But that’s just the tangible cost of a cryptocurrency-mining attack. There are also indirect consequences that an affected organization might encounter, such as the disruption and slowdown of operations that could result in loss of revenue or even damage to the reputation of the organization because of the inconveniences brought upon its customers.
The major players in the cloud-based cryptocurrency mining landscape are diverse in terms of their tools, techniques, and even the way they interact with the public. While some of these groups are more basic in their approach, others are constantly refining their ability to exploit vulnerabilities and other gaps in security to enter target systems.
On one hand, there’s Outlaw, which prefers to stick with what it knows — compromising internet-of-things (IoT) devices and Linux servers via brute-force attacks or by exploiting known vulnerabilities — and add only minor changes to its campaigns. On the other hand, TeamTNT, a malicious actor group that relies heavily on credential theft for lateral movement and abusing configured services, has been steadily improving its sophistication. Other groups, including prolific ones such as Kinsing and 8220, use tools like rootkits and botnets, while also having a sizeable pool of exploitable vulnerabilities.
A large part of what drives cloud-based cryptocurrency-mining groups to evolve is competition with one another. Since cloud instances count as limited resources, each group has to ensure that its cryptocurrency miner is the one that is using up these resources. It’s therefore not surprising that the skills and infrastructures of some malicious actors in this sphere are quite advanced.
On its own, cryptocurrency mining has relatively small profit margins because the currency earned via mining is offset by resource expenditure. Illicit mining alleviates this by offloading all costs onto the victim, allowing the attacker to reap the full benefits of the mining process. But the true monetary gains could come from secondary markets: More advanced malicious actors could use their resources to act as access brokers, offering their infrastructures, tools, and services to other actors who could come in and do more extensive damage.
In any case, organizations shouldn’t take the presence of cryptocurrency-mining malware in a system only at face value that there is malware in the system. Organizations should also consider what it means in terms of their cloud security. The presence of cryptocurrency-mining activities should be a warning sign — the proverbial canary in a coal mine — to organizations that their cloud infrastructures are vulnerable to attacks. They should take the detection of cryptocurrency mining seriously since this might be the only time that they might be able to respond while the actual impact is still relatively minimal.
Fortunately, organizations can take proactive measures to bridge the security gaps in their cloud deployments. These range from following general security and cloud best practices such as timely patching and avoiding cloud API exposure to the internet, to specific recommendations such as implementing rules that monitor systems for any red flags. Cloud security products can also assist organizations with filtering their network traffic to minimize attack surfaces.
To learn more about the cloud-based cryptocurrency-mining threat landscape, read our full report “A Floating Battleground: Navigating the Landscape of Cloud-Based Cryptocurrency Mining.”
Read More HERE