mining (crypto mining) uses the processing power of computers to solve complex mathematical problems and verify digital transactions, and the miners get rewarded with a small amount of cyber currency.”
Source: cyber.gov.au
Cryptojacking is a crime and also a straightforward way for hackers to make money in the public cloud, because all they have to do is find a way into a customer's cloud, spin up a lot of high-capacity, CPU-rich servers for mining, and keep making money until the hapless customer detects the breach (mostly after they get an alarming bill from the cloud provider).
“Many recent surveys point out that 99% of misconfigurations in the cloud go unnoticed.“
These commonly prevalent misconfigurations are also why the public cloud is a gold mine for Crypto miners. Utilizing those misconfigurations, miners have unlimited CPU and computing power at their disposal.
Anatomy of a cloud credential breach
We recently interviewed a customer who went through a Service Account Key breach in Google Cloud, resulting in Crypto Mining activities.
We will break down this incident into multiple steps to understand better how attackers can leverage the leaked credentials and, most importantly, how organizations can be better prepared to tackle this scenario (when it happens).
An employee accidentally saved a GCP Service Account username/key into his personal Git repo.
Shortly thereafter, they got an email from Google stating that a service account compromise had been detected. It gave the following details in the email (a lifesaver service, we must say, because it dramatically reduces the detection time).
The email clearly highlighted the service account in question and the URL of the public Github repo. It also recommended two steps, including decommissioning the service account, which is a must-do.
Left unchecked, these VMs could have led to tens of thousands of dollars in cloud costs.
This is what the miners target; the probability that most organizations would not have the means or mechanisms to detect and react to these intrusions.
It is money left on the table.
If this happens to me/my-organization, what should we do?
There are multiple factors. The dynamicity of the Public Cloud makes it very difficult to have a baselined and hardened environment.
There are multiple regions associated with every cloud provider. A leaked service account may have permissions to create infrastructure/resources in ALL of those regions. In the web console view of a cloud provider, there is always a regional view of your resources. Hence you would have to switch between regions to identify if there are new compute resources or billable resources spun up in any region.
What if that compromised service account had cross-account permissions? A nightmare scenario if you are part of the cloud administration team. It is not easy when you have hundreds or thousands of accounts/projects.
How do we triage and contain risk?
First, ensure you REVOKE all (or listed) credentials for the compromised Service Account.
Next, instead of panicking, use the Cloud Service Providers IAM Logs to understand the activities performed by the compromised service account.
If you are using GCP (as in this example), check the Stackdriver IAM Audit logs. Filter by the Service Account in question and look for all recent activities. The subsequent filtered list will show newly launched EC2 instances (if any) or other resource creation/deletion/modification activities by that Service Account.
If you identify unauthorized launches, shut them down immediately and inform the cloud provider by raising a ticket. The cloud provider will typically waive any costs incurred via intrusions like these if they are disclosed on a timely basis.
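The triage steps above (filter the audit log by the compromised service account, then look across every region for newly created compute or IAM resources) can be scripted rather than clicked through region by region in the console. The following is an added example, not code from the original article or from C3M; it runs over a handful of constructed Cloud Audit Log (Admin Activity) entries in the JSON shape GCP exports to Cloud Logging. The project name, service account, instance names and IP addresses are all made up, and the `WATCHLIST` of method names is an assumed starting point for what to flag first, not a complete list.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample: one JSON audit-log entry per line, as exported from
# Cloud Logging. Everything here (project, principal, zones, IPs) is made up.
SAMPLE_LOG = """
{"timestamp":"2021-03-01T09:00:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.delete","resourceName":"projects/example-proj/zones/us-central1-a/instances/build-old","requestMetadata":{"callerIp":"203.0.113.10"}}}
{"timestamp":"2021-03-01T10:02:11Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","resourceName":"projects/example-proj/zones/us-central1-a/instances/miner-01","requestMetadata":{"callerIp":"198.51.100.7"}}}
{"timestamp":"2021-03-01T10:02:40Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","resourceName":"projects/example-proj/zones/europe-west1-b/instances/miner-02","requestMetadata":{"callerIp":"198.51.100.7"}}}
{"timestamp":"2021-03-01T10:03:05Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","resourceName":"projects/example-proj/zones/asia-east1-a/instances/miner-03","requestMetadata":{"callerIp":"198.51.100.7"}}}
{"timestamp":"2021-03-01T10:05:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","resourceName":"projects/-/serviceAccounts/ci-deploy@example-proj.iam.gserviceaccount.com","requestMetadata":{"callerIp":"198.51.100.7"}}}
{"timestamp":"2021-03-01T10:06:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","resourceName":"projects/example-proj/zones/us-central1-a/instances/web-05","requestMetadata":{"callerIp":"203.0.113.10"}}}
"""

# Assumed watchlist: substrings of methodName that deserve a first look when a
# service-account key has leaked (new compute, new keys, IAM policy changes).
WATCHLIST = (
    "compute.instances.insert",
    "compute.instanceTemplates.insert",
    "compute.instanceGroupManagers.insert",
    "CreateServiceAccountKey",
    "etIamPolicy",  # matches both SetIamPolicy and ...setIamPolicy
)


def parse_entries(text: str) -> List[dict]:
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def region_of(resource_name: str) -> str:
    """Derive the region from a zonal or regional resourceName, else 'global'."""
    parts = resource_name.split("/")
    for key in ("zones", "regions"):
        if key in parts:
            loc = parts[parts.index(key) + 1]
            return loc.rsplit("-", 1)[0] if key == "zones" else loc
    return "global"


def triage(entries: List[dict], principal: str) -> Dict:
    """Everything the given principal did, sorted, with risky calls flagged
    and new instances counted per region (so no region is overlooked)."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        method = payload.get("methodName", "")
        resource = payload.get("resourceName", "")
        events.append({
            "timestamp": entry.get("timestamp", ""),
            "method": method,
            "resource": resource,
            "region": region_of(resource),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "flagged": any(w in method for w in WATCHLIST),
        })
    events.sort(key=lambda ev: ev["timestamp"])
    created = Counter(ev["region"] for ev in events
                      if "compute.instances.insert" in ev["method"])
    return {
        "events": events,
        "flagged": [ev for ev in events if ev["flagged"]],
        "instances_created_by_region": dict(created),
        "caller_ips": sorted({ev["caller_ip"] for ev in events if ev["caller_ip"]}),
    }


if __name__ == "__main__":
    report = triage(parse_entries(SAMPLE_LOG),
                    "ci-deploy@example-proj.iam.gserviceaccount.com")
    print("instances created per region:", report["instances_created_by_region"])
    print("caller IPs seen:", report["caller_ips"])
    for ev in report["flagged"]:
        print(ev["timestamp"], ev["region"], ev["method"], ev["resource"])
```

The per-region count is the point: a single filtered view of the audit log covers all regions at once, so a miner who spreads instances across three continents shows up in one pass. A caller IP that the team does not recognise next to a `CreateServiceAccountKey` call is the other thing to check, since a freshly created key outlives the one you just revoked.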
Can it get complicated?
Absolutely – if you don’t have centralized logging for all of your cloud accounts. It then becomes a nightmare for the cloud administrator to wade through all the log files of different cloud accounts and detect compromises.
In the case of AWS, it can get quite messy since attackers typically use Role Chaining to move through your cloud laterally. Detecting and triaging role chaining activities in your cloud accounts and narrowing down to the root event is complex and time-consuming.
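Narrowing a role chain down to its root event is mechanical once the logs from all accounts are in one place: every `AssumeRole` call in CloudTrail records the temporary access key it issued in `responseElements.credentials.accessKeyId`, and every later call made with that key carries it in `userIdentity.accessKeyId`, so the hops can be walked backwards until a long-lived credential is reached. The following is an added example, not code from the original article or from C3M; the CloudTrail records are constructed (account IDs, role names and key IDs are all made up) and `trace_chain` is an assumed helper name.

```python
import json
from typing import Dict, List

# Constructed CloudTrail records from two accounts, already merged into one
# stream as a centralized logging setup would do. All identifiers are made up.
SAMPLE_TRAIL = """
{"eventTime":"2021-03-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/deploy-bot","accessKeyId":"AKIAEXAMPLE0001"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/BuildRole"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0002"}}}
{"eventTime":"2021-03-01T10:01:30Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/BuildRole/s1","accessKeyId":"ASIAEXAMPLE0002"},"requestParameters":{"roleArn":"arn:aws:iam::444455556666:role/ProdAdmin"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0003"}}}
{"eventTime":"2021-03-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::444455556666:assumed-role/ProdAdmin/s1","accessKeyId":"ASIAEXAMPLE0003"},"requestParameters":{"instanceType":"c5.24xlarge"}}
{"eventTime":"2021-03-01T10:04:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","accessKeyId":"AKIAEXAMPLE0008"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/ReadOnly"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE0009"}}}
"""


def parse_trail(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def issued_keys(events: List[dict]) -> Dict[str, dict]:
    """Map each temporary access key to the AssumeRole event that issued it."""
    index = {}
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole":
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                index[key] = ev
    return index


def trace_chain(events: List[dict], access_key_id: str) -> List[dict]:
    """Walk from a temporary key back to the long-lived credential that started
    the chain. Returns hops in root-first order; the first hop is the root."""
    index = issued_keys(events)
    hops, key, seen = [], access_key_id, set()
    last = None
    while key in index and key not in seen:
        seen.add(key)
        last = index[key]
        hops.append({"access_key": key,
                     "identity": last["requestParameters"]["roleArn"],
                     "at": last["eventTime"],
                     "caller_ip": last.get("sourceIPAddress")})
        key = last["userIdentity"].get("accessKeyId")
    if last is not None:
        root = last["userIdentity"]
    else:  # key was never issued by AssumeRole: look it up directly
        root = next((ev["userIdentity"] for ev in events
                     if ev.get("userIdentity", {}).get("accessKeyId") == key), {})
    hops.append({"access_key": key, "identity": root.get("arn"),
                 "type": root.get("type"), "at": None, "caller_ip": None})
    return list(reversed(hops))


def activity_with_key(events: List[dict], access_key_id: str) -> List[str]:
    """Non-STS API calls made with a given key, e.g. the RunInstances at the end."""
    return [ev["eventName"] for ev in events
            if ev.get("userIdentity", {}).get("accessKeyId") == access_key_id
            and ev.get("eventSource") != "sts.amazonaws.com"]


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for hop in trace_chain(trail, "ASIAEXAMPLE0003"):
        print(hop["access_key"], "->", hop["identity"])
    print("actions:", activity_with_key(trail, "ASIAEXAMPLE0003"))
```

Starting from the key that launched the instances in the second account, the walk lands on the IAM user `deploy-bot` in the first account, which is the credential to revoke; revoking only the `ProdAdmin` session would leave the attacker free to assume it again. The `seen` set guards against a key that appears to issue itself in a malformed or looping log.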
In this article, we cited the example of “cryptojacking” and how Crypto miners leverage common cloud misconfigurations and misuse public cloud compute resources.
However, a service account breach is in no way limited to Cryptojacking activities. Once an intruder is in, they can inflict catastrophic damage to your cloud infrastructure. They'll hunt for your crown-jewel data and exfiltrate it, or do something as bad as bring down your running production servers if that Service Account has been granted Admin privileges.
Protecting your cloud from Cryptojacking
How can C3M help mitigate your cloud risks?
The public cloud is designed to be inherently secure. Just configure it securely. Have questions around how to configure your cloud correctly? – Please reach out to firstname.lastname@example.org and one of our Cloud Security SMEs will conduct a FREE 30 min session with your team. No commitment required.