When talking about the biggest threats to the cloud, risks like misconfigurations, identity and access concerns and a lack of visibility into data tend to lead the list. But at Google Next23, cryptomining was frequently mentioned as a cloud security issue that is an often overlooked yet increasing threat.
“It’s an easy way for the bad guys to make money,” said Jeff Reed, vice president, product, Google Security, in a conversation at the conference.
For some threat actors, financial gain is the foundation of their cybercriminal activity—it’s all about the money they can make on the initial attack or in the future. But actors who are not normally financially motivated, those focused on espionage or on shaking up the political landscape, for example, still need money to fund their cybercriminal operations. That’s partly why there’s been a rise in ransomware attacks; it’s an easy way to make money. And for those threat actors targeting cloud environments, cryptomining is a favored way to bring in money.
In an analysis of cloud breaches, cryptomining is the most prevalent, said Reed. According to last fall’s Google Cybersecurity Action Team’s Threat Horizons Report, 65% of all compromised cloud accounts experienced cryptomining. Because cloud environments are complex, once inside, the threat actor can stay undetected for long periods of time—and the more time inside the cloud, the more cryptocurrency they mine.
Understanding Cloud Cryptomining
Cryptomining as most people know it required a lot of hardware, software, computing power and electricity. If your network was cryptojacked, there were tell-tale signs, like an excessive increase in power usage, slow and lagging computing performance and overheating.
By moving to the cloud, cryptomining is more cost effective. “Individuals and organizations can rent cloud computing resources from cloud computing providers like Amazon Web Services (AWS) and Microsoft Azure for cryptomining,” a Splunk blog post explained. Because of the easy scalability of the cloud, cryptominers have a lot more flexibility in how they operate.
All the benefits of cloud-based cryptomining for legitimate miners are what make it so appealing to threat actors. Once inside the cloud network, the cryptojackers can take over the infrastructure for mining within seconds. They are often able to gain access to cloud accounts through stolen or compromised credentials, allowing the threat actors to remain in stealth mode for long periods of time, sometimes not detected until someone notices the rise in cloud usage costs or unusually poor performance in the applications and devices connected to the cloud network.
While in your cloud network, threat actors aren’t just able to make money from their unauthorized cryptomining. If they’re already established inside your cloud network, they can now launch other types of attacks, ranging from malware to DDoS. They have the upper hand here until they are detected.
Detecting Cryptojacking in the Cloud
Preventing cryptojacking in your cloud environment requires detection tools that rely on behavior and real-time models. Best practices to follow to detect illicit cryptomining include:
• Enable threat detection services across all projects and devices.
• Enable Stage-0 event detection. Google described Stage-0 events as the first step of cryptomining attacks in the cloud environment.
• Set up cloud DNS logging to monitor traffic across the cloud environment, and monitor for unusual spikes in cloud usage.
• Apply least privilege principles to limit access to cloud applications, and use identity management solutions to recognize authentication anomalies.
• Use scanning tools to detect misconfigurations.
• Designate contacts who are responsible for acting on security notifications.
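Two of the practices above, reviewing cloud DNS logs for traffic to mining infrastructure and watching for unusual spikes in cloud usage, can be turned into simple detection logic. The following is an added example written for this article; it is not code from Google, Splunk or any cloud provider. The DNS log records, their JSON field names (queryName, sourceIP), the per-project vCPU-hour series and the indicator watchlist are all constructed for the example; a real deployment would read the provider's actual log export and use a maintained threat-intelligence feed instead of the hard-coded substrings.

```python
import json
import statistics
from dataclasses import dataclass

# Constructed sample of DNS query-log records. The field layout is an
# assumption for this example, not any provider's real log schema.
SAMPLE_DNS_LOGS = [
    '{"queryName": "updates.example-corp.internal.", "sourceIP": "10.0.1.5"}',
    '{"queryName": "stratum.pool-example.test.", "sourceIP": "10.0.1.9"}',
    '{"queryName": "api.example-corp.internal.", "sourceIP": "10.0.1.5"}',
    '{"queryName": "xmr.miner-example.test.", "sourceIP": "10.0.1.9"}',
    '{"queryName": "storage.googleapis.com.", "sourceIP": "10.0.1.7"}',
]

# Hypothetical watchlist of substrings seen in mining-pool hostnames.
# Substring matching is coarse; treat hits as triage leads, not verdicts.
MINING_INDICATORS = ("stratum", "xmr", "minepool")

# Constructed hourly vCPU-hours per project; the last sample is "now".
SAMPLE_USAGE = {
    "project-a": [40, 42, 41, 39, 43, 40, 41, 44, 42, 40, 41, 43, 160],
    "project-b": [12, 11, 13, 12, 12, 11, 14, 12, 13, 12, 11, 12, 13],
}


@dataclass
class DnsFinding:
    source_ip: str
    query_name: str
    indicator: str


def scan_dns_logs(lines, indicators=MINING_INDICATORS):
    """Flag DNS queries whose name contains a watchlisted substring."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        name = rec.get("queryName", "").lower()
        for ind in indicators:
            if ind in name:
                findings.append(DnsFinding(rec.get("sourceIP", "?"), name, ind))
                break
    return findings


def usage_spikes(series_by_project, threshold=3.0):
    """Return {project: z-score} where the latest sample is an outlier.

    The baseline is every sample except the most recent one; a latest
    value at or above `threshold` standard deviations is a spike.
    """
    spikes = {}
    for project, samples in series_by_project.items():
        if len(samples) < 3:
            continue  # not enough history to form a baseline
        baseline, latest = samples[:-1], samples[-1]
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1e-9  # flat series guard
        z = (latest - mean) / stdev
        if z >= threshold:
            spikes[project] = round(z, 1)
    return spikes


def noisy_sources(findings):
    """Count suspicious queries per source IP to prioritise triage."""
    counts = {}
    for f in findings:
        counts[f.source_ip] = counts.get(f.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_dns_logs(SAMPLE_DNS_LOGS)
    for h in hits:
        print(f"DNS indicator '{h.indicator}' from {h.source_ip}: {h.query_name}")
    print("sources by hit count:", noisy_sources(hits))
    print("usage spikes (z-score):", usage_spikes(SAMPLE_USAGE))
```

On the constructed data, both watchlisted queries come from the same source IP, which is the kind of correlation that points an analyst at a specific workload, and project-a's final hour is tens of standard deviations above its baseline while project-b stays quiet. The z-score approach deliberately uses the project's own history rather than a fixed threshold, since a legitimate batch job in one project can look like an attack in another.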
Cryptomining attacks are a serious security problem for organizations, and it is not a coincidence that the spike in cloud-based attacks came as organizations moved more of their production from on-premises to the cloud. It highlights the need for overall cloud security; the more that is done upfront to prevent vulnerabilities that open the cloud to attacks, the better you can protect your network from cryptojacking.