How cryptomining is the attack vector du jour – as hackers increasingly target cloud infrastructure

James has more than a decade of experience as a tech journalist, writer and editor, and served as Editor in Chief of TechForge Media between 2017 and 2021. James was named as one of the top 20 UK technology influencers by Tyto, and has also been cited by Onalytica, Feedspot and Zsah as an influential cloud computing writer.

Updated July 30 Cryptojacking is on the way to replacing ransomware as the biggest threat for consumers and enterprises – and new research reveals the size of the effect crypto is having on cloud infrastructures.

Cyber security firm Check Point Software, in its 'Cyber Attack Trends: 2018 Mid-Year Report', found that in the first half of this year, the number of organisations impacted by cryptomining malware doubled to 42%, compared with 20.5% from the second half of 2017.

What's more, the top three most common malware variants in the first half of this year were all cryptominers. At the most recent RSA Conference, the SANS Institute presented its list of the five newest dangerous attack vectors; cloud storage, and data leakage and monetisation of compromised systems via cryptominers both made the list.

The report asserts that 'a number of sophisticated techniques and tools' have been deployed against cloud storage services. Many of these attacks come about due to organisations' own poor security practices, but others, such as cryptomining, are leveraging cloud infrastructure leading to much greater profits for threat actors.

There have been examples of the latter this year. In February, security monitoring firm RedLock disclosed that hackers had been running cryptomining scripts on unsecured Kubernetes instances owned by Tesla. As the researchers put it at the time, the focus has changed from stealing data to stealing compute power in organisations' public cloud environments.

The top cryptominers are Coinhive, which mines the Monero cryptocurrency, has affected 12% of organisations worldwide, Cryptoloot, a JavaScript miner, and JSEcoin, a web-based crypto miner.

The position of the latter in the same malicious bracket as Coinhive et al came as something of a surprise to the company. In an email to CloudTech Matthew Vallis, chief strategy officer at JSEcoin, said the company was ‘in no way affiliated to Coinhive or Monero’, adding that its web-based mining (pdf, whitepaper) was opt-in only. “The only similarity with Monero/Coinhive is that it is browser-based mining,” Vallis wrote. “We are an ethically run and environmentally friendly business that is trying to rectify the damage that [those companies] have done to the industry.”

Maya Horowitz, threat intelligence group manager at Check Point, noted that attacks on cloud infrastructure and cryptomining were the latest generation of cyber attacks, which the company calls 'gen V.' "These multi-vector, fast-moving, large scale Gen V attacks are becoming more and more frequent, and organisations need to adopt a multi-layered cybersecurity strategy that prevents these attacks from taking hold of their networks and data," said Horowitz.

Writing for this publication in May, Paolo Passeri, cyber intelligence principal at Netskope, said that while cryptomining campaigns were becoming bigger and more persistent, organisations could mitigate risk by using several methods. Companies could enforce policies such as scanning all uploads from unmanaged and remote devices to sanctioned cloud applications, to blocking unsanctioned instances of sanctioned cloud apps.

You can read the full report here (email required).

Update: A previous version of this article, based on the original research report, inferred that JSEcoin mined cryptocurrency without users’ consent. This has since been corrected. in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *