Believing you are immune from cryptomining attacks is a fallacy.
The form of cyber attack that organisations suffer is shifting, from ransomware towards cryptomining attacks.
Cryptomining attacks are highly profitable for cybercriminals and can run undetected for very long periods. Lawful cryptomining can itself be a profitable business, but the margins ramp up sharply when you are paying neither for the hardware nor for the electricity it consumes.
Researchers at RedLock have released their February 2018 Cloud Security Trends report, stating “The soaring value of cryptocurrencies is prompting hackers to shift their focus from stealing data to stealing compute power in an organization’s public cloud environment. The nefarious network activity is going completely unnoticed due to a lack of effective network monitoring.”
It was recently revealed that Tesla had fallen victim to cyber criminals generating cash through cryptomining attacks. The researchers said they discovered the intrusion while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. “Essentially, hackers were running crypto mining scripts on Tesla’s unsecured Kubernetes instances,” said researchers. “To conceal their identity, the scripts were connecting to servers that reside behind CloudFlare, a content delivery network.” The threat actors kept CPU usage low to avoid suspicion and hid the true IP address of the mining pool behind the CDN, so domain- and IP-based threat detection systems had little to match on and struggled to identify the activity.
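The evasion described above defeats blocklists: the pool's real address sits behind a CDN and the miner keeps CPU low, so detection has to key on what the traffic does rather than where it goes. The following is an added example (not code from the original article, nor from RedLock or Tesla) that applies two such checks to constructed connection records: a Stratum JSON-RPC mining signature in the first client bytes, and a long-lived, low-throughput connection to a non-web port. The record layout, the thresholds and the sample flows are assumptions made for this illustration; the Stratum method names are those used by the common Bitcoin-style and XMRig-style mining protocols.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Heuristic thresholds; assumptions for this example, tune per environment.
LONG_LIVED_SECONDS = 3600       # a miner holds one pool connection open for hours
LOW_RATE_BYTES_PER_SEC = 1024   # share submissions are tiny; bulk transfers are not
WEB_PORTS = {80, 443}           # excluded so websocket/keepalive traffic does not alert

# JSON-RPC methods used by Stratum-style mining protocols: the Bitcoin-style
# "mining.*" family and the Monero/XMRig-style "login"/"submit" dialect.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}


@dataclass
class Flow:
    """One egress connection as a flow collector or proxy might record it."""
    src: str
    dst_ip: str
    dst_port: int
    duration_s: int
    bytes_out: int
    first_payload: bytes        # first client bytes; empty when TLS hides them


def stratum_method(payload: bytes) -> Optional[str]:
    """Return the mining JSON-RPC method if the first payload looks like Stratum."""
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    method = msg["method"]
    params = msg.get("params")
    # "login" is a generic method name; only alert when the miner-specific
    # fields (wallet "pass", "agent" string or "algo" list) are present.
    if method == "login" and not (
        isinstance(params, dict) and any(k in params for k in ("pass", "agent", "algo"))
    ):
        return None
    return method


def low_and_slow(flow: Flow) -> bool:
    """Long-lived, low-throughput connection to a non-web port."""
    if flow.duration_s < LONG_LIVED_SECONDS or flow.dst_port in WEB_PORTS:
        return False
    return flow.bytes_out / flow.duration_s < LOW_RATE_BYTES_PER_SEC


def detect(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (source, destination, reason) for every suspicious flow."""
    alerts = []
    for f in flows:
        dst = f"{f.dst_ip}:{f.dst_port}"
        method = stratum_method(f.first_payload)
        if method:
            alerts.append((f.src, dst, f"stratum method {method!r} in first client payload"))
        elif low_and_slow(f):
            alerts.append((f.src, dst, "long-lived low-rate connection to non-web port"))
    return alerts


# Constructed sample flows for this example (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # TLS to a CDN edge on a non-standard port, held open for four hours with
    # almost no data: nothing to match by domain or IP, but the shape gives it away.
    Flow("pod-a", "203.0.113.10", 2053, 4 * 3600, 1_200_000, b""),
    # Plaintext XMRig-style login to a pool on port 3333.
    Flow("pod-b", "198.51.100.7", 3333, 120, 4096,
         b'{"id":1,"jsonrpc":"2.0","method":"login",'
         b'"params":{"login":"wallet-placeholder","pass":"x","agent":"XMRig/6.16.4"}}\n'),
    # Large HTTPS download: long-lived but high throughput.
    Flow("pod-c", "203.0.113.50", 443, 5400, 900_000_000, b""),
    # Short HTTP health check.
    Flow("pod-d", "198.51.100.9", 8080, 30, 512, b"GET /healthz HTTP/1.1\r\nHost: api\r\n\r\n"),
    # Busy database connection: long-lived but moving real data.
    Flow("pod-e", "198.51.100.20", 5432, 7200, 50_000_000, b""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(*alert)
```

Run against the sample, only `pod-a` (by connection shape) and `pod-b` (by protocol content) are reported; the HTTPS download, the health check and the database session are not. The port exclusion is a deliberate trade-off: a miner that tunnels its pool connection over 443 would need the rate-and-duration rule applied there too, at the cost of more false positives from long-lived web sockets.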
So, who is at fault for this breach? Some say Tesla should have had better awareness of threat actors and more procedures in place to deal with them, but the reality is that the responsibility is shared. Amazon could also do more: these attacks are becoming more frequent, and the platform's safeguards in this area have not kept pace. Many organisations still run unsecured or inadequately configured servers, so it is only a matter of time before more of these attacks succeed. For many, the most practical defence is real-time threat detection that keys on behaviour rather than on known domains and IPs, so that it can catch attacks for which no signature yet exists.
Even if Amazon implemented further security measures, that would not absolve customers of their responsibility for regular monitoring, service scans and change management within their own infrastructure. Under the shared responsibility model, AWS secures the underlying platform, while what the customer deploys on it, and how it is configured, remains the customer's job. Once valid credentials are used to access AWS services, the calls look legitimate to the platform; distinguishing authorised use from abuse falls to the customer, who must know how each credential is normally used and alert on deviations from that. That is a heavy responsibility, and it is the customer's data at stake.
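Because a leaked key is used through the same APIs as a legitimate one, the platform cannot tell the two apart; the customer can, by comparing each call against how that credential is normally used. The following added example (not code from the original article, and not an AWS tool) learns, per access key, the source IPs and user agents seen in a baseline window of CloudTrail-style records, then flags later calls that come from a new IP, a new user agent, or a key that was never seen at all. The records are constructed for this illustration and use AWS's documented example key IDs; the field names follow CloudTrail's, but the anomaly rules are assumptions to be tuned locally.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed CloudTrail-style records (a subset of the real field set).
# Baseline window: the key is used only from the VPC's NAT address by an SDK.
BASELINE_EVENTS = [
    {"eventTime": "2018-02-01T10:00:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.4", "userAgent": "aws-sdk-go/1.12.70",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2018-02-01T10:05:00Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.4", "userAgent": "aws-sdk-go/1.12.70",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]

# Later window: one normal call, one from an unknown host with a different
# tool, and one using a key the baseline has never seen.
NEW_EVENTS = [
    {"eventTime": "2018-02-15T09:00:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.4", "userAgent": "aws-sdk-go/1.12.70",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2018-02-15T02:13:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.77", "userAgent": "aws-cli/1.14.40 Python/2.7.12 Linux/4.4.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2018-02-15T02:14:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.77", "userAgent": "aws-cli/1.14.40 Python/2.7.12 Linux/4.4.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]


def build_baseline(events: List[dict]) -> Dict[str, Dict[str, set]]:
    """Per access key, the set of source IPs and user agents seen in the window."""
    profile: Dict[str, Dict[str, set]] = defaultdict(lambda: {"ips": set(), "agents": set()})
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if not key:                     # e.g. AWS service-initiated events carry no key
            continue
        profile[key]["ips"].add(e["sourceIPAddress"])
        profile[key]["agents"].add(e["userAgent"])
    return profile


def flag_anomalies(events: List[dict], profile: Dict[str, Dict[str, set]]) -> List[dict]:
    """Return the events whose credential use deviates from the baseline, with reasons."""
    findings = []
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue
        reasons = []
        known = profile.get(key)        # .get() does not create a defaultdict entry
        if known is None:
            reasons.append("access key never seen in baseline")
        else:
            if e["sourceIPAddress"] not in known["ips"]:
                reasons.append(f"new source IP {e['sourceIPAddress']}")
            if e["userAgent"] not in known["agents"]:
                reasons.append(f"new user agent {e['userAgent']!r}")
        if reasons:
            findings.append({"eventTime": e["eventTime"], "eventName": e["eventName"],
                             "accessKeyId": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f["eventTime"], f["accessKeyId"], f["eventName"], "; ".join(f["reasons"]))
```

Two caveats a practitioner should keep in mind. The baseline is only as good as the window it was learned from: a key that was already being abused while the profile was built will have taught the attacker's address as normal, so learn from a period you have reason to believe was clean and review what the profile contains. And in a real deployment the exact-IP sets would give way to CIDR ranges or known egress addresses, otherwise every NAT change raises an alert. Whatever the rule set, the response to a confirmed finding is the same: rotate the key and find out where it leaked from.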
What does this mean to you?
Well, at a basic level, every organisation needs to ensure that regular scanning is carried out, that its findings (exposed management interfaces such as an unauthenticated Kubernetes dashboard, or credentials sitting in reachable configuration) are reviewed in weekly meetings between stakeholders, and that processes are up to date and correctly implemented.
The risk is real and the results can be incredibly damaging to most organisations, but with sound cybersecurity and information policies, and best practices reinforced through security awareness training, this risk can be minimised.