
Mining cryptocurrencies such as Bitcoin, Ethereum and Ripple is one way to make money – quite literally. But to get rich you need a vast amount of powerful and costly computing resources at your disposal.

That explains the phenomenon of browser-based cryptojacking: hackers running mining software on victims’ computers without their knowledge or consent to generate Bitcoin or other currencies, while the victims pick up the tab.

The problem for hackers is that this type of cryptojacking is rarely lucrative: a recent research paper from a German university suggests that malicious websites which execute mining code on visitors’ systems generate an average of less than $6 a day.

To make serious money the bad guys need serious computing resources at their disposal, and there’s one obvious place to find them: public cloud providers.

And that explains a disturbing new trend: hackers (or the bots they control) hunt down vulnerable cloud admin accounts, spin up virtual machines or deploy containers (often via unsecured Kubernetes consoles) and put them to work mining cryptocurrencies for themselves without the account holders knowing. According to research by the security firm RedLock, victims of these types of attacks include high-profile companies such as Tesla, Aviva, and Gemalto.

The first inkling that the account owner may have that something is amiss is at the end of the month when they discover that their cloud bill has gone through the roof. Even then it may not be easy to work out exactly what has been going on. Anton Gurov, CloudHealth Technologies’ Director of Technical Operations, recently provided a fascinating insight into these attacks.

Just this year we’ve seen multiple attacks happen with our clients. Typically, it manifests itself as a sharp and unexpected jump in spend and a number of large instance types running at high utilisation.

And it’s not small numbers – all the attacks we’ve seen have run up cloud bills in excess of $50,000.

The hacker could be a criminal or part of an organized crime gang, or they might be an agent of a nation state like North Korea looking to generate much-needed cash reserves. This raises the question of what else they could do. If they can compromise a cloud account and spin up servers, they could also snapshot any interesting virtual machines or containers and exfiltrate them to examine at their leisure, or simply extract any interesting data. Once they have got what they want, they could then leave a mining operation running to make some money while they move on to the next victim.

Or it may not be a hacker at all who is responsible for the unauthorized usage: a disgruntled ex-employee could have set up a Bitcoin mining operation before leaving to earn some extra cash at the company’s expense, or an opportunist current employee may have set one up on the sly with the expectation that it is unlikely to be detected.

What’s the solution to this problem?

Understanding exactly what cloud resources are being consumed, and what they are doing, is key to detecting any unauthorized usage. But native cost reporting tools in cloud platforms are inadequate, which is where dedicated cost management solutions come in.

Platforms like CloudHealth bring all of your billing data into one location, surfacing it via an easy-to-use web interface that lets you see abnormal changes in spend in near real time. You can also apply policies, setting an alert if, for example, a monthly bill is forecast to rise by more than 10%. Policies can also be established to automatically shut down servers that do not conform to an organisation's tagging strategy, another fast-reacting process to minimise the cost impact of a hacked cloud account.

This makes it simple to spot any anomalous usage almost immediately, and by drilling down you can identify the source of the extra cost and detect any unauthorized resource usage.
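The checks described above (a sharp daily jump in spend, a month-end forecast more than 10% above the previous bill, and instances that break the tagging policy), written out as an added example. This is not CloudHealth's code; the daily spend figures, instance records and the "owner"/"cost-centre" tag names are constructed sample data.

```python
"""Spend-anomaly and tag-conformance checks of the kind a cost-management policy
would run. Added example with constructed data, not CloudHealth code."""

# Constructed sample: daily spend (USD) for a 31-day month. The jump from day 20
# onward mimics a batch of large instances left running at full utilisation.
DAILY_SPEND = [1500.0] * 19 + [9800.0] * 12
PREVIOUS_MONTH_TOTAL = 46_000.0  # constructed baseline: last month's bill

def forecast_month_end(spend_so_far, days_in_month):
    """Run-rate forecast: month-to-date spend scaled to the full month."""
    days_elapsed = len(spend_so_far)
    if days_elapsed == 0:
        return 0.0
    return sum(spend_so_far) / days_elapsed * days_in_month

def forecast_alert(spend_so_far, previous_total, days_in_month, threshold=0.10):
    """True when the forecast exceeds last month's bill by more than `threshold`."""
    forecast = forecast_month_end(spend_so_far, days_in_month)
    return forecast > previous_total * (1 + threshold)

def daily_jump_alert(spend, multiplier=3.0, window=7):
    """Index of the first day whose spend is more than `multiplier` times the
    mean of the preceding `window` days, or None if there is no such jump."""
    for i in range(window, len(spend)):
        baseline = sum(spend[i - window:i]) / window
        if spend[i] > multiplier * baseline:
            return i
    return None

def non_conforming(instances, required_tags):
    """IDs of instances missing any required tag; a policy would stop these."""
    return [inst["id"] for inst in instances
            if not required_tags <= set(inst.get("tags", {}))]

# Constructed inventory; i-0002 and i-0003 stand in for intruder-launched machines.
INSTANCES = [
    {"id": "i-0001", "type": "m5.large", "tags": {"owner": "web", "cost-centre": "1234"}},
    {"id": "i-0002", "type": "p3.16xlarge", "tags": {}},
    {"id": "i-0003", "type": "p3.16xlarge", "tags": {"owner": "unknown"}},
]

if __name__ == "__main__":
    print("forecast alert on day 25:", forecast_alert(DAILY_SPEND[:25], PREVIOUS_MONTH_TOTAL, 31))
    print("first jump on day index:", daily_jump_alert(DAILY_SPEND))
    print("untagged instances:", non_conforming(INSTANCES, {"owner", "cost-centre"}))
```

Once an alert fires, the flagged day and instance IDs are the starting point for drilling down into which account or key launched them.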

Whilst detecting breaches is a key part of a security strategy, prevention, obviously, is essential. The leading cloud management platforms provide security reviews against best practices enabling you to quickly spot weaknesses that could be exploited and receive recommendations to harden your public cloud accounts.

These include disabling API access for your root account (that is, creating no root access keys) and enabling multi-factor authentication (MFA) on it. All privileged users and operators should also be required to use MFA. (On AWS, this can be enforced through IAM policy.)
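How an IAM policy enforces MFA, as an added example that is not from the page or from CloudHealth. The policy document below is the standard "deny everything except MFA setup when no MFA is present" shape; the evaluator is a deliberately simplified model of IAM's Deny logic (it ignores Allow statements and resource matching) written only to show why `BoolIfExists` rather than `Bool` is needed.

```python
"""Deny-unless-MFA IAM policy and a minimal evaluator of its Deny semantics.
Added example; the evaluator models only the parts of IAM needed here."""
import copy

# aws:MultiFactorAuthPresent is "true"/"false" for temporary credentials and
# absent for requests signed with long-term access keys. "BoolIfExists" treats
# an absent key as a match, so access-key calls are denied too.
DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                      "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

def _condition_matches(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if not operator.endswith("IfExists"):
                    return False      # plain Bool: an absent key never matches
                continue              # ...IfExists: an absent key counts as a match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def _action_matches(statement, action):
    if "Action" in statement:
        return action in statement["Action"] or "*" in statement["Action"]
    return action not in statement["NotAction"]   # NotAction covers everything else

def is_denied(policy, action, context):
    """True if any Deny statement applies to `action` under the request context."""
    return any(s["Effect"] == "Deny" and _action_matches(s, action)
               and _condition_matches(s.get("Condition", {}), context)
               for s in policy["Statement"])

def weak_variant(policy):
    """Same policy with Bool instead of BoolIfExists: a common mistake that
    leaves long-term access-key requests (no MFA key in context) unguarded."""
    weak = copy.deepcopy(policy)
    for s in weak["Statement"]:
        s["Condition"] = {"Bool": s["Condition"]["BoolIfExists"]}
    return weak
```

A practical check for a weak policy: a request context with no `aws:MultiFactorAuthPresent` key at all must still be denied for anything other than the MFA-setup actions.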

CloudHealth’s Gurov provides detailed instructions for protection in his presentation. And it’s not just your production accounts that are at risk: we’ve seen successful attacks against sandbox or dev accounts, where security controls are typically weaker.

By using a cloud management platform like CloudHealth and taking some relatively simple but effective steps, you can ensure that your cloud resources are working for you, not mining cryptocurrencies for somebody else.


The unfolding Mossack Fonseca revelations will certainly keep us entertained for some time to come: will a British Prime Minister have to admit being the beneficiary of a dubious offshore fund inherited from his father? Will the suspicions of embezzlement around Putin finally be proved? And where are the Americans in all of this?

But looking beyond the immediate fallout, one of the most astonishing issues is how did so much client data get accessed by one person or group of persons?

This is 2016: information security is a well-advanced field, generally based on the sound principle of “Assume we will be attacked from inside or outside and our data will be targeted”. On that bedrock assumption, security controls are built.

Right now, all around the world in law firms large and small, the question being asked by the Partners is “Could this happen to us?” An excellent question, and one that is very easy to get to the bottom of.

If your IT or Security team cannot immediately articulate how client data is protected and the controls they have in place to prevent a data breach then the answer can only be “Yes, it could happen to you”. (And if the answer from your IT team features the phrases “It’s on our own servers therefore it’s safe” or “It’s in the Cloud and Amazon/Microsoft/Google protect it with 256-bit encryption” then alarm bells should sound).

Data classification and segregation (when part of robust layered defences) are very effective controls to ensure that if or when a breach occurs the perpetrator only gets some of the family silver not all of it (and when implemented properly they certainly shouldn’t get the high value items).

Quite why these controls were not in place at Mossack Fonseca, or why they failed, may become clear over time. What is clear, though, is that if the value of the information is high enough – or the value of the damage that can be wrought with it is attractive enough – then someone will attempt to steal and release that information.

And in the Mossfon case this, in particular, is an intriguing point to consider.

In obtaining and releasing this information to a worldwide group of investigative journalists, the perpetrator(s) of the data leak have put a huge target on their backs. No matter how many millions of dollars they received in exchange (or maybe it was done for genuine purposes), that individual or individuals – whether an inside job or an external hacker – will forever be looking over their shoulder for the Russian secret services, mafia hit men or an aggrieved former Icelandic Prime Minister coming after them.

So if someone is paid well enough or feels strongly enough that information should be released then no matter the personal risk to themselves they will do it.

Of course, most law firms are not handling this kind of super-sensitive information. But if – say – someone was interested in knowing the details of a commercial property purchase or an M&A bid, so that they could out-bid the competitor, then one could, with relative ease, find some Russian or Chinese hackers-for-hire or a disaffected employee to go and obtain that data for them.

Our experience is that outside of the Magic Circle, few law firms have dedicated security teams, and those regional firms which have grown by acquisition and as a result have particularly messy IT are at greater risk. In the absence of dedicated security specialists, the issue is left to the IT guys to manage. And – with all due respect – that’s akin to leaving the non-legally-qualified Company Secretary or Finance Director to manage all of the company’s legal matters by themselves.

So it could well be that the Mossack Fonseca case becomes the watershed moment that makes every law firm wake up to the threat and to the reality that a breach of client data is very possible.