Threat actors are compromising cloud accounts to create distributed workloads for crypto mining, compromising misconfigured and vulnerable cloud instances to execute Distributed Denial of Service (DDoS) attacks, and abusing trial accounts at DevOps service providers.
A Romanian group, dubbed Outlaw, compromises Internet of Things (IoT) devices, Linux servers, and containers by crudely exploiting known vulnerabilities and using stolen or default credentials to mine the Monero digital currency or execute DDoS attacks. A more sophisticated group, TeamTNT, targets vulnerable software services; it stepped up its attacks starting last November even while claiming it would stop operations. And the Kinsing group maintains an impressive number of exploits in the cloud and quickly transitioned to the Log4j exploit in December, according to a report published by Trend Micro on March 29.
The attacks should be a warning sign to companies that their security controls aren’t working well in the cloud, says Stephen Hilt, principal threat researcher at Trend Micro.
“The number of misconfigured cloud instances is high and these groups are taking advantage of it,” he says. “The systems haven’t been changed by the attackers, so this doesn’t set off any red flags for things like changing passwords, adding your mining software and scripts, and leaving everything else untouched. If you’re not paying on demand, it will likely be a long time before you notice their activities, specifically the groups that set limits on the resources that miners can use.”
Other attackers have found ways to exploit the free tier of continuous integration, continuous deployment (CI/CD) pipeline services, such as Azure DevOps, BitBucket, CircleCI, GitHub, GitLab, and TravisCI, and bundle the transient workloads into a pooled crypto-mining service, according to cloud security company Aqua Security. In one case, an attacker used multiple six-hour build steps to add processor cycles to a pooled mining service, according to a blog post published by the company last week.
The attacks are easy to spot on paper, but they strike at the heart of the cloud model, where offering developers trial accounts or a free tier spurs usage and subscriptions and is an essential business practice. Adding barriers could hamper the future growth of cloud services or make developers less likely to try new services, says Mor Weinberger, a software engineer on Aqua Security’s Argon team.
“Even when barriers are put in place, advanced players can still bypass them,” he says. “Going forward, I believe platforms will substantially strengthen their defenses against crypto mining attacks and threat actors will seek more profitable and less resilient targets.”
The research highlights that attackers are finding ways to compromise and monetize cloud offerings that differ from the tactics used to compromise and monetize devices, desktops, and servers. Access-as-a-service groups, for example, often use compromised cloud accounts to run crypto miners or DDoS attacks as a way to generate additional revenue.
Cybercriminal “Capture the Flag”
Different groups also compete for cloud resources. TeamTNT, for example, appears to have specifically targeted systems already compromised by a rival cryptocurrency mining group known as Kinsing, according to the Trend Micro report. Meanwhile, Outlaw recently created a tool to find and remove utilities and settings used by other mining gangs to compromise cloud services, according to the report.
“They are fighting for the sake of which group owns the box: they want all the resources for mining to go to [them], not the other groups,” says Trend Micro’s Hilt. “This leads to them kicking each other out, cleaning each other’s malware and scripts, and trying to maintain the box themselves. Effectively, the attackers are playing a criminal game of capture the flag on your infrastructure.”
Many companies might consider the attacks less serious, as they may not impact operations or customer privacy, but having visibility into cloud instances to detect such attacks is critical, says Hilt.
Additionally, cloud services can quickly find their resources overwhelmed if attackers can automate crypto mining as part of a CI/CD pipeline, says Aqua Security’s Weinberger. Because the yield of the attack scales with the number of accounts the attackers control, threat actors will often create multiple accounts and pipelines on different platforms, he says.
“This also helps them avoid being banned entirely in case some of their accounts are detected by the platforms,” Weinberger adds.
Enterprises and cloud services should focus on visibility as a first step to prevention, using account maturity to enable higher utilization and detect indications of mining-based processes and network telemetry, he says.
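The visibility Hilt and Weinberger describe comes down to correlating two telemetry sources: process command lines and outbound network sessions. The script below is an added example, not code from the article, Trend Micro, or Aqua Security. It runs over constructed sample records, and the indicator set (stratum pool URL scheme, miner-style command-line flags, ports commonly used by public mining pools) is an assumption chosen for illustration rather than anything the report lists.

```python
"""Flag crypto-mining indicators in process and connection telemetry.

Added example with constructed sample data; the indicator lists are
assumptions for illustration, not from the article or the cited reports.
"""
import re
from dataclasses import dataclass

# Assumed indicators: the stratum URL scheme used by mining pools, flags
# typical of miner binaries, and ports often used by public pools.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
MINER_FLAG_RE = re.compile(
    r"(--donate-level|--algo[= ]|-a\s+(cryptonight|rx/0|randomx))", re.IGNORECASE
)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
LONG_SESSION_S = 900  # a pool session is long-lived; short probes are ignored

@dataclass
class Finding:
    host: str
    source: str   # "process" or "network"
    reason: str
    evidence: str

# Constructed sample telemetry (not real hosts or wallets).
SAMPLE_PROCESSES = [
    {"host": "build-runner-01", "pid": 4127,
     "cmdline": "/tmp/.cache/xmrig -o stratum+tcp://pool.example:4444 -u WALLET --donate-level=1"},
    {"host": "web-03", "pid": 812, "cmdline": "/usr/sbin/nginx -g daemon off;"},
    {"host": "build-runner-02", "pid": 5520, "cmdline": "python3 miner.py --algo rx/0 --threads 16"},
]
SAMPLE_CONNECTIONS = [
    {"host": "build-runner-01", "dst_port": 4444, "duration_s": 5400, "bytes_out": 120000},
    {"host": "web-03", "dst_port": 443, "duration_s": 2, "bytes_out": 3000},
    {"host": "db-01", "dst_port": 5555, "duration_s": 20, "bytes_out": 800},  # too short to flag
]

def scan_processes(records):
    """Return a Finding for each process whose command line looks like a miner."""
    findings = []
    for rec in records:
        cmd = rec["cmdline"]
        if STRATUM_RE.search(cmd):
            findings.append(Finding(rec["host"], "process", "stratum pool URL in command line", cmd))
        elif MINER_FLAG_RE.search(cmd):
            findings.append(Finding(rec["host"], "process", "miner-style command-line flag", cmd))
    return findings

def scan_connections(records):
    """Return a Finding for each long-lived outbound session to a pool port."""
    findings = []
    for rec in records:
        if rec["dst_port"] in POOL_PORTS and rec["duration_s"] >= LONG_SESSION_S:
            evidence = f"port {rec['dst_port']} open for {rec['duration_s']}s"
            findings.append(Finding(rec["host"], "network", "long-lived session to pool port", evidence))
    return findings

def triage(processes, connections):
    """Rate each host: 'high' when process and network evidence agree, else 'medium'."""
    by_host = {}
    for f in scan_processes(processes) + scan_connections(connections):
        by_host.setdefault(f.host, []).append(f)
    return {
        host: "high" if {f.source for f in fs} == {"process", "network"} else "medium"
        for host, fs in by_host.items()
    }

if __name__ == "__main__":
    for host, level in triage(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS).items():
        print(f"{host}: {level}")
```

Running the script on the sample data rates build-runner-01 as "high" (miner command line plus a 90-minute session to a pool port) and build-runner-02 as "medium" (command line only); db-01 is not flagged because a 20-second connection to a pool port is too weak a signal on its own. The point of requiring both sources before calling a host "high" is the one Hilt makes: a miner that touches nothing else on the box leaves few other traces, so the network side is what confirms the process side.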