
Enterprises wear large targets in cloud cryptomining hacks

Several examples of cryptojacking highlight organizational difficulties -- or outright neglect -- in securing AWS environments. Whether the trend continues is up to enterprise IT.

Data privacy remains a significant cloud concern, as publicly exposed S3 buckets continue to leave many in the AWS community with egg on their faces. But an emerging trend with a catchy name could take the cake in 2018.

Several recent, prominent cases of cryptojacking have placed enterprise security teams on alert. With this type of intrusion, an attacker gains entry to an organization's resources to discreetly mine cryptocurrency for financial gain.

Recent targets for cryptojackers reveal how attackers gain access via unsecured resources. In the case of the Los Angeles Times, attackers exploited an unsecured S3 bucket with write permissions to implement code that siphoned end-user CPU power for cryptomining. With Tesla, an internet-exposed Kubernetes console without password protection allowed an attacker to run cloud cryptomining scripts on Kubernetes instances. Gemalto, a digital security company based in Amsterdam, and Aviva, a British insurance company, also experienced cloud cryptomining attacks within the last year, both resulting from exposed Kubernetes consoles.
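The Los Angeles Times incident above came down to an S3 bucket that anyone could write to. As an added example (not code from the article or any vendor named in it), the check below flags ACL grants and bucket-policy statements that give write access to every principal; the input shapes follow what boto3's get_bucket_acl and get_bucket_policy return, and the sample bucket data is constructed.

```python
"""Flag S3 bucket ACL grants and policy statements that let anyone write.
Added example, not from the article or any vendor; sample data is constructed."""
import json

PUBLIC_GROUPS = {  # canned ACL grantee URIs that mean "everyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_write_findings(acl, policy_json=None):
    """Return human-readable findings for world-writable ACL grants and statements."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    if policy_json:
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
                continue
            risky = [a for a in _as_list(stmt.get("Action", [])) if a.lower() in WRITE_ACTIONS]
            # A Condition block (e.g. aws:SourceVpc) may narrow the grant; only unconditional ones are flagged.
            if risky and not stmt.get("Condition"):
                findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {risky} to any principal")
    return findings


# Constructed sample: owner keeps FULL_CONTROL, but AllUsers gets WRITE through the ACL
# and a policy statement opens s3:PutObject to every principal.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

Read-only public grants (the PublicRead statement) are deliberately not reported here, since the point is the write path an intruder needs to plant code.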

Instances of cryptojacking have increased roughly in proportion to the ubiquity and value of cryptocurrency in the last year. RedLock, a cloud security and compliance company in Menlo Park, Calif., claimed 8% of organizations -- a composite figure of RedLock customers and other public companies -- have had cryptojacking attacks take place within their environments; this number will continue to rise due to the numerous ways to exploit cloud environments.

Many enterprises still fail to properly configure their software, said Gaurav Kumar, CTO and head of the RedLock CSI research team. He singled out Kubernetes and Jenkins, a popular open source automation tool, as common targets for cloud cryptomining. In these situations, an AWS environment is just as susceptible as any other public cloud environment -- all with vast arrays of computing options. "An attacker can really exploit this vulnerability and can do much more mining than was otherwise possible [on premises]," he said.

Take a good look at your environment

Cloud security vendors such as RedLock, Evident.io and Alert Logic use a variety of methods to detect and thwart attacks, monitoring network, configuration and audit data to identify unusual activity in a customer's cloud environment.

This multipronged approach is especially important, as attackers employ more sophisticated and elusive techniques to prolong their mining operations. In Tesla's case, the intruder kept CPU usage low, used an atypical port and obscured his or her location behind a public Cloudflare IP address, which can be shared by thousands of users.
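A miner that keeps CPU low and talks on an atypical port will not trip a utilization alarm, but it still has to hold a connection open for hours, which shows up in network data. As an added example (not from the article or any vendor), this pass over constructed VPC Flow Log records flags the same instance talking persistently to one destination on a port outside a hypothetical baseline; the port allowlist and thresholds are assumptions to tune per workload.

```python
"""Flag persistent, low-volume connections to unusual ports in VPC Flow Logs.
Added example, not from the article or any vendor; records are constructed
in the default VPC Flow Log (version 2) field order."""
from collections import defaultdict

EXPECTED_PORTS = {53, 80, 443}   # hypothetical baseline of ports this workload should use
MIN_RECORDS = 4                  # same ENI->dst:port pair seen at least this many times...
MIN_SPAN_SECONDS = 3600          # ...across at least this long a window

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA rows carry no flow and are skipped."""
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def persistent_atypical_connections(text):
    """Return sorted (interface_id, dstaddr, dstport, records, span_seconds, bytes)
    for accepted flows that keep talking to an unexpected port for a long time."""
    stats = defaultdict(lambda: [0, None, 0, 0])   # count, first start, last end, bytes
    for rec in parse_flow_log(text):
        if rec["action"] != "ACCEPT" or rec["dstport"] in EXPECTED_PORTS:
            continue
        s = stats[(rec["interface_id"], rec["dstaddr"], rec["dstport"])]
        s[0] += 1
        s[1] = rec["start"] if s[1] is None else min(s[1], rec["start"])
        s[2] = max(s[2], rec["end"])
        s[3] += rec["bytes"]
    return sorted((eni, dst, port, c, last - first, b)
                  for (eni, dst, port), (c, first, last, b) in stats.items()
                  if c >= MIN_RECORDS and last - first >= MIN_SPAN_SECONDS)


# Constructed sample: ordinary HTTPS, one rejected inbound probe, a NODATA row,
# and a host holding a small, steady connection to an odd port for two hours.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.10 49152 443 6 120 98000 1519830000 1519830600 ACCEPT OK
2 111122223333 eni-0a1b2c3d 192.0.2.44 10.0.1.25 55000 22 6 3 180 1519830000 1519830600 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1519830600 1519831200 - NODATA
2 111122223333 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49160 7001 6 40 6200 1519830000 1519830600 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49160 7001 6 38 5900 1519832400 1519833000 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49160 7001 6 41 6300 1519834800 1519835400 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49160 7001 6 39 6100 1519836600 1519837200 ACCEPT OK
"""
```

A destination that resolves to a shared CDN address, as in the Tesla case, is exactly why the rule keys on persistence and port rather than on destination reputation.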

Within many enterprises, cloud security teams play catch-up, as dev teams sprint headlong into the cloud. This can create a variety of potential issues regarding comprehension of the AWS shared security model, patch management and automation.

"This is just an extension of existing security problems within an enterprise," said Nick Lewis, program manager for security and identity at Internet2, a nonprofit computer networking consortium based in Ann Arbor, Mich.

While cloud sprawl is a natural challenge for these enterprises and their large workloads, the bigger problem comes from lack of visibility and a proportional lack of personnel investment to secure those environments. "You don't want to have the security team approve everything, because that creates a bottleneck that may be unnecessary," Lewis said. "It's getting security teams up to speed, but it's also having enough resources within these security teams to be able to work on that."

AWS has a variety of security services and features designed to combat a range of security-related threats, including GuardDuty for intelligent threat detection, Inspector for application vulnerability assessment and Macie for a machine-learning-based approach to identify and protect sensitive data. Third-party tools in the AWS Marketplace provide more detailed protection, but it's all for naught if enterprises don't take the basic steps to secure their own cloud environments, such as restricting outbound traffic and encrypting databases. This problem becomes increasingly vexing as cloud deployments mature and add high-level services with their own configuration quirks.

As cloud providers launch more services and more rapidly, the chances of something going wrong get higher and higher.

"You cannot blame your bank or mortgage company for not locking the doors on your house," said Andras Cser, principal analyst at Forrester Research. "It's an enterprise problem. The cloud providers such as AWS are trying to decrease the default entitlements and reduce the overprivileged nature of their cloud platforms."

It doesn't stop with cryptojacking


Time is a cryptojacker's greatest asset. The longer a polluted VM runs, the more cryptocurrency it can mine, which is why many of these hackers take a stealthy approach.

For example, if an attacker maxes out CPU for a resource, the chances a security team will notice dramatically increase. For this reason, some attackers target many environments at once for cloud cryptomining and leech small amounts of compute power from each. This approach requires less legwork, and carries less risk of exposure, than an attempt to sell sensitive S3 data on the black market.

Cryptojacking is just one method to monetize intrusion into a cloud environment. For example, an attacker could deploy comparatively harmless spam or botnets. They could also take a far more disruptive approach with ransomware that threatens to lock down or delete vital resources in the cloud or back on premises through, for example, Active Directory. Some businesses have already experienced that approach with their S3 data leaks.

"Cryptojacking is one of the problems that a misconfiguration can cause, but beyond that, you're going to have data loss, data breaches and all those other bad things happen," Cser said.

For this reason, RedLock recommends enterprises adjust their thinking -- network intrusion is a matter of when, not if. With that assumption, organizations can apply dedicated approaches to cloud security and implement disaster recovery procedures that reduce a ransomware attack to mere inconvenience.

Still, many enterprises simply enter the cloud running before they can walk. A step back to basics, Lewis said, could do wonders for their network security posture.

"It's essentially the same thing security people have been saying for 30 years: Make sure you apply your patches and keep your systems up to date," Lewis said.
