Your cybersecurity forecast: partly cloudy with a chance of crypto.
As cloudjacking is becoming more widespread, it’s being combined with cryptojacking to mine cryptocurrency undetected.
Cloudjacking is the act of stealing processing and storage from someone else’s cloud account, and cryptojacking is the act of forcing the stolen computer to mine cryptocurrency. Together, the two hacking methods can be used to mine cryptocurrency for free, while the cloud account owner unknowingly pays the bill—often for weeks or months.
Aviva, Gemalto and Tesla are recent cloudjacking victims
The RedLock Cloud Security Intelligence team recently found hundreds of Kubernetes administration consoles accessible without password protection. According to RedLock, “A couple of the instances belonged to Aviva, a British multinational insurance company, and Gemalto, the world’s largest manufacturer of SIM cards.” These instances were cloudjacked in order to run cryptocurrency miners.
The most notable cloudjacking case to date was the infiltration of the Kubernetes console owned by Tesla. Not only did attackers have access to telemetry data from customers’ cars, they were also able to load cryptomining software and make money directly.
Typically, the cryptocurrency Monero is mined rather than Bitcoin. Monero offers a higher level of anonymity and, most importantly, has been optimized to be mined on ordinary general-purpose CPUs rather than requiring expensive graphics cards or ASIC devices. This makes it ideal for cloudjacking and mining.
The use of technologies like Kubernetes and Docker has also allowed cloud services to scale easily to massive numbers of VMs, giving attackers the opportunity to hide in the shadows and quietly mine cryptocurrencies unobserved.
How Tesla was attacked
The Tesla hijackers were quite sophisticated. The attackers ran their own mining pool software (to aggregate the work of multiple miners) and hid its IP addresses behind Cloudflare, a content delivery network. They then used non-standard port numbers to communicate with these hidden IP addresses. Taken together, these measures effectively hid their activities from typical intrusion detection and firewall systems. Finally, the hijackers throttled the mining software to run more conservatively, so it would not trip high-usage detectors. All of these steps enabled the hijackers to mine undetected for months.
As these instances have been uncovered, they’ve all been immediately mitigated. However, this is becoming a widespread phenomenon and there are probably many other cloud accounts that have been hijacked and remain undetected. Maybe even your account.
How to ensure your cloud accounts are secure
The first thing you need to do is recognize that even though you may have outsourced compute and storage resources to a cloud provider, you are still responsible for making sure they are implemented securely. Experts routinely notice some common security mistakes in cloud deployments, and knowing how to prevent them can make your cloud instances much more secure. Don’t just accept defaults in cloud instances and management systems. Often you will be offered, but not forced, to use more secure processes for encryption, certificates, and authentication. Use them.
Secondly, most of these instances of account hijacking can be traced to compromised credentials. Make sure you manage credentials in the cloud as strictly as any credentials in your organization.
Finally, keep a close eye on your inventory of VMs in the cloud, and shut down those that are not in use. Not only will this save you money, but it will make it easier to detect hijacked instances.
Most importantly, educate your personnel on the proper design, management and security of cloud infrastructure. Proper education can prevent these types of situations in the first place.
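The inventory advice above, as an added example that is not part of the original article: a Python check that compares each instance's sustained CPU use with what the inventory says it should be doing, so that a miner throttled below the usual high-usage alarm still stands out, and so that instances the inventory has never heard of are surfaced. The inventory records, instance names and utilisation samples are constructed for illustration.

```python
"""Compare each cloud instance's sustained CPU use with its inventory record.
A throttled miner stays under the fixed high-usage alarm, so the telling signal
is steady load on an instance that should be idle, or on one not in inventory."""
from statistics import mean

# Constructed sample data, not real telemetry. "idle" = nobody should be using it.
INVENTORY = {
    "vm-web-01": {"owner": "web-team", "state": "in_use"},
    "vm-batch-07": {"owner": "data-team", "state": "idle"},
    "vm-test-12": {"owner": None, "state": "idle"},
}
# Hourly CPU utilisation (percent) for the last 24 hours, constructed.
CPU_SAMPLES = {
    "vm-web-01": [38, 41, 55, 60, 70, 52, 44, 39] * 3,
    "vm-batch-07": [2, 1, 2, 3, 2, 1, 2, 2] * 3,
    "vm-test-12": [32, 33, 31, 34, 32, 33, 31, 32] * 3,     # steady, sub-alarm load
    "vm-unknown-99": [28, 30, 29, 31, 30, 29, 30, 28] * 3,  # absent from inventory
}

HIGH_USAGE_ALARM = 90.0  # the ceiling a throttled miner deliberately stays under
IDLE_CEILING = 10.0      # what a genuinely idle VM should stay below
MIN_SAMPLES = 12         # require half a day of data before judging an instance


def is_sustained(samples, floor):
    """True when at least 90% of samples exceed `floor`: steady load, not a burst."""
    return sum(s > floor for s in samples) >= 0.9 * len(samples)


def find_suspect_instances(inventory, cpu_samples):
    """Return (instance, reason) pairs that deserve a human look."""
    findings = []
    for inst, record in inventory.items():
        samples = cpu_samples.get(inst, [])
        if len(samples) < MIN_SAMPLES:
            findings.append((inst, "too little telemetry; confirm it is monitored"))
            continue
        avg = mean(samples)
        if avg >= HIGH_USAGE_ALARM:
            findings.append((inst, f"high usage alarm ({avg:.0f}%)"))
        elif record["state"] == "idle" and is_sustained(samples, IDLE_CEILING):
            findings.append((inst, f"declared idle but sustained {avg:.0f}% CPU; possible hijack"))
        if record["owner"] is None:
            findings.append((inst, "no owner recorded; candidate for shutdown"))
    # Instances reporting telemetry that the inventory does not know about.
    for inst in sorted(cpu_samples.keys() - inventory.keys()):
        findings.append((inst, "reporting telemetry but absent from inventory"))
    return findings
```

Running `find_suspect_instances(INVENTORY, CPU_SAMPLES)` flags vm-test-12 twice (idle but busy, no owner) and vm-unknown-99 once, while the two instances that behave as recorded produce nothing.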