Mining cryptocurrencies such as Bitcoin and Ethereum is one way to make money – quite literally. But to get rich you need a vast amount of powerful, and costly, computing resources at your disposal.
That explains the phenomenon of browser-based cryptojacking: hackers running mining scripts in visitors' browsers without their knowledge or consent, mining cryptocurrency for themselves while the victims pick up the tab in CPU time and electricity.
The problem for hackers is that this type of cryptojacking is rarely lucrative: a recent research paper from a German university suggests that malicious websites which execute mining code on visitors’ systems generate an average of less than $6 a day.
To make serious money the bad guys need serious computing resources at their disposal, and there’s one obvious place to find them: public cloud providers.
And that explains a disturbing new trend: hackers (or the bots they control) hunt down poorly protected cloud admin accounts and leaked credentials, spin up virtual machines or deploy containers (often via unsecured Kubernetes consoles) and put them to work mining cryptocurrencies for themselves without the account holders knowing. According to research by the security firm RedLock, victims of this type of attack include high-profile companies such as Tesla, Aviva and Gemalto.
The first inkling the account owner may have that something is amiss comes at the end of the month, when they discover that their cloud bill has gone through the roof. Even then it may not be easy to work out exactly what has been going on. Anton Gurov, Director of Technical Operations at CloudHealth Technologies, recently provided a fascinating insight into these attacks:
Just this year we’ve seen multiple attacks happen with our clients. Typically, it manifests itself as a sharp and unexpected jump in spend and a number of large instance types running at high utilisation.
And it’s not small numbers – all the attacks we’ve seen have run up cloud bills in excess of $50,000.
The hacker could be a lone criminal or part of an organized crime gang, or an agent of a nation state such as North Korea looking to generate much-needed cash. This raises the question: what else could they do? An attacker who can compromise a cloud account and spin up servers can also snapshot any interesting virtual machines or containers and exfiltrate them to examine at leisure, or simply pull out any interesting data directly. Once they have what they want, they can leave a mining operation running to make some money while they move on to the next victim.
Or the unauthorized usage may not be the work of an outside hacker at all: a disgruntled ex-employee could have set up a mining operation before leaving, to earn some extra cash at the company's expense, or an opportunistic current employee may have set one up on the sly, expecting it to go undetected.
What’s the solution to this problem?
Understanding exactly what cloud resources are being consumed, and what they are doing, is key to detecting unauthorized usage. But the native cost reporting tools in cloud platforms are inadequate for this, which is where dedicated cost management solutions come in.
Platforms like CloudHealth bring all of your billing data into one location and surface it through an easy-to-use web interface, so you can see abnormal changes in spend in near real time. You can also apply policies, setting an alert if, for example, the monthly bill is forecast to rise by more than 10%. Policies can also be set to automatically shut down servers that do not conform to the organisation's tagging strategy, another fast-reacting control that limits the cost impact of a hijacked cloud account.
This makes it simple to spot anomalous usage almost immediately; by drilling down you can identify the source of the extra cost and confirm whether it is unauthorized resource usage.
While detecting breaches is a key part of any security strategy, prevention is obviously essential. The leading cloud management platforms provide security reviews against best practices, enabling you to quickly spot weaknesses that could be exploited and giving you recommendations for hardening your public cloud accounts.
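The two checks described above, a spend-forecast alert and a tagging policy, can be expressed as a few lines of detection logic. The following is an added example written for this page, not CloudHealth's own code: the daily cost rows, last month's bill and the instance inventory are constructed inline to resemble a billing export and an EC2 inventory (their field layout, the tag names and the "large instance" rule are assumptions, not any real export format). It flags the first day spend jumps above its trailing baseline, projects the month's bill against the previous one, and lists large instances pegged at high CPU alongside anything missing the required tags.

```python
"""Detection logic for a hijacked cloud account, run over constructed data.

Added example, not CloudHealth's code. DAILY_SPEND, PREVIOUS_MONTH_BILL and
INSTANCES are constructed to look like a daily cost export and an instance
inventory; the field layout and tag names are assumptions.
"""
from statistics import mean

PREVIOUS_MONTH_BILL = 36_000.0  # constructed: last month's invoice, USD

# Constructed daily spend for the current month: 12 quiet days, then the
# three-day jump that a mining operation on large instances produces.
DAILY_SPEND = [
    ("2018-03-%02d" % d, 1_150.0 + (d % 3) * 40.0) for d in range(1, 13)
] + [("2018-03-13", 4_700.0), ("2018-03-14", 5_100.0), ("2018-03-15", 5_250.0)]

# Constructed inventory: (instance id, instance type, average CPU %, tags).
INSTANCES = [
    ("i-0a1", "t3.medium",   12.0, {"owner": "web", "cost-center": "1001"}),
    ("i-0a2", "m5.large",    35.0, {"owner": "db"}),
    ("i-0b1", "p3.16xlarge", 99.0, {}),
    ("i-0b2", "p3.16xlarge", 98.5, {}),
    ("i-0b3", "c5.18xlarge", 97.0, {"owner": "tmp"}),
    ("i-0c1", "c5.18xlarge", 88.0, {"owner": "ml", "cost-center": "2002"}),
]

REQUIRED_TAGS = ("owner", "cost-center")  # assumed tagging policy
GPU_FAMILIES = ("p2", "p3", "g3")         # assumed "always large" families


def is_large(instance_type):
    """GPU families, or any size with an 8x-or-bigger multiplier, count as large."""
    family, _, size = instance_type.partition(".")
    if family in GPU_FAMILIES:
        return True
    if not size.endswith("xlarge"):
        return False
    mult = size[: -len("xlarge")]
    return mult.isdigit() and int(mult) >= 8


def first_spend_jump(daily, window=7, factor=2.0):
    """First date whose spend exceeds `factor` times the mean of the preceding
    `window` days, or None if spend stays flat."""
    for i in range(window, len(daily)):
        baseline = mean(cost for _, cost in daily[i - window:i])
        if daily[i][1] > factor * baseline:
            return daily[i][0]
    return None


def forecast_month(daily, days_in_month=31, recent=3):
    """Observed spend plus the last `recent` days' run rate for each remaining day."""
    observed = sum(cost for _, cost in daily)
    run_rate = mean(cost for _, cost in daily[-recent:])
    return observed + run_rate * (days_in_month - len(daily))


def forecast_alert(daily, previous_bill, days_in_month=31, increase=0.10):
    """True when the projected bill exceeds last month's by more than `increase`."""
    return forecast_month(daily, days_in_month) > previous_bill * (1 + increase)


def suspect_instances(instances, cpu_threshold=95.0, required=REQUIRED_TAGS):
    """Large instances running hot (mining candidates) and instances missing
    required tags (candidates for an automatic shutdown policy)."""
    hot, untagged = [], []
    for iid, itype, cpu, tags in instances:
        if is_large(itype) and cpu >= cpu_threshold:
            hot.append(iid)
        if any(tag not in tags for tag in required):
            untagged.append(iid)
    return hot, untagged


if __name__ == "__main__":
    print("spend jump on:", first_spend_jump(DAILY_SPEND))
    print("forecast USD: %.0f, alert: %s" % (
        forecast_month(DAILY_SPEND), forecast_alert(DAILY_SPEND, PREVIOUS_MONTH_BILL)))
    hot, untagged = suspect_instances(INSTANCES)
    print("hot large instances:", hot)
    print("untagged instances:", untagged)
```

On the constructed data the jump is flagged on the first day of the spike, the projected bill comes out near $110,000 against last month's $36,000, and the three pegged GPU and compute instances show up both as hot and as untagged; the untagged list also catches a legitimately owned database server, which is exactly the kind of thing a tagging shutdown policy will hit unless the owners keep their tags in order.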
These include deleting the root account's access keys so it has no API access, and enabling multi-factor authentication (MFA) on it. All privileged users and operators should also be required to use MFA. (On AWS this can be enforced through IAM policy, by denying actions on requests that were not made with MFA.)
Gurov's presentation gives detailed instructions for protecting accounts. And it's not just your production accounts that are at risk: we've seen successful attacks against sandbox and dev accounts, where security controls are typically weaker.
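Two of those steps can be checked and enforced with a short script. The following is an added example, not CloudHealth's or AWS's code: it audits an IAM credential report for root access keys, missing root MFA and console users without MFA, and builds the "deny everything unless MFA is present" policy used to enforce MFA on privileged users. The CSV is constructed to match the layout of `aws iam get-credential-report` (a subset of its columns, with the root user reported as `<root_account>`); in practice you would base64-decode the report's Content field rather than use a literal.

```python
"""Audit an AWS IAM credential report and build an MFA-enforcing IAM policy.

Added example, not CloudHealth's or AWS's code. CREDENTIAL_REPORT is a
constructed subset of the columns that `aws iam get-credential-report`
returns; the account id and user names are made up.
"""
import csv
import io
import json

# Constructed credential report (subset of the real columns).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,true
"""

ROOT = "<root_account>"

# Calls a user needs in order to enrol an MFA device in the first place.
MFA_SELF_SERVICE = [
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ResyncMFADevice",
]


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def truthy(value):
    return value.strip().lower() == "true"


def audit(rows):
    """Return (principal, finding) pairs for the weaknesses discussed above."""
    findings = []
    for row in rows:
        user = row["user"]
        has_keys = truthy(row["access_key_1_active"]) or truthy(row["access_key_2_active"])
        has_mfa = truthy(row["mfa_active"])
        if user == ROOT:
            if has_keys:
                findings.append((user, "root has active access keys; delete them"))
            if not has_mfa:
                findings.append((user, "root has no MFA device"))
            continue
        # Key-only users (like ci-deploy) cannot use MFA interactively; they
        # need key rotation and scoped policies instead, not covered here.
        if truthy(row["password_enabled"]) and not has_mfa:
            findings.append((user, "console password without MFA"))
    return findings


def mfa_enforcement_policy():
    """Policy document to attach to the group holding privileged users: allow
    MFA self-service, deny everything else when the request carried no MFA.
    BoolIfExists treats requests with no MFA context (plain access keys) as
    false, so they are denied too; sts:GetSessionToken stays reachable so a
    CLI user can obtain an MFA-backed session."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowMfaSelfService",
                "Effect": "Allow",
                "Action": MFA_SELF_SERVICE,
                # Production policies scope this to the calling user's own
                # user and mfa ARNs; "*" keeps the example short.
                "Resource": "*",
            },
            {
                "Sid": "DenyEverythingElseWithoutMfa",
                "Effect": "Deny",
                "NotAction": MFA_SELF_SERVICE + ["sts:GetSessionToken"],
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


if __name__ == "__main__":
    for principal, finding in audit(parse_report(CREDENTIAL_REPORT)):
        print("%-16s %s" % (principal, finding))
    print(json.dumps(mfa_enforcement_policy(), indent=2))
```

Run against a real report, the audit is the quick version of the security review a management platform performs: anything it prints for the root row should be fixed the same day, and the policy output is what you attach (after testing in a sandbox account) to make the MFA requirement on privileged users something IAM enforces rather than something people are asked to remember.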
By using a cloud management platform like CloudHealth and taking some relatively simple but effective steps, you can ensure that your cloud resources are working for you, not mining cryptocurrencies for somebody else.