Cloud Cryptojacking

Understanding a seemingly unreal threat to modern cloud systems

Cloud cryptojacking is a rapidly evolving threat that poses significant risk to organizations worldwide. This article explains cloud cryptojacking in depth: its definition, evolution, attacker motivations, business impact, mitigation strategies, and real-life attacks.

The attack happens in four stages: gaining access to resources (information gathering and then exploitation), deploying the mining malware or script, mining, and sending the mined cryptocurrency back to the attacker. More details on this later in the article!

So what is cryptojacking, actually? You might be wondering!

According to Wikipedia, “Cryptojacking is the act of exploiting a computer to mine cryptocurrencies, often through websites, against the user’s will or while the user is unaware.”

And what is mining? It is the process of solving computationally expensive puzzles (proof of work); whoever solves one gets to add a new block of verified transactions to the chain and is rewarded with newly created currency.

Cryptojacking typically involves deploying malicious scripts or malware to hijack computational resources for mining. The concept rose alongside the rise of cryptocurrencies, and cloud-based attacks have become increasingly aggressive in recent years.

Cloud cryptojacking is the unauthorized use of cloud computing resources to mine cryptocurrency. It combines a malware attack with the exploitation of co-opted computing resources: malware is used to gain access to cloud infrastructure, which is then used for mining.

Figure 1: Flow of Cryptojacking attack


The Way it works!

Attackers do not necessarily need to compromise an individual cloud server to mine cryptocurrency; they can also compromise a website, an entire infrastructure, or part of one, and inject scripts or malicious code into it. That code is designed to run mining operations covertly. Getting into a web application is often easier than penetrating an individual cloud server. The attacker injects malicious code through a known or newly discovered vulnerability, which lets them take over the system; the cryptojacking script is then executed and starts mining with the computational power of the compromised system. The mined cryptocurrency (in practice almost always Monero, whose proof of work is designed for general-purpose CPUs; Bitcoin mining needs ASICs, and Ethereum has not used proof of work since 2022) is then transmitted to the attacker’s wallet or designated address.

To avoid detection and maximize the duration of the operation, attackers may employ various evasion techniques, such as obfuscating the mining script, throttling CPU usage to stay below monitoring thresholds, periodically changing mining pools, or encrypting communications with command-and-control servers and with the pool itself.

How profitable is this for attackers?

The main benefits of abusing someone else’s cloud resources are the financial incentive, free computational power, and fluctuating crypto markets. Let’s take each of these in turn!

Cryptomining takes a huge amount of resources, which makes it financially unfeasible for many legitimate miners: the hardware and electricity cost more than the reward. Done on a system that isn’t yours, it is a complete win-win for the attacker. That’s why attackers lurk around these resources: cryptojacking generates profit without any significant upfront investment. Seen another way, widespread mining through cloud cryptojacking can also affect market dynamics, including the supply and demand equilibrium and price volatility.

The older prey of these vultures were phones, computers, servers, research centres and so on, but none of these comes close to the power a cloud environment provides. Crypto mining is energy-intensive, and it also has a negative impact on the environment.

Understanding the business impact!

Although the attack strategy is quite novel, the damage it causes is no different from classic attacks: financial losses, operational disruption, reputational damage, and regulatory and legal consequences.

Cryptojacking operations consume substantial computational resources. On-premises that means higher electricity bills; in the cloud it translates directly into a higher bill, because compute is pay-per-use and autoscaling will happily add instances to absorb the miner’s load. It also degrades system performance, causing slowdowns, crashes or unresponsiveness.

In severe cases, cryptojacking may render systems or services unavailable, affecting customer-facing platforms, e-commerce websites or internal business processes.

Organizations in regulated industries, such as finance, healthcare or government, may also face compliance challenges under data protection, privacy and cybersecurity regulations.

Figure 2: Cloud attack statistics


Measures to prevent or mitigate cryptojacking attacks

  • Prevention:

Implement access controls and the principle of least privilege to limit unauthorized access to systems and resources; in the cloud this includes scoping IAM roles and API keys so that a compromised workload cannot launch new compute on its own.

Regularly update and patch software, operating systems and applications to address known vulnerabilities.

Use firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor and filter network traffic for signs of cryptojacking activity, and restrict outbound (egress) traffic so that a compromised workload cannot reach arbitrary mining pools.

Follow security best practices for cloud environments, set budget or billing alerts (an unexplained cost spike is often the first sign of mining), and monitor cloud infrastructure for unauthorized access, unusual behaviour and resource utilization anomalies that may indicate cryptojacking.

  • Detection:

Deploy network and host monitoring to identify patterns consistent with cryptojacking, such as sustained CPU usage that does not match the workload, or unusual communication with cryptocurrency mining pools (typically the stratum protocol, JSON-RPC over TCP, commonly on ports such as 3333, 4444 or 5555, sometimes tunnelled over TLS or a proxy).

Inspect DNS requests, via DNS logs or packet capture and traffic analysis, for lookups of known or pool-like mining domains.

Implement EDR solutions that provide real-time visibility into endpoint activity and behaviour, and use machine-learning or behavioural analytics to detect anomalies and identify potential indicators of compromise (IOCs) related to cryptojacking, such as unknown processes pinned at full CPU or miner binaries renamed to look like system processes.
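The three detection signals above (stratum traffic, pool-like DNS lookups and sustained CPU) can be checked with simple heuristics over normalised telemetry. The following Python is an added example written for this article, not code from the original page or from any product it mentions; the method names, ports and hostname fragments it matches are illustrative assumptions rather than an authoritative IOC list, and the telemetry events at the bottom are constructed with fictitious hosts and addresses.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Illustrative indicators. These are assumptions for the example, not an
# authoritative IOC list; tune them to your own environment.
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "mining.submit", "submit"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
POOL_NAME_PATTERN = re.compile(r"(pool|xmr|monero|nicehash|hashvault|minexmr)", re.IGNORECASE)


@dataclass
class Finding:
    host: str      # the workload that produced the telemetry
    reason: str    # why it was flagged
    evidence: str  # the raw artefact, truncated for the alert


def inspect_payload(host: str, dst: str, dst_port: int, payload: str) -> Optional[Finding]:
    """Flag a TCP payload that looks like a stratum (JSON-RPC) mining message."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None                      # not JSON, so not stratum
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method not in STRATUM_METHODS:
        return None
    reason = f"stratum method '{method}' sent to {dst}:{dst_port}"
    if dst_port in STRATUM_PORTS:
        reason += " (common stratum port)"
    return Finding(host, reason, payload[:80])


def inspect_dns(host: str, qname: str) -> Optional[Finding]:
    """Flag DNS lookups whose name follows mining-pool naming conventions."""
    if POOL_NAME_PATTERN.search(qname):
        return Finding(host, f"DNS lookup of pool-like name {qname}", qname)
    return None


def sustained_cpu(samples: Sequence[float], threshold: float = 85.0, min_run: int = 6) -> bool:
    """True when CPU% stays at or above threshold for min_run consecutive samples
    (with 5-minute samples, min_run=6 means half an hour of pinned CPU)."""
    run = 0
    for value in samples:
        run = run + 1 if value >= threshold else 0
        if run >= min_run:
            return True
    return False


def analyse(events: List[dict]) -> List[Finding]:
    """Run every heuristic over a list of normalised telemetry events."""
    findings: List[Finding] = []
    for ev in events:
        finding = None
        if ev["type"] == "tcp":
            finding = inspect_payload(ev["host"], ev["dst"], ev["dst_port"], ev["payload"])
        elif ev["type"] == "dns":
            finding = inspect_dns(ev["host"], ev["qname"])
        elif ev["type"] == "cpu" and sustained_cpu(ev["samples"]):
            finding = Finding(ev["host"], "sustained high CPU", str(ev["samples"]))
        if finding:
            findings.append(finding)
    return findings


# Constructed telemetry for the example; hosts, addresses and names are fictitious.
SAMPLE_EVENTS = [
    {"type": "tcp", "host": "vm-web-01", "dst": "203.0.113.10", "dst_port": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"WALLET_REDACTED","pass":"x","agent":"XMRig/6.0"}}'},
    {"type": "tcp", "host": "vm-web-01", "dst": "198.51.100.5", "dst_port": 443,
     "payload": "GET /healthz HTTP/1.1"},
    {"type": "dns", "host": "vm-web-01", "qname": "pool.example-xmr.test"},
    {"type": "dns", "host": "vm-db-02", "qname": "updates.example.test"},
    {"type": "cpu", "host": "vm-db-02", "samples": [95, 97, 96, 98, 99, 97, 96]},
    {"type": "cpu", "host": "vm-web-01", "samples": [20, 90, 95, 30, 40, 50]},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.reason}\n    evidence: {f.evidence}")
```

Each signal on its own is noisy (a hostname containing "pool" may be a connection pool, and a batch job can legitimately pin the CPU), so in practice these findings are correlated per host and enriched with the owning process before paging anyone. The stratum check only works on cleartext; when the miner uses TLS you fall back to the destination, port and DNS signals.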

  • Recovery:

The organization may need to conduct a forensic investigation to determine the scope and impact of the incident, including identifying compromised systems and tracing attacker activity. Analyze system logs, event data and memory dumps to reconstruct the timeline of the attack and identify the root cause of the intrusion.

Remove the malware and associated artifacts from infected systems using antivirus scans and malware removal tools. In the cloud, prefer rebuilding affected instances from a known-good image, and rotate any credentials or API keys the attacker could have reached, over cleaning them in place.

Patch the vulnerabilities and implement security controls to prevent future cryptojacking attacks, such as blocking the IP addresses and domains of the mining pools recovered during the investigation.
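The last recovery step needs the pool endpoints and wallet identifiers that the miner was configured with, which are usually recoverable from its command line or a dropped config file. The following Python is an added example written for this article, not code from the original page or from any malware it names. The recovered command line and JSON config are constructed samples; their `-o`/`-u` flags and `pools` array follow the conventions of common open-source Monero miners, which is an assumption, and the hosts, addresses and wallet value are fictitious.

```python
import json
import re
import shlex
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed artefacts for the example (not from a real incident). Treating the
# -o/-u/-p flags and the "pools" array as miner conventions is an assumption.
RECOVERED_CMDLINE = (
    "/tmp/.x/kthreadd -o stratum+tcp://pool.example-xmr.test:3333 "
    "-u WALLET_REDACTED -p x --donate-level 1 -k -B"
)
RECOVERED_CONFIG = json.dumps({
    "autosave": True,
    "pools": [
        {"url": "203.0.113.10:14444", "user": "WALLET_REDACTED", "pass": "x", "tls": True},
        {"url": "stratum+ssl://backup.example-pool.test:443", "user": "WALLET_REDACTED"},
    ],
})

Endpoint = Tuple[str, int]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_endpoint(url: str) -> Endpoint:
    """Turn 'stratum+tcp://host:port' or a bare 'host:port' into (host, port)."""
    if "://" not in url:
        url = "//" + url                 # let urlsplit treat host:port as the netloc
    parts = urlsplit(url)
    if parts.hostname is None or parts.port is None:
        raise ValueError(f"cannot parse pool endpoint: {url!r}")
    return parts.hostname, parts.port


def pools_from_cmdline(cmdline: str) -> List[Endpoint]:
    """Pool endpoints given with -o/--url on a recovered miner command line."""
    argv = shlex.split(cmdline)
    found = []
    for i, tok in enumerate(argv):
        if tok in ("-o", "--url") and i + 1 < len(argv):
            found.append(split_endpoint(argv[i + 1]))
        elif tok.startswith("--url="):
            found.append(split_endpoint(tok.split("=", 1)[1]))
    return found


def pools_from_config(raw: str) -> List[Endpoint]:
    """Pool endpoints from the 'pools' array of a recovered JSON config."""
    cfg = json.loads(raw)
    return [split_endpoint(p["url"]) for p in cfg.get("pools", []) if "url" in p]


def wallets(cmdline: str, raw_config: str) -> Set[str]:
    """Wallet/login identifiers; the same wallet on other hosts means the same campaign."""
    argv = shlex.split(cmdline)
    found = {argv[i + 1] for i, tok in enumerate(argv)
             if tok in ("-u", "--user") and i + 1 < len(argv)}
    found |= {p["user"] for p in json.loads(raw_config).get("pools", []) if "user" in p}
    return found


def build_blocklist(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Split IOCs by how they are blocked: IPs at the firewall or security group,
    domains via a DNS sinkhole. Domains must also be resolved and blocked by IP,
    because a miner can hard-code the address and never query DNS."""
    ips, domains, rules = set(), set(), []
    for host, port in endpoints:
        if IPV4.match(host):
            ips.add(host)
            rules.append(f"iptables -A OUTPUT -d {host} -p tcp --dport {port} -j DROP")
        else:
            domains.add(host)
            rules.append(f"# sinkhole {host} in DNS (RPZ/hosts) and block its resolved IPs on port {port}")
    return {"ips": sorted(ips), "domains": sorted(domains), "rules": rules}


def extract_iocs(cmdline: str = RECOVERED_CMDLINE, raw_config: str = RECOVERED_CONFIG) -> Dict[str, object]:
    """Everything the recovery step needs from the two artefacts, in one record."""
    endpoints = pools_from_cmdline(cmdline) + pools_from_config(raw_config)
    return {"endpoints": endpoints,
            "wallets": sorted(wallets(cmdline, raw_config)),
            **build_blocklist(endpoints)}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(), indent=2))
```

Blocking by IP alone is weak against an attacker who rotates pools, so the wallet identifier is the more durable indicator: search process listings and proxy logs across the fleet for it to find other infected hosts the per-host cleanup missed.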


Top 5 cryptojacking malware and attacks!

  1. Coinhive → Coinhive started as a legitimate service that let website owners mine Monero with their visitors’ CPU power. It was soon abused: attackers injected the Coinhive script into compromised websites, and it was also spread through malicious browser extensions and software, turning Coinhive into a kind of trojan. The service shut down in 2019.
  2. Smominru → Smominru is a botnet with several variants, including Hexmen and MyKings. It compromises Windows machines with the EternalBlue exploit or by brute-forcing credentials. After infection it steals the victim’s credentials, installs a trojan module and a cryptominer, and pivots through the network.
  3. WannaMine → WannaMine is a Monero miner that hijacks a system’s CPU cycles to mine. It uses advanced techniques (WMI subscriptions and PowerShell) to maintain persistence and to move laterally from system to system with harvested credentials; if that is unsuccessful, it attempts to exploit the remote system with the EternalBlue exploit used by WannaCry.
  4. MassMiner → MassMiner is a mining worm that has been seen propagating from local networks to higher-value targets such as Microsoft SQL Servers, which offer greater mining capacity. It exploits EternalBlue and web-server vulnerabilities, and brute-forces SQL Servers with SQLck; once a host is compromised, it runs scripts that install the MassMiner payload.
  5. PowerGhost → PowerGhost is harder to detect because it is fileless: it does not drop malicious files on the device, so it stays undetected and runs longer on servers and workstations. It uses legitimate tools such as Windows Management Instrumentation (WMI) and infects systems with an obfuscated PowerShell script that contains the core code; the script installs the mining module, its libraries and Mimikatz.
