Cryptojacking: Free Money for Attackers, Huge Cloud Bill for You

Cryptojacking attacks can cost victims hundreds of thousands of dollars with minimal effort from attackers. Cryptomining refers to the computational act of validating transactions on a blockchain. Miners are rewarded with cryptocurrency for performing these calculations. Cryptojacking is when threat actors use stolen cloud resources to avoid paying for the necessary servers and power, the cost of which typically outweighs the profits.

Cryptojackers make $1 for every $53 their victim is billed.

Who Are Cryptojackers Going after?

Everyone has a target on their back. Cryptojackers don’t necessarily know or care who they are stealing from. They are simply looking for free money, and most have heavily automated their approach. They constantly scan the public internet looking for unprotected or vulnerable resources. Vulnerable systems are often compromised within minutes of being brought online.

For example, TeamTNT, one of the most prevalent cryptojacking organizations, targets exposed Docker APIs, Kubernetes, and Redis deployments. The list of potentially exploitable systems is limitless. The Sysdig Threat Research Team reported that TeamTNT alone collected at least $8,100 in cryptocurrency, amounting to $430,000 in cloud costs for their victims.

What’s with All the Different Coins?

When planning a cryptojacking campaign, the threat actor must consider which cryptocurrency to mine and which compute infrastructure to target. There are thousands of cryptocurrencies to choose from, but for illicit operations, a “privacy” coin is preferred. Privacy coins, such as Monero (XMR), are designed to be resistant to blockchain analysis that would allow tracing of where the coins are transferred, which makes them attractive to cybercriminals. A wallet of stolen Monero is analogous to funds stolen from a bank — without an ink pack.

However, privacy coins are not entirely untraceable. The cryptowallets and mining pools can still be exposed and examined by investigators and security researchers. Mining programs will often expose the wallet in a configuration file or on the command line. Mining pools are used to combine the resources of a number of cryptominers to reliably earn rewards. To achieve this, miners must connect to the pool over the network, and that connection can be used to get more information about the campaign.

Cryptomining algorithms are optimized for different types of hardware. For example, Bitcoin can be mined more effectively on GPUs while a cryptocurrency called ZCash was designed for CPUs. Monero performs well on both GPUs and CPUs, but GPU cryptojacking targets are harder to come by. There are tradeoffs between privacy features and mining efficiency, but because the threat actor isn’t paying the electric bill, they don’t need to be very concerned with this optimization and can simply make up for it in scale. Mining privacy coins like Monero on CPU instances is usually the most effective approach for threat actors. It lowers the risk to the perpetrator while still generating a steady stream of income.

Let’s Talk about the Pickaxe

XMRig is one of the most popular families of mining software. It can mine many different coins on various types of hardware. Its versatility makes it very popular among cryptojackers. However, XMRig presents some issues by exposing the wallet and mining pool information. To mitigate these risks, a proxy server was developed called XMRig-proxy. This allows the wallet address to be stored in the proxy server and also hides the mining pool since it’s hosted on an attacker-controlled server. When deployed, XMRig-proxy adds another layer of obfuscation to what is inherent in privacy coins and makes investigation more difficult.
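As an added example (not code from the original article or from Sysdig), the following sketch shows how a responder can pull the pool endpoint and wallet out of XMRig-style command lines and a `config.json`, the two places the article says this information is exposed. The sample process lines, host names, and wallet string are constructed placeholders; the third sample mimics a proxy-fronted miner, where only the attacker-controlled endpoint is recoverable from the host.

```python
import json
import re
import shlex

# Monero standard addresses/subaddresses: 95 base58 chars starting with 4 or 8.
XMR_ADDR = re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")
POOL_URL = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+):(\d{2,5})$")

def _finding(source, url, user):
    m = POOL_URL.match(url or "")
    return {
        "source": source,
        "endpoint": f"{m.group(1)}:{m.group(2)}" if m else url,
        "wallet": user if user and XMR_ADDR.match(user) else None,
    }

def from_cmdline(cmdline):
    """Extract pool/user from XMRig-style -o/--url and -u/--user flags."""
    args = shlex.split(cmdline)
    opts = {}
    for i, a in enumerate(args):
        key, _, val = a.partition("=")
        if key in ("-o", "--url", "-u", "--user"):
            name = "url" if key in ("-o", "--url") else "user"
            opts[name] = val or (args[i + 1] if i + 1 < len(args) else None)
    return _finding("cmdline", opts.get("url"), opts.get("user")) if "url" in opts else None

def from_config(text):
    """Extract pool/user pairs from an XMRig config.json 'pools' array."""
    pools = json.loads(text).get("pools", [])
    return [_finding("config", p.get("url"), p.get("user")) for p in pools]

# Constructed sample data: the wallet is a placeholder, not a real address.
FAKE_WALLET = "4A" + "b" * 93
SAMPLE_PS = [
    "/usr/sbin/nginx -g 'daemon off;'",
    f"/tmp/.x/kworker -o stratum+tcp://pool.example.net:3333 -u {FAKE_WALLET} -p x --donate-level=1",
    "/var/tmp/sysupd --url=203.0.113.7:8080 --user=node17",  # proxy-style: no wallet on host
]
SAMPLE_CONFIG = json.dumps({"pools": [{"url": "pool.example.net:443", "user": FAKE_WALLET, "pass": "x"}]})

if __name__ == "__main__":
    for line in SAMPLE_PS:
        print(from_cmdline(line))
    print(from_config(SAMPLE_CONFIG))
```
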

There are two ways to run a cryptojacking campaign: compromise existing compute instances and install as many miners as they will accommodate, or compromise a cloud account and attempt to create new compute instances to run as many miners as desired. Sysdig TRT has observed many instances where cryptojacking groups harvested cloud credentials and used them to spin up additional cloud computing resources until they hit the limits of the credit cards on file.

This approach maximizes attacker profits and can result in massive costs to the victim. There is nothing stopping a threat actor from using both methods, of course. For example, TeamTNT installs miners on compromised systems while also looking for cloud credentials to spin up more.

“The cost of mining 1 XMR on a single AWS EC2 instance is roughly $11,000.”

How Long Will This Continue?

Cryptojacking isn’t likely to go away anytime soon. Even as the crypto markets plummet and coins become less valuable, the attackers have little to no expenses to worry about, so a tiny profit is still all profit. Some may even increase operations to make up the difference. The industry remains largely unregulated, so it’s relatively easy for the attackers to turn cryptocurrency into real money.

Cryptojacking has the ideal ratio of low effort and low risk to high reward, while enabling near-instant monetization of stolen infrastructure upon gaining access. Traditional tactics, such as ransomware extortion, require longer persistence, the ability to sell their access to a broker or customer, and/or the capability to complete the criminal transaction without engaging law enforcement.

What Does This Mean for Me?

Most cryptojacking attacks are opportunistic. Malicious actors are simply trying to compromise anyone vulnerable to their exploit of choice. There is no targeting, and the attacks are not sophisticated. Defending against opportunistic attacks requires proper preventative controls like vulnerability and configuration management. Identity and access management is a must for avoiding the worst-case scenario of attacker-provisioned instances mining on your cloud accounts at a massive scale. Threat detection can also be highly effective, as many cloud providers and third-party cloud security tools are starting to offer algorithms for identifying and blocking cryptojacking attacks.
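One way to detect the worst-case scenario of attacker-provisioned instances is to watch cloud audit logs for a single principal launching many instances, or launching across many regions, in a short window. The following is an added example, not part of the original article: it applies that check to AWS CloudTrail `RunInstances` records. The thresholds, account ID, principals, and events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def requested(event):
    """Instances requested by one RunInstances call (sum of maxCount)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items) or 1

def flag_launch_bursts(events, window=timedelta(minutes=30), max_instances=10, max_regions=2):
    """Map principal ARN -> worst window that exceeded either threshold."""
    calls = defaultdict(list)
    for e in events:
        if e.get("eventName") == "RunInstances" and "errorCode" not in e:
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            calls[e["userIdentity"]["arn"]].append((ts, e["awsRegion"], requested(e)))
    alerts = {}
    for arn, rows in calls.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window forward
                start += 1
            span = rows[start:end + 1]
            total, regions = sum(r[2] for r in span), sorted({r[1] for r in span})
            over = total > max_instances or len(regions) > max_regions
            if over and total > alerts.get(arn, {"instances": 0})["instances"]:
                alerts[arn] = {"instances": total, "regions": regions}
    return alerts

def _event(time, arn, region, count):
    # Constructed record with only the CloudTrail fields this check reads.
    return {"eventTime": time, "eventName": "RunInstances", "awsRegion": region,
            "userIdentity": {"arn": arn},
            "requestParameters": {"instancesSet": {"items": [{"minCount": count, "maxCount": count}]}}}

CI = "arn:aws:iam::111122223333:role/ci-runner"        # constructed principals
LEAKED = "arn:aws:iam::111122223333:user/deploy-bot"
SAMPLE_EVENTS = [
    _event("2024-01-10T09:00:00Z", CI, "us-east-1", 2),
    _event("2024-01-10T14:00:00Z", CI, "us-east-1", 2),
    _event("2024-01-11T03:01:00Z", LEAKED, "us-east-1", 20),
    _event("2024-01-11T03:03:00Z", LEAKED, "eu-west-1", 20),
    _event("2024-01-11T03:06:00Z", LEAKED, "ap-southeast-1", 20),
    _event("2024-01-11T03:09:00Z", LEAKED, "sa-east-1", 20),
]

if __name__ == "__main__":
    print(flag_launch_bursts(SAMPLE_EVENTS))
```

In practice the thresholds should be tuned to each account's normal launch volume, and the same alert is a natural trigger for revoking the principal's credentials.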

So far, cloud providers have been fairly generous in forgiving large bills incurred due to malicious cryptomining. This is unlikely to continue as the popularity of cryptojacking continues to rise. Ultimately, the damage — financial or otherwise — due to the exploitation of workloads in the cloud is the account holder’s responsibility, so your organization must take the necessary steps to ensure you are protected.
