Cybercrime as a business model
The targeted abuse of cloud structures is financially worthwhile. Besides ransomware, cryptominers have spread very strongly. While ransomware is designed as a selective and self-destructive action, cryptominers behave inconspicuously in order to remain on a system for as long as possible. Secretly, the computing power of the victim systems is used to mine cryptocurrencies.
According to the Verizon Data Breach Report 2020, 86% of data breaches were financially motivated, and most were carried out by external, organized attackers. This trend has now evolved: Attackers have found new possible targets for crypto-mining attacks in container-based cloud resources.
Efficient Docker environments as a new target
Docker is a special cloud environment that works with so-called containers. Compared to conventional virtualization solutions, this variant is particularly slim. Common areas such as the operating system, kernel and libraries are used by all guests and therefore only need to be present once on a system. The containers contain only specific programs and code, without the ballast of the entire operating system. This way they stay slim and can be started and ended in no time.
Countless instances can run on a Docker host system and change very quickly and dynamically according to load and demand. Criminals increasingly exploit this advantage by hiding their own cryptomining containers in the multitude of instances.
Study shows 250% increase in attacks
Aqua Security, which specializes in the operational support of these cloud environments, has now published a study on current malware and attack strategies. Attackers were lured with so-called honeypots (systems that deliberately contain weak points), and attacks were observed and evaluated for a year. Starting from five attacks per day on a system in 2019, the number of attacks increased to 29 in 2020.
In most cases, known vulnerabilities on the container host systems were exploited. In 95% of the attacks, cryptomining routines were started in guest containers. The attacks themselves were mixed: in the beginning the researchers saw more “amateur” attacks, but over time a significant “professionalization” took place. Currently, a variety of methods and strategies is used to place these systems as unobtrusively as possible between many customer systems. The criminals mostly mined “Monero”, which, in contrast to Bitcoin, is much more anonymous and therefore more difficult to trace.
Does Crypto-Mining pay off?
The observed systems earned about 8,000 US dollars a year thanks to resource theft. With a corresponding number of such systems, six-digit amounts can easily be achieved. Increasing numbers of cloud systems are already leading to an increased number of crypto-miners – security managers should therefore keep this danger in mind.
Current malware variants are able to actively evade detection in order to remain on the target system for as long as possible. Adapting the names of the instances and reloading the malware were only two of the methods observed. Even if cryptomining doesn’t seem to cause any damage at first glance, the additional resources consumed result in a long-term financial disadvantage for those affected. Some systems also contained scripts that allow participation in denial-of-service attacks.
Attack strategies and possible countermeasures
The developments observed show how important it is to introduce precise controls on the underlying infrastructure and resources used in public cloud systems. It is essential that the underlying host systems run up-to-date software, that management access is restricted and well monitored, and that all individual instances are subject to regular checks.
Attackers have rapidly evolved their methods over the year. Initially, the attackers simply searched for cloud servers with weak passwords, soon followed by exploiting management and software vulnerabilities in the Docker environment. The latest development attacks the supply chain itself: ready-made container templates with well-hidden cryptomining scripts were found in public libraries on the Internet. If these ready-made infected instances are used productively, such a system can run unnoticed for a long time.
Therefore, do not use ready-made container instances from insecure sources, but prefer self-created and tested systems. The malware is so sophisticated that it loads relevant and suspicious code only after it has been deployed, in order to avoid detection as long as possible. Accordingly, it is also important to restrict access from the server itself towards the Internet, to monitor it well and to react to the smallest anomalies that could point to a cryptominer.
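One way to run the regular instance check recommended above, as an added example that is not part of the original article: it parses the output of `docker ps --format '{{json .}}'` and flags containers whose image comes from outside an approved registry or is not pinned by digest. The registry name, container names and digest are constructed assumptions.

```python
import json

# Assumption: the registry holding self-built, tested images (hypothetical name).
APPROVED_REGISTRIES = {"registry.internal.example"}

def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker treats the first component as a registry host only if it contains
    # '.' or ':' or is 'localhost'; anything else resolves to Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    repo, colon, tag = path.rpartition(":")
    if not colon:
        repo, tag = path, ""
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # official Hub images live under library/
    return registry, repo, tag, digest

def audit_containers(ps_json_lines, approved=APPROVED_REGISTRIES):
    """Return {container name: [findings]} for containers that need review."""
    report = {}
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        registry, repo, tag, digest = parse_image_ref(c["Image"])
        findings = []
        if registry not in approved:
            findings.append(f"image from unapproved registry {registry}/{repo}")
        if not digest:
            findings.append(f"not pinned by digest (tag '{tag or 'latest'}' can change)")
        if findings:
            report[c["Names"]] = findings
    return report

PINNED = "sha256:" + "0" * 64  # constructed placeholder digest
# Constructed sample of `docker ps --format '{{json .}}'` output, one object per line.
SAMPLE = "\n".join(json.dumps(c) for c in [
    {"ID": "a1", "Image": "registry.internal.example/shop/api@" + PINNED, "Names": "shop-api"},
    {"ID": "b2", "Image": "registry.internal.example/shop/web:1.4", "Names": "shop-web"},
    {"ID": "c3", "Image": "nginx", "Names": "nginx-proxy"},
    {"ID": "d4", "Image": "someuser/ubuntu:latest", "Names": "ubuntu-base"},
])

if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

A familiar-looking container name such as `ubuntu-base` says nothing about where the image came from; the check relies on the image reference, not the name.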
IKARUS Security Software GmbH