Critical Steps To Detect and Prevent Cryptojacking In Your Cloud Infrastructure

To understand cryptojacking, you must first understand how cryptomining works. Cryptomining is the act of using your own compute resources to validate blockchain transactions, contributing processing power in exchange for payment in cryptocurrency.

Cryptojacking occurs when malicious actors take control of a victim’s computing resources to secretly mine cryptocurrency for their benefit – it is much more profitable for the attackers since they don’t have to pay for the compute. Any type of cryptocurrency can be mined for cryptojacking attacks, but it’s usually Monero due to the difficulty in tracing transactions, and the fact that it can be more easily mined on CPU resources rather than GPU.

These attacks are not new but are growing in prevalence and severity. As cryptocurrencies continue to gain popularity and value, so does the incentive for cybercriminals to exploit unsuspecting victims for financial gain. In this article, we’ll delve into how cryptojacking works and the risks it poses, and share strategies and specific detections to identify attempts and neutralize them.

Growing Risks

Cloud cryptojacking poses a severe threat to almost every business reliant on cloud-based infrastructure. Attackers exploit exposed cloud credentials, using sophisticated automation to launch attacks. These attacks can easily go undetected for weeks, months, or even years. Recently, Ukrainian police arrested a 29-year-old hacker believed to have illicitly mined over $2 million in cryptocurrency over the past two years.

Attackers target major cloud infrastructure providers such as AWS, Azure, and Google Cloud Platform, as well as smaller, potentially less secure providers, so no environment is immune. There are multiple methods to launch an attack, ranging from browser-based JavaScript code (often embedded inside of an inline ad on a page) to malware-based cryptojacking, which can quickly and easily infect an entire network. Once installed, this malware runs silently in the background, hijacking system resources to mine cryptocurrencies. Malware-based cryptojacking poses a greater threat than browser-based methods, as it can persist even after the user navigates away from the initial infection source, and will be the focus of this article.

Regardless of the method employed, the ultimate goal of cryptojacking is to generate cryptocurrency for the attacker while consuming the victim’s computing resources without their consent. Palo Alto’s Unit 42 did an in-depth analysis of a fully automated cryptojacking campaign, where threat actors were programmatically scanning GitHub repos for exposed AWS API keys, then using those keys to gain access to AWS accounts where they would spin up costly EC2 instances to mine Monero. Microsoft released a report about a similar campaign targeting Azure environments, where VMs were spun up to mine crypto in victim environments. Web servers are also a common target due to their exposed attack surface and the inherent vulnerabilities, or misconfigurations, of web server software like Apache. Cryptojacking is such a prevalent attack vector that GCP recently launched a cryptomining protection program, essentially a $1 million insurance policy against cryptojacking attacks.

Attack Scenario

Beginning in Q3 2023, security researchers started to observe patterns of high-volume, automated attacks [T1593.003] to harvest exposed credentials from code repositories [T1552.001] and use those credentials [T1078.004] to create cloud computing resources with the goal of mining cryptocurrency [T1496]. More specifically, threat actors were programmatically scanning GitHub repos for exposed AWS API keys, then using those keys to gain access to AWS accounts where they would spin up costly EC2 instances to mine Monero.

While not as disruptive to business operations as other types of attacks like ransomware [T1486], cryptojacking often goes unnoticed [T1535] by victims and can cost them more than $10,000/day in cloud computing fees.

Financially motivated attackers – ranging from individuals like the aforementioned Ukrainian hacker who was arrested after cryptojacking $2 million worth of cryptocurrency, to nation-state-backed organizations like DPRK’s Lazarus Group – see cryptojacking as a low-risk/high-reward technique to convert their hacking skills into cash [T1657].

Kill Chain Analysis

Below is a kill chain analysis, along with several key steps you can take to audit and mitigate risks.

  • Search Code Repositories [T1593.003]: Threat actors use automated scripts to clone GitHub repos to search for exposed AWS credentials.
  • Credentials in Files [T1552.001]: When exposed credentials are discovered, the threat actors quickly pivot into the target AWS account. Since this process is fully automated, it can take as little as 4 minutes from the GitHub clone to the AWS login.
  • Valid Cloud Accounts [T1078.004]: Once inside the AWS account, the threat actors start by enumerating the privileges of their newly compromised account to ensure it has the necessary permissions to achieve their goals.
  • Resource Hijacking [T1496]: New EC2 instances are launched with startup scripts to run cryptomining software. Many large instances are created in a short period of time and start communicating with cryptomining domains.

Detection And Response: Steps And Best Practices

Panther customers can receive protection from this type of sophisticated attack through our library of detections found on GitHub.

Cryptomining and cloud attacks each generate common patterns and telemetry. Let’s dive into the specifics of each, and their intersection, for ideas on how to detect these threats in our cloud environments.

Cryptomining

  • Miner software
    • Miner software has unique file hashes that can be detected by EDR or antivirus software. Cryptojacking attacks usually spin up new resources without these protections, so they can be harder to detect. Web server attacks might have EDR/AV to catch cryptojacking early, so make sure web servers are adequately protected.
  • High compute
    • Cryptomining is very compute-intensive, usually maxing out the resources on the target machine. Most cryptocurrencies must use GPU resources to be efficient, but some, like Monero, can be mined on CPU. That is why Monero is the primary coin mined in cryptojacking attacks – cloud resources and web servers usually don’t have GPUs. Observability software can help detect large spikes in resource utilization.
  • High Volume data transfer
    • Miners download new blocks to solve, upload solved blocks, and distribute the blockchain to the peer-to-peer network. This can amount to multiple terabytes in and out per month. Monitor for large spikes in data transfer.
  • Network communication to cryptomining pool domains
    • Search for DNS requests to known cryptomining domains.
  • Common ports for mining protocols
    • Cryptomining pools use specific ports, but most of the time those ports are also used by other legitimate protocols. Detection by port is possible, but it can be prone to false positives.
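
The last two signals above work best together. The following is an added example, not code from Panther's detection library: it matches DNS queries against a pool-domain list on label boundaries and treats a mining-port flow as a weak signal unless the same host also resolved a pool domain. The domain list, the port list, the record field names and the sample telemetry are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed inputs: placeholder pool domains and an illustrative port list.
# Replace both with a maintained threat-intelligence feed.
POOL_DOMAINS = {"pool.example", "xmr-pool.example.net"}
MINING_PORTS = {3333, 5555, 14444}

def is_pool_domain(qname, pools=POOL_DOMAINS):
    """Match on label boundaries so 'notpool.example' misses 'pool.example'."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in pools for i in range(len(labels)))

def score_hosts(dns_events, flow_events):
    """Return {host: (severity, reasons)} from DNS and flow telemetry.

    A pool-domain lookup is a strong signal on its own. A mining-port flow
    alone is weak because the ports are shared with legitimate services, so
    it only raises severity when the same host also resolved a pool domain.
    """
    reasons = defaultdict(list)
    for e in dns_events:
        if is_pool_domain(e["query"]):
            reasons[e["src_host"]].append(f"dns:{e['query']}")
    dns_hosts = set(reasons)
    for f in flow_events:
        if f["dst_port"] in MINING_PORTS:
            reasons[f["src_host"]].append(f"port:{f['dst_port']}")
    result = {}
    for host, why in reasons.items():
        has_port = any(r.startswith("port:") for r in why)
        if host not in dns_hosts:
            result[host] = ("INFO", why)      # port only: likely noise
        elif has_port:
            result[host] = ("HIGH", why)      # lookup plus matching flow
        else:
            result[host] = ("MEDIUM", why)    # lookup only
    return result

# Constructed sample telemetry (not real log data).
DNS = [
    {"src_host": "i-web01", "query": "eu.pool.example."},
    {"src_host": "i-web02", "query": "notpool.example"},
    {"src_host": "i-batch", "query": "XMR-Pool.Example.Net"},
]
FLOWS = [
    {"src_host": "i-web01", "dst_port": 3333},
    {"src_host": "i-dev07", "dst_port": 3333},
]
```

Calling `score_hosts(DNS, FLOWS)` on the sample ranks `i-web01` highest and leaves the port-only host `i-dev07` at informational severity.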

Cloud Attacks

  • Exposed API keys or credentials
    • API keys in GitHub repos can usually be detected by GitHub’s secret scanning feature, which notifies AWS and applies an AWSCompromisedKeyQuarantine policy to the compromised keys.
  • Enumerating privileges
    • Once an attacker gains access to a new cloud environment, the first thing they will usually do is enumerate what permissions they have.
  • Creating compute resources
    • For cryptojacking, look for many high-compute instances created in a short period. Attackers know they will be caught sooner or later, so they will try to maximize the mining output.
  • Modifying startup scripts
    • A common technique for many cloud attacks is to modify the startup scripts of VMs/EC2 instances, so that scripts run on startup and persist between reboots. This is used in cryptojacking and cloud ransomware attacks.
  • Data egress
    • Data egress is another common technique in many cloud attacks, whether for exfiltrating sensitive data or communicating with cryptomining pools.
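
The "many high-compute instances created in a short period" signal can be expressed as a sliding-window count over CloudTrail `RunInstances` events. This is an added example, not code from Panther's detection library; the thresholds, the size-suffix list, the `make_event` helper, the key names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # assumed thresholds; tune to your baseline
MAX_INSTANCES = 10
LARGE_SUFFIXES = ("xlarge", "metal")  # e.g. c5.4xlarge, c5.metal

def requested_count(event):
    """Sum maxCount over the items of one RunInstances request."""
    items = event["requestParameters"].get("instancesSet", {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items) or 1

def detect_bursts(events):
    """Alert once per access key that launches more than MAX_INSTANCES
    large instances inside WINDOW, counted across all regions."""
    windows = defaultdict(deque)  # access key -> (time, count, region)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "RunInstances" or ev.get("errorCode"):
            continue  # ignore other API calls and failed launches
        itype = ev["requestParameters"].get("instanceType", "")
        if not itype.endswith(LARGE_SUFFIXES):
            continue
        key = ev["userIdentity"].get("accessKeyId", "unknown")
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        win = windows[key]
        win.append((ts, requested_count(ev), ev.get("awsRegion")))
        while ts - win[0][0] > WINDOW:
            win.popleft()  # drop launches older than the window
        total = sum(count for _, count, _ in win)
        if total > MAX_INSTANCES and key not in alerted:
            alerted.add(key)
            alerts.append({"accessKeyId": key, "instances": total,
                           "regions": sorted({r for _, _, r in win})})
    return alerts

def make_event(time, key, itype, n, region):  # constructed CloudTrail-shaped record
    return {"eventName": "RunInstances", "eventTime": time, "awsRegion": region,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"instanceType": itype, "instancesSet":
                                  {"items": [{"minCount": n, "maxCount": n}]}}}

SAMPLE = [  # constructed events, not real log data
    make_event("2024-01-01T10:00:00Z", "KEY-LEAKED", "c5.4xlarge", 5, "us-east-1"),
    make_event("2024-01-01T10:03:00Z", "KEY-LEAKED", "c5.4xlarge", 5, "us-west-2"),
    make_event("2024-01-01T10:05:00Z", "KEY-LEAKED", "c5.9xlarge", 4, "eu-west-1"),
    make_event("2024-01-01T10:01:00Z", "KEY-CI", "t3.micro", 20, "us-east-1"),
    make_event("2024-01-01T09:00:00Z", "KEY-OPS", "m5.xlarge", 6, "us-east-1"),
    make_event("2024-01-01T11:00:00Z", "KEY-OPS", "m5.xlarge", 6, "us-east-1"),
]
```

On the sample, only `KEY-LEAKED` alerts: 14 large instances across three regions within five minutes, while the small-instance batch and the two launches spaced two hours apart stay below the threshold.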

Leveraging Detections As Code (DaC) To Enhance Threat Detection

Python-based detections as code (DaC) will help transform threat detection by applying software engineering principles to cybersecurity.

DaC facilitates swift adaptation to evolving threats like cloud cryptojacking. Security teams can efficiently customize and enhance detection rules specific to cryptojacking, maintaining a vigilant defense against sophisticated tactics. Seamless integration with DevOps and infrastructure-as-code pipelines embeds security throughout the technology stack, from code development in GitHub logs to deployment in AWS logs, strengthening defenses against emerging threats like cryptojacking.

Improving Speed of Cryptojacking Investigations

Swift and intuitive security investigations are paramount in effectively addressing emerging threats like cryptojacking. As the cybersecurity landscape continually evolves, the ability to rapidly and seamlessly investigate potential threats becomes a linchpin for maintaining the integrity of digital environments. Every second matters during an investigation and your tools should support a rapid search experience with intuitive, easy-to-interpret results.

Emerging threats like cloud cryptojacking often employ sophisticated and ever-changing tactics, strengthening the need for agility and adaptation in both threat detection and response. Swift investigations enable security teams to stay ahead of the curve, identifying and mitigating potential risks before they escalate. Leveraging a flexible, cost-effective security data lake delivers both budget savings and increased performance for even more efficient investigations. Furthermore, intuitive search results ensure that security analysts can quickly comprehend and react accurately to threats, reducing the window of vulnerability and fortifying overall cybersecurity resilience.

Watch On Demand

Check out a recent webinar where our threat research team walks through the use of these detections and discusses best practices for detecting and responding to potential risks of cryptojacking. During this session, our team highlights the use of key Panther capabilities such as cross-log source search and correlation rules, and uses real-time detection and AI summarization to accelerate potential response.

Conclusion

Cryptojacking poses a significant threat to cloud environments, exploiting computational resources for unauthorized cryptocurrency mining. The risks include financial loss, performance degradation, data security and reputation damage. To mitigate these risks, we recommend that you adopt proactive security measures, including regular audits, least privilege access controls, monitoring, anti-malware solutions, and timely system updates. By implementing these strategies and deploying real-time detections, you can safeguard your infrastructure against the growing risks of cryptojacking and maintain the integrity and availability of your cloud resources.

If you benefit from Panther’s threat research content, please share this post with others online. Bookmark this page, as we post regular, non-sales, educational content and combine it with hands-on workshops designed to help you become a better-educated, more capable security practitioner.
