To understand cryptojacking, you must first understand how cryptomining works. Cryptomining is the act of using your own compute resources to mine cryptocurrency by contributing computer processing power to get paid in cryptocurrency to validate blockchain transactions.
Cryptojacking occurs when malicious actors take control of a victim’s computing resources to secretly mine cryptocurrency for their benefit – it is much more profitable for the attackers since they don’t have to pay for the compute. Any type of cryptocurrency can be mined for cryptojacking attacks, but it’s usually Monero due to the difficulty in tracing transactions, and the fact that it can be more easily mined on CPU resources rather than GPU.
These attacks are not new but are growing in prevalence and severity. As cryptocurrencies continue to gain popularity and value, so does the incentive for cybercriminals to exploit unsuspecting victims for financial gain. In this article, we’ll delve into how cryptojacking works, and the risks it poses, and share strategies and specific detections to identify attempts and neutralize efforts.
Cloud cryptojacking poses a severe threat to almost every business reliant on cloud-based infrastructure. Attackers exploit exposed cloud credentials, using sophisticated automation to launch attacks. These attacks can easily go undetected for weeks, months, or even years. Recently, Ukrainian police arrested a 29-year-old hacker believed to have illicitly mined over $2 million in cryptocurrency over the past two years.
Attackers target major cloud infrastructure providers such as AWS, Azure, and Google Cloud Platform, as well as smaller, potentially less secure providers, so no environment is immune. There are multiple methods to launch an attack, ranging from Browser-based JavaScript code (often embedded inside of an inline ad on a page), to Malware-based Cryptojacking, which **can quickly and easily infect an entire network. Once installed, this malware runs silently in the background, hijacking system resources to mine cryptocurrencies. Malware-based cryptojacking poses a greater threat than browser-based methods, as it can persist even after the user navigates away from the initial infection source, and will be the focus of this article.
Regardless of the method employed, the ultimate goal of cryptojacking is to generate cryptocurrency for the attacker while consuming the victim’s computing resources without their consent. Palo Alto’s Unit42 did an in-depth analysis of a fully automated cryptojacking campaign, where threat actors were programatically scanning GitHub repos for exposed AWS API keys, then using those keys to gain access to AWS accounts where they would spin up costly EC2 instances to mine Monero. Microsoft released a report about a similar campaign targeting Azure environments, where VMs were spun up to mine crypto in victim environments. Web servers are also a common target due to their exposed attack surface and the inherent vulnerabilities, or misconfigurations, of web server software like apache. Cryptojacking is such a prevalent attack vector that GCP recently launched a cryptomining protection program, essentially a $1 million insurance policy against cryptojacking attacks.
Beginning in Q3 2023, security researchers started to observe patterns of high-volume, automated attacks [T1593.003] to harvest exposed credentials from code repositories [T1552.001] and use those credentials [T1078.004] to create cloud computing resources with the goal of mining cryptocurrency [T1496]. More specifically, threat actors were programmatically scanning GitHub repos for exposed AWS API keys, then using those keys to gain access to AWS accounts where they would spin up costly EC2 instances to mine Monero.
While not as disruptive to business operations as other types of attacks like ransomware [T1486], cryptojacking often goes unnoticed [T1535] by victims and can cost them more than $10,000/day in cloud computing fees.
Financially motivated attackers – ranging from individuals like the aforementioned Ukrainian hacker who was arrested after cryptojacking $2 million worth of cryptocurrency, to nation-state-backed organizations like DPRK’s Lazarus Group – see cryptojacking as a low risk/high-reward technique to convert their hacking skills into cash [T1657].
Below is a killchain analysis, and several keep steps you can take to audit and mitigate risks.
Panther customers can receive protection from this type of sophisticated attack through our library of detections found on Github.
Cryptomining and cloud attacks have common patterns and telemetry that they generate. Let’s dive into the specifics of each, and their intersection for ideas on how to detect these threats in our cloud environments.
Cryptomining
Cloud Attacks
Python-based detections as code (DaC) will help transform threat detection by applying software engineering principles to cybersecurity.
DaC facilitates swift adaptation to evolving threats like cloud cryptojacking. Security teams can efficiently customize and enhance detection rules specific to cryptojacking, maintaining a vigilant defense against sophisticated tactics. Seamless integration with DevOps and infrastructure-as-code pipelines embeds security throughout the technology stack, from code development in GitHub logs to deployment in AWS logs, strengthening defenses against emerging threats like cryptojacking.
Swift and intuitive security investigations are paramount in effectively addressing emerging threats like cryptojacking. As the cybersecurity landscape continually evolves, the ability to rapidly and seamlessly investigate potential threats becomes a linchpin for maintaining the integrity of digital environments. Every second matters during an investigation and your tools should support a rapid search experience with intuitive, easy-to-interpret results.
Emerging threats like cloud cryptojacking often employ sophisticated and ever-changing tactics, strengthening the need for agility and adaptation in both threat detection and response. Swift investigations enable security teams to stay ahead of the curve, identifying and mitigating potential risks before they escalate. Leveraging a flexible, cost-effective security data lake delivers both budget savings and increased performance for even more efficient investigations. Furthermore, intuitive search results ensure that security analysts can quickly comprehend and react accurately to threats, reducing the window of vulnerability and fortifying overall cybersecurity resilience.
Check our a recent webinar where our threat research team walks through the use of these detections and discuss best practices for detecting and responding to potential risks of cryptojacking. During this session, our team highlights the use of key Panther capabilities such as Cross-log source search and leveraging correlation rules, and we leveraged Realtime detection and AI summarization to accelerate potential response.
Cryptojacking poses a significant threat to cloud environments, exploiting computational resources for unauthorized cryptocurrency mining. The risks include financial loss, performance degradation, data security and reputation damage. To mitigate these risks, we recommend that you adopt proactive security measures, including regular audits, least privilege access controls, monitoring, anti-malware solutions, and timely system updates. By implementing these strategies and deploying real-time detections, you can safeguard your infrastructure against the growing risks of cryptojacking and maintain the integrity and availability of your cloud resources.
If you benefit from Panther’s threat research content, please share this post with others online. Bookmark this page, as we post regular, non-sales, educational content and combine it with hands-on workshops designed to help you become a better-educated, more capable security practitioner.
