How to prevent cloud cryptojacking attacks on your enterprise
As the value of bitcoin has risen over the last year, so has the prevalence of cloud cryptojacking attacks. Expert Rob Shapland explains how enterprises can prevent these attacks.
Cybercriminals constantly seek new methods to monetize their attacks. Ransomware and CEO fraud have provided a very reliable source of income in recent years, but the surge in cryptocurrency prices over the last 12 months has led to the development of a new method of generating funds -- cryptojacking.
Instead of installing remote access Trojans or ransomware, cryptojacking hackers install cryptomining software onto vulnerable devices and steal their computing power to generate large volumes of cryptocurrency that can then be traded anonymously.
The most high-profile company known to have been affected by a cloud cryptojacking attack recently is Tesla. Hackers took advantage of a misconfigured cloud administration interface to gain access to Tesla's systems, and then found the password for part of its AWS infrastructure. They then surreptitiously installed cryptomining software to mine bitcoin.
It is unclear how much they were able to mine before Tesla was made aware of the exposed cloud services, but we know of other cloud cryptojacking attacks that have netted millions of dollars.
How to prevent cloud cryptojacking attacks
Preventing cloud cryptojacking attacks requires an organization to examine its overall security maturity and cyber resilience.
First, organizations must prevent hackers from finding an easy method to breach their cloud infrastructure. In order to automate the process of installing cryptojacking software, hackers use mass scanners to scour the internet for signatures associated with cloud services that may be misconfigured, such as those that do not require a password. Therefore, the first step for an organization should be to harden its cloud infrastructure and ensure that all its services are protected with strong passphrases, and that multifactor authentication is enabled where possible.
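The hardening step above (strong credentials everywhere, multifactor authentication wherever it is supported) is easiest to keep honest with a recurring audit. The script below is an added example, not code from the article or its author: it reads a credential report in the column layout of the AWS IAM credential report (a constructed sample with a subset of the real columns is embedded) and flags console users without MFA, an active access key on the root account, and active keys that have not been used for a long time, which are the kind of forgotten credentials a mass scanner's follow-up attack relies on. The date values, user names and the 90-day staleness threshold are assumptions chosen for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the AWS IAM credential report
# (only a subset of its columns; "N/A" is what the real report uses for a
# missing date, and the root account reports password_enabled as
# "not_supported" because its console password cannot be disabled).
# These are not real account entries.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,not_supported,false,true,2018-02-01T10:00:00+00:00
alice,true,true,true,2018-03-10T08:12:00+00:00
bob,true,false,false,N/A
ci-deploy,false,false,true,2017-06-01T00:00:00+00:00
"""

# Reference date for the sample (constructed); a real run would use the current time.
AS_OF = datetime(2018, 3, 15, tzinfo=timezone.utc)
STALE_KEY_DAYS = 90  # assumed policy threshold for unused access keys


def _parse_date(value):
    """Map the report's 'no date' markers to None, otherwise parse ISO 8601."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=AS_OF):
    """Return {user: [finding, ...]} for every principal that fails a check.

    Checks: console access without MFA, an active access key on the root
    account, and active access keys unused for more than STALE_KEY_DAYS.
    Users with no findings are omitted from the result.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        # Root always has console access even though the report says "not_supported".
        has_console = row["password_enabled"] in ("true", "not_supported")
        if has_console and row["mfa_active"] != "true":
            issues.append("console access without MFA")
        if row["access_key_1_active"] == "true":
            if user == "<root_account>":
                issues.append("root account has an active access key")
            last_used = _parse_date(row["access_key_1_last_used_date"])
            if last_used is None or (now - last_used).days > STALE_KEY_DAYS:
                issues.append(f"active access key unused for more than {STALE_KEY_DAYS} days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Run as a scheduled job against the real report, the output is a short list of principals to fix; an empty result is the state the hardening step is meant to reach and keep.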
The security of the operating systems and software installed on cloud instances is the organization's responsibility, and endpoint protection should be used on all on-premises devices. This should enable users to detect and quarantine malware, such as cryptominers.
The next step is for the organization to have a method to detect whether the cloud services it employs are being misused. Cryptomining is an intensive process that uses significant computing power. Because cloud usage is charged based on the processing power used, any fluctuations in costs should be flagged. It is possible that this cost change may go unnoticed in a company the size of Tesla due to its large cloud services footprint, but it should be possible for smaller companies and those with precise control of their cloud infrastructure.
Although tracking increases in cloud usage can help detect cryptomining software, organizations can also use network monitoring, which is available by default in the administration console of major IaaS providers. However, this does require that the organization have dedicated staff to track the security of its cloud environments, or that it outsource this work to a separate security operations center.
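The two detection signals described above, a jump in the bill and a jump in the resource usage behind it, can be watched with the same simple baseline check. The following is an added example, not code from the article or its author: it takes a daily series for each metric (a constructed 14-day sample is embedded, with the last five days shaped like a fleet whose every core is busy mining) and flags any day that exceeds 1.5 times the median of the last seven unflagged days. Keeping flagged days out of the baseline is the detail that matters: a miner that has been running for a week must not become the new normal. The metric names, window size and threshold factor are assumptions chosen for the example.

```python
from collections import deque
from statistics import median

# Constructed sample metrics for one cloud account, one value per day for 14
# days. Days 1-9 are normal operation; from day 10 onward the numbers are
# shaped to resemble a miner running on every core of the fleet.
# Not real billing or monitoring data.
SAMPLE_METRICS = {
    "daily_cost_usd": [100, 102, 98, 101, 99, 103, 100, 101, 99, 160, 175, 180, 178, 182],
    "avg_cpu_pct":    [12, 15, 11, 14, 13, 12, 14, 13, 12, 97, 98, 99, 97, 98],
}


def flag_anomalies(values, window=7, factor=1.5):
    """Flag days whose value exceeds `factor` times the median of the last
    `window` unflagged days.

    The first `window` days only build the baseline. Flagged days are not
    added to the baseline, so a sustained spike keeps being reported instead
    of quietly raising the threshold.
    """
    clean = deque(maxlen=window)
    flagged = []
    for day, value in enumerate(values, start=1):
        if len(clean) < window:
            clean.append(value)        # still building the initial baseline
            continue
        baseline = median(clean)
        if value > factor * baseline:
            flagged.append({"day": day, "value": value, "baseline": baseline})
        else:
            clean.append(value)        # normal day: roll it into the baseline
    return flagged


def detect_all(metrics=SAMPLE_METRICS, **kwargs):
    """Run the baseline check over every metric series and return the hits per metric."""
    return {name: flag_anomalies(series, **kwargs) for name, series in metrics.items()}


if __name__ == "__main__":
    for metric, hits in detect_all().items():
        for hit in hits:
            print(f"{metric}: day {hit['day']} = {hit['value']} (baseline {hit['baseline']})")
```

On the sample both metrics light up from day 10, which is the point: the cost signal alone may be lost in a large footprint, as the article notes for Tesla, but utilization per instance or per account is available from the provider's monitoring console and the same check applies to it unchanged.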
By taking control of large numbers of devices, cybercriminals can outsource the costs associated with the mining process. Compared to other types of cyberattacks, this has a relatively low impact on the victim. However, by combining prevention and detection, it is possible to stop an organization from falling victim to cloud cryptojacking attacks.