
Examining the Activities of Cloud-Based Cryptocurrency-Mining Groups

by GRSoft Solutions IT Solution
The allure of unauthorized cryptocurrency mining for malicious actors is easy to understand: For less effort than running a full-blown campaign, they can essentially “print money” by using their victims’ resources, at no cost to them other than the work they exert to compromise the systems.
A recent trend among malicious actors engaged in cryptocurrency-mining activities has been to focus their efforts on the cloud. While GPU-based mining remains the preferred method for most legitimate cryptocurrency miners because of its higher profitability, the scalability of the cloud allows CPU-based mining to become profitable, especially when attackers manage to compromise a large number of cloud-connected machines.
In our research paper “A Floating Battleground: Navigating the Landscape of Cloud-Based Cryptocurrency Mining,” we take a look at the landscape of cloud-based cryptocurrency-mining attacks, focusing on the most prominent groups in this space, their battle for cloud resources, and the impact attacks could have on organizations.

  1. The repercussions of a cloud-based cryptocurrency-mining attack extend beyond resource costs. The most obvious impact of a cloud-based cryptocurrency-mining attack on an organization is the resource consumption and cost. Based on our experiment in which we deployed the Monero miner XMRig on one of our systems, we saw a significant spike in CPU utilization rate from an average of 13% to 100%. This would translate to a jump in electricity cost from US$20 to US$130 per month, a roughly 600% increase, for a single cloud instance. Multiplying this by the typically large number of instances controlled by an organization, we would get a huge electric bill in the aggregate.
    In addition to the resource costs, a cryptocurrency miner infection could slow down and disrupt the online services of a business. This aspect could actually be more damaging, as it could affect the bottom line and lead to customer dissatisfaction and reputation loss as well as revenue decline. Beyond the direct monetary impact of an attack, the presence of a cryptocurrency miner in a company’s system also serves as a sign that there are deeper issues in the cloud infrastructure. At first glance, a cryptocurrency-mining attack might not seem as serious a threat as data exfiltration or a ransomware infection. But the method with which malicious actors enter a target’s system is practically the same: They exploit a flaw or weakness that the organization’s security implementation does not or cannot cover. In essence, we can view a successful cryptocurrency-mining attack as not just a singular cybersecurity incident but as something akin to a canary in a coal mine, that is, it serves as an indicator of poor security hygiene. The tools and techniques used by cryptocurrency-mining groups to gain access to their targets’ systems can also be used by other groups for their own malicious — and perhaps more damaging — purposes. 
  2. Cloud-based cryptocurrency-mining groups are varied. Cryptocurrency-mining groups enter cloud deployments through similar methods, typically through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation. However, each group more or less has its own unique traits, from its skill level and experience to the tools and techniques it uses, that set it apart from other groups. The threat actor group known as Outlaw, for instance, has not changed much from its original campaign. The group tries to gain a foothold in a target’s system either by exploiting vulnerabilities in internet-of-things (IoT) devices and Linux servers or simply by using SSH (Secure Shell) brute-force attacks, after which it installs an IRC (Internet Relay Chat) bot for remote operations. In this case, it seems that Outlaw prefers to keep quiet and keep on doing what works. Other groups such as Kinsing and 8220 prefer to lie low and let their actions do the talking. Despite not being as active in the public eye as groups like TeamTNT, these two groups are actually the most active among the ones we analyzed, with beacons to their servers reaching at least 1,000 per month.
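The two indicators the article names, a sustained CPU spike from the 13% baseline (point 1) and SSH brute-force attempts as the entry vector (point 2), are both cheap to check from host telemetry. The following is an added example written for this page, not code from the research paper or from any of the groups described: it flags a source IP that fails SSH logins repeatedly within a short window (and notes whether a successful login followed the burst), and it flags a run of CPU samples that jump well above the observed baseline. The sshd log lines and CPU samples are constructed sample data in syslog format; the thresholds are assumptions a deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (sample data, not from the article).
# One source fails five logins in four seconds and then succeeds; another
# source has a single typo followed by a normal key-based login.
SAMPLE_AUTH_LOG = """\
May  5 05:18:01 host sshd[2101]: Failed password for root from 203.0.113.10 port 51234 ssh2
May  5 05:18:02 host sshd[2102]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
May  5 05:18:03 host sshd[2103]: Failed password for root from 203.0.113.10 port 51236 ssh2
May  5 05:18:04 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.10 port 51237 ssh2
May  5 05:18:05 host sshd[2105]: Failed password for root from 203.0.113.10 port 51238 ssh2
May  5 05:18:06 host sshd[2106]: Accepted password for root from 203.0.113.10 port 51239 ssh2
May  5 05:20:00 host sshd[2107]: Failed password for alice from 198.51.100.7 port 40000 ssh2
May  5 05:20:30 host sshd[2108]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Constructed CPU utilization samples (percent), one per collection interval.
SAMPLE_CPU = [12, 14, 13, 12, 14, 13, 15, 99, 100, 100, 100]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(lines):
    """Return (timestamp, result, user, ip) tuples for recognised sshd lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults; only deltas are used
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failed_logins", "distinct_users", "success_after_burst"}}.
    success_after_burst is the high-priority case: a credential was guessed.
    """
    by_ip = defaultdict(list)
    for ev in parse_sshd(lines):
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e[0] for e in evs if e[1] == "Failed"]
        burst_end = None
        start = 0
        for end in range(len(failures)):  # sliding window over failure times
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]
                break
        if burst_end is None:
            continue
        findings[ip] = {
            "failed_logins": len(failures),
            "distinct_users": len({e[2] for e in evs if e[1] == "Failed"}),
            "success_after_burst": any(e[1] == "Accepted" and e[0] >= burst_end for e in evs),
        }
    return findings


def detect_cpu_spike(samples, baseline_count=6, ratio=3.0, min_pct=80, min_sustained=3):
    """Compare later samples against the average of the first baseline_count samples.

    A spike is reported once min_sustained consecutive samples are both at least
    ratio times the baseline and at least min_pct, so a brief burst is ignored.
    Returns a dict describing the spike, or None.
    """
    if len(samples) <= baseline_count:
        return None
    baseline = sum(samples[:baseline_count]) / baseline_count
    cutoff = max(baseline * ratio, min_pct)
    run = 0
    for i in range(baseline_count, len(samples)):
        if samples[i] >= cutoff:
            run += 1
            if run == min_sustained:
                return {"baseline_pct": baseline,
                        "spike_start_index": i - min_sustained + 1,
                        "spike_pct": samples[i]}
        else:
            run = 0
    return None


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"SSH brute force from {ip}: {info}")
    print("CPU spike:", detect_cpu_spike(SAMPLE_CPU))
```

The brute-force check keys on bursts per source rather than on a total count, so a slow trickle of failures from many hosts still needs a separate aggregate rule; the CPU check compares against the host's own baseline (13% in the article's experiment) rather than a fixed number, which is what distinguishes a miner from a legitimately busy instance.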

Created on May 5th 2022 05:18.
