Cryptojacking is slowly making a comeback, with attackers using various schemes to steal processing power from cloud infrastructure in order to mine cryptocurrencies such as Bitcoin and Monero.
According to Sysdig, a cloud-native security provider, cryptominers are taking advantage of the free trials offered by some of the largest continuous integration and deployment (CI/CD) services to deploy and distribute code, effectively building a mining platform out of trial accounts. Cybersecurity services firm CrowdStrike warned this week that attackers have targeted improperly configured Kubernetes and Docker instances to gain access to host systems and run cryptomining software.
Manoj Ahuje, senior threat researcher for cloud security at CrowdStrike, said both tactics are simply trying to capitalize on the rise of digital currencies at someone else’s expense.
“It’s essentially free computing as long as the compromised workload is available. For cryptominers, it’s a win in itself, as it brings the cost of input to zero,” he says. “And…if attackers can effectively compromise many such workloads by crowdsourcing compute for mining, they will reach their goals faster and be able to mine more in the same amount of time.”
Despite the plummeting value of cryptocurrencies over the past 11 months, cryptocurrency mining activity has continued to grow. Bitcoin, for example, is down 70% from its November 2021 peak, which has hurt many cryptocurrency-based services. But the latest attacks show that cybercriminals are still going after the easiest targets available.
Compromising a provider’s cloud infrastructure may seem harmless to your business, but the cost of such hacks gradually trickles down. Sysdig estimates that attackers typically earn only $1 for every $53 in costs paid by the cloud infrastructure owner. For example, Sysdig estimates that mining a single Monero coin using GitHub’s free trial would cost the company more than $100,000.
However, companies may not initially recognize the harm done by cryptomining, says Sysdig threat researcher Crystal Morin.
“Stealing someone’s infrastructure, stealing data from a company, etc., does not harm anyone directly, but if this is expanded or other groups take advantage of this type of operation, that is, ‘freejacking,’ it can start to hurt these providers financially and affect users on the back end, causing free trials to disappear or forcing legitimate users to pay more. It’s a lot,” she says.
Cryptominers Everywhere
The latest attack, dubbed PURPLEURCHIN by Sysdig, appears to be an attempt to build a cryptomining network out of as many services as possible that offer free trials. Sysdig researchers found that the cryptomining network uses 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts. The cybercrime group downloads Docker containers and runs JavaScript programs to load them into specific containers.
Michael Clark, director of threat research at Sysdig, attributed the attack’s success to the group’s efforts to automate as much of the operation as possible.
“They have really automated the activity of getting new accounts,” he says. “They use CAPTCHA bypass, both visual bypass and audio versions of it. They create new domains and host their email servers on the infrastructure they build. will start a number of containers with.”
For example, GitHub offers 2,000 free GitHub Action minutes per month under the free tier, which can account for up to 33 hours of execution time across all accounts, Sysdig said in its analysis.
Kiss-a-Dog
The cryptojacking campaign CrowdStrike discovered targets vulnerable Docker and Kubernetes infrastructure. Known as Kiss-a-Dog, the campaign uses multiple command-and-control (C2) servers for resilience and rootkits to evade detection. It also includes other capabilities, such as placing backdoors in compromised containers and using further techniques to ensure persistence.
The attack techniques are similar to those of other groups CrowdStrike has investigated, such as LemonDuck and WatchDog. However, most of the tactics most closely resemble those of TeamTNT, which also targets vulnerable and poorly configured Docker and Kubernetes infrastructure, CrowdStrike said in its advisory.
While such an attack may not feel like a breach, businesses should take any sign of attackers gaining access to their cloud infrastructure seriously, says CrowdStrike’s Ahuje.
“When an attacker runs a cryptominer in your environment, this is a sign that the first line of defense has failed,” he says. “Cryptominers leave no stone unturned in exploiting this attack surface to their advantage.”