As the world becomes increasingly digital, the use of cloud services has skyrocketed. In the wake of the pandemic, cloud adoption has accelerated even further, making it a critical infrastructure for many organizations. However, with this increased adoption comes a new category of security threats – cryptojacking.
The number of cryptojacking attacks targeting cloud infrastructure is reported to have risen steadily over the past year, with a marked spike during the pandemic as more businesses shifted to remote work and increased their reliance on cloud services. According to a report by Cybersecurity Ventures, the global cost of cryptojacking is projected to reach $11.5 billion by 2023, highlighting the need for organizations to take proactive measures to protect themselves.
Risks of Cryptojacking in the Cloud
Cryptojacking, also referred to as malicious crypto mining, is the unauthorized use of an individual’s or organization’s computing power to mine cryptocurrency. This type of cyberattack is becoming increasingly prevalent in the cloud threat landscape and exploits misconfigured cloud-account settings to siphon off computing power for monetization.
Though cryptojacking campaigns are not yet causing the same level of disruption and destruction as other cyberattacks such as wiper attacks, they are a growing concern for cloud providers and adopters alike. In this article, we will explore the risks and evasion techniques of cryptojacking campaigns targeting cloud infrastructure and the protection measures that are available to defend against them.
The primary risk of cryptojacking in the cloud is the unauthorized use of an organization’s computing power and resources. This leads to higher cloud bills and a decrease in overall performance. Additionally, a cryptojacking operation can also lead to data breaches and the exfiltration of sensitive information, as attackers look for further ways to monetize the hosts they have compromised.
Evasion Techniques of Cryptojacking Campaigns
Cryptojacking campaigns are becoming increasingly sophisticated, with attackers using a variety of evasion techniques to avoid detection. Some of the most common evasion techniques include:
- Misconfigured Cloud Settings: Attackers are exploiting misconfigured cloud settings to gain access to an organization’s computing power and resources. This can include weak default security settings and unsecured cloud accounts.
- Serverless Computing and Containers: Cryptojacking campaigns have been targeting serverless functions and containers for some years now, because the ease with which such cloud resources can be compromised makes them an attractive target.
- DNS over HTTPS (DoH): The Denonia malware, for example, uses DNS over HTTPS (DoH), sending its DNS queries over HTTPS to DoH-capable resolvers. This allows attackers to hide within encrypted traffic, making it difficult for cloud providers to see their malicious DNS lookups.
- Timestamp Manipulation: CoinStomp, a cloud-native malware, uses timestamp manipulation (timestomping) as an anti-forensics technique to evade detection.
Cryptojacking malware can also rely on traditional evasion techniques used by other malware families, such as steganography, DLL hijacking or binary padding.
Protection Measures
Despite the growing sophistication of cryptojacking campaigns, there are several protection measures available to defend against them. These include:
- Cloud Workload Protection Platforms (CWPPs): CWPPs are designed to detect and respond to threats against cloud workloads. They monitor cloud environments for suspicious activity and provide real-time alerts on potential threats.
- Cloud Security Posture Management (CSPM): CSPM solutions are designed to proactively identify and remediate security issues in cloud environments. They can detect misconfigured cloud settings and provide recommendations for secure configuration.
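The DoH evasion described above, and the kind of monitoring a CWPP performs, can be illustrated with a small detector, added here as an example that is not taken from the article or from any vendor product: it reads AWS VPC flow-log records (a constructed sample is embedded) and reports workloads that open TCP/443 to well-known public DoH resolvers, since the encrypted queries hide which names were looked up but not where the connection went. The field layout, the resolver address list and the sample addresses are assumptions of the example.

```python
"""Spot DoH from cloud workloads using flow metadata only: the TLS payload hides
the lookups, but a workload that should use the VPC resolver has no business
opening TCP/443 to a public DNS address, and VPC flow logs still record that."""
from dataclasses import dataclass, field

# Anycast addresses of public resolvers that serve DoH on port 443.
DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4",            # Google Public DNS
                 "1.1.1.1", "1.0.0.1",            # Cloudflare
                 "9.9.9.9", "149.112.112.112"}    # Quad9

# Constructed sample in the default AWS VPC flow-log (version 2) layout:
# version account eni src dst srcport dstport proto pkts bytes start end action status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 8.8.8.8 49512 443 6 14 2900 1675000000 1675000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 1.1.1.1 49520 443 6 9 1800 1675000010 1675000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.0.2 49530 53 17 2 190 1675000020 1675000080 ACCEPT OK
2 123456789012 eni-0f6e5d4c 10.0.2.40 203.0.113.10 51000 443 6 20 8000 1675000030 1675000090 ACCEPT OK
2 123456789012 eni-0f6e5d4c 10.0.2.40 8.8.8.8 51010 53 17 2 180 1675000040 1675000100 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1675000050 1675000110 - NODATA
"""

@dataclass
class DohFinding:
    src: str
    resolvers: set = field(default_factory=set)
    flows: int = 0
    total_bytes: int = 0

def parse_flow(line):
    f = line.split()
    if len(f) < 14 or f[13] != "OK":   # drops header, NODATA and SKIPDATA rows
        return None
    return f[3], f[4], int(f[6]), int(f[7]), int(f[9])   # src, dst, dport, proto, bytes

def detect_doh(log_text, resolvers=DOH_RESOLVERS):
    """Group TCP/443 flows to known DoH resolvers by source address.
    Plain UDP/53 to the same addresses (10.0.2.40 above) bypasses the VPC
    resolver but is not DoH, so it is deliberately not reported here."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, dport, proto, nbytes = rec
        if proto == 6 and dport == 443 and dst in resolvers:
            fnd = findings.setdefault(src, DohFinding(src))
            fnd.resolvers.add(dst)
            fnd.flows += 1
            fnd.total_bytes += nbytes
    return findings
```

Run against `SAMPLE_FLOW_LOG`, `detect_doh` reports only 10.0.1.23, with two flows totalling 4700 bytes to 8.8.8.8 and 1.1.1.1; a real deployment would baseline any workloads that legitimately use DoH before alerting.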
Cloud providers such as Amazon and Microsoft also include security features and functions in their services, such as encryption, identity and access management, and threat detection and response.
The rise of cryptojacking campaigns targeting cloud infrastructure is a growing concern for both cloud providers and adopters. The ease of access to cloud services, combined with weak default security settings and a lack of understanding of the specific risks in the cloud, has made it a prime target for threat actors looking to monetize computing power.
Threat actors are becoming more sophisticated and will likely move from cryptomining to more lucrative attacks in the future, so it is essential for organizations to stay aware of the evolving threat landscape.