Understanding Cryptojacking, Cryptomining, and their impacts on Cloud Computing

Introduction

Cryptojacking and crypto mining are terms used to describe the unauthorised use of computing resources for mining cryptocurrencies. These digital currencies function as a medium of exchange through a computer network without any central authority.

When combined with the vast cloud computing capacity, misconfigured cloud environments can create opportunities for cybercriminals to carry out illegal activities, as seen in this recent large-scale incident.

Cryptomining

Cryptomining, short for cryptocurrency mining, is the legitimate process of validating transactions and adding them to a blockchain, creating new cryptocurrency coins as a reward.

Cryptominers use powerful computer hardware, such as CPUs (Central Processing Units) or GPUs (Graphics Processing Units), to solve complex mathematical problems. When a miner successfully solves a problem, they add a new block to the blockchain and are rewarded with newly created cryptocurrency coins. This process is resource-intensive and requires substantial computational power.

Cryptomining is legitimate when performed with the owner's consent, adherence to laws and regulations, and ethical considerations. However, when mining occurs without authorisation (as in the case of cryptojacking), it becomes a security threat and a form of cybercrime.

While cryptomining is a legitimate process in validating and securing blockchain transactions, cryptojacking represents the unauthorised and malicious use of someone else's computing resources to mine cryptocurrencies. Both activities highlight the importance of cyber security measures to protect against unauthorised resource usage and exploit vulnerabilities.

Cryptojacking

Cryptojacking refers to the unauthorised use of a computer, server, or device's processing power to mine cryptocurrencies without the owner's knowledge or consent.

Cybercriminals typically inject malicious code into websites, ads, or software. When users visit the compromised sites or interact with infected content, their devices unknowingly become part of a network (botnet) that contributes processing power to mine cryptocurrencies. The mined coins are sent to the attacker's wallet.

Cryptojacking can lead to reduced system performance, increased electricity costs for the affected users, and potential hardware damage due to prolonged high CPU/GPU usage.

Recent Attack

According to?Techradar ?and?Bleepingcomputer , Ukrainian police arrested a hacker who allegedly used compromised servers belonging to an American company to secretly mine cryptocurrencies.

The reports claim that the hacker used over a?million virtual servers?to create a potent network, then nefariously used it for crypto mining, making themselves?$2 million.

This case highlights the significant impact that misconfigured cloud resources can have, resulting in undisclosed AWS consumption costs. In addition to the financial implications, there is also a negative environmental impact due to the considerable electricity wasted on criminal activity.

It is crucial for every organisation to properly manage and configure their cloud resources to avoid such issues and ensure that they are operating sustainably and securely.

Mitigation

Never has an outstanding monitoring and security posture been essential.

Simple AWS security best practices and tooling can go a long way to protecting your AWS environment from attack, and security should be seen as an ongoing exercise.?

Best Practices

To guard against crypto mining or unauthorised activities, consider the following AWS and industry best practices.

• AWS Root Account. Protecting the AWS root account is critical to maintaining the security of your AWS environment.
• MFA. Using MFA (Multi-Factor Authentication) helps improve security by adding a layer of protection to the authentication process. With MFA, users must provide two or more forms of identification to access an account or system, such as a password and a verification code sent to their phone or email. This makes it much more difficult for hackers to gain unauthorised access to an account since they would need both the user's password and their phone or email access. MFA is a highly recommended security measure for protecting sensitive information or valuable assets.
• Complex Passwords. Using a complex password reduces the risk of unauthorised access to your accounts and sensitive information. It is also essential to avoid using the same password across multiple accounts, as this makes it easier for hackers to gain access to all of your accounts if they can crack just one password.
• Storing access keys. Storing access keys in code presents security risks, as hardcoded credentials can be exposed accidentally, leading to unauthorised access or compromise of sensitive data and resources.
• Key Rotation. Rotating AWS keys is an important security measure because it helps to reduce the risk of unauthorised access to your AWS environment. AWS keys are used to authenticate and authorise access to AWS resources and services, and they are often used to automate tasks and scripts that interact with AWS. If these keys are compromised, an attacker could gain unauthorised access to your AWS environment, resulting in data loss, service disruption, or other security incidents.
• Principle of Least Privilege. Using the principle of least privilege helps improve security by limiting the level of access that users have to sensitive resources and data. This means that users are only granted the minimum access required to perform their job functions. By doing so, the risk of unauthorised access or data breaches is reduced, as users cannot access information they do not need. This is an important security measure as it limits the potential damage caused by a security breach and helps protect sensitive data and resources from unauthorised access or misuse.
• Defense in Depth. Using defence in depth is a security strategy involving multiple layers of security controls to protect against various threats. It helps security by providing multiple barriers to entry for attackers, making it more difficult for them to infiltrate the system. Each layer of security acts as a backup to the other layers, so if one layer fails, the other layers can provide protection. This strategy also helps to limit the damage caused by an attacker who manages to get past one layer of security, as they will still need to bypass the other layers to access sensitive data or systems. Overall, defence in depth helps to improve security by providing a more comprehensive and layered approach to protecting against security threats.
• Auditing. Auditing access helps improve security by providing a log of all activities within a system or network. This includes details such as who accessed a resource when the access occurred, and what actions were performed. By monitoring these activities, organisations can identify potential security threats or breaches and take appropriate measures to mitigate them. Auditing access also helps ensure compliance with regulatory requirements and internal policies. In the event of a violation, auditing logs can be used to identify the cause and extent of the breach and the steps that need to be taken to prevent future incidents. Auditing access is an important security measure that helps organisations monitor and protect their sensitive data and resources.
• Monitoring. Monitoring helps security in several ways. It allows for the early detection of potential security threats and breaches. By constantly monitoring and analysing network traffic, system logs, and user behaviour, security teams can quickly identify and respond to suspicious activity. This helps prevent data loss, unauthorised access, and other security incidents. Additionally, monitoring can provide valuable insights into system performance and help organisations optimise their security posture. By identifying and addressing vulnerabilities and weaknesses, organisations can improve their overall security and reduce the risk of cyber attacks.

Tooling

To monitor crypto mining or unauthorised activities, consider the following AWS services.

• AWS CloudWatch .?CloudWatch is a monitoring and management service that provides data and actionable insights for AWS resources. You can set up custom alarms and metrics to monitor the usage of your resources, which can help detect unusual patterns associated with crypto mining activities.
• AWS CloudTrail . CloudTrail records control plane calls made on your account, providing an audit trail of user activities, services, or other AWS resources. Monitoring CloudTrail logs can help identify suspicious or unauthorised activities within your AWS environment.
• AWS Config .?AWS Config helps you assess, audit, and evaluate the configurations of your AWS resources. By setting up rules, you can detect and respond to changes in your resource configurations that may indicate crypto mining activities.
• Amazon GuardDuty .?GuardDuty is a threat detection service that continuously monitors malicious activity and unauthorised behaviour. It uses machine learning (ML) and anomaly detection to identify potential threats, including crypto mining activities.
• Amazon VPC Flow Logs .?Flow Logs capture information about the IP traffic going to and from network interfaces in your Virtual Private Cloud (VPC). Analysing these logs can help you identify unusual patterns or traffic associated with crypto mining.
• AWS WAF (Web Application Firewall) .?If your applications are public-facing, AWS WAF can help protect them from common web exploits. You can set up rules to block requests associated with crypto mining scripts.
• AWS Identity and Access Management (IAM) .?Ensure that IAM policies are configured securely and follow the principle of least privilege to minimise the risk of unauthorised access.
• AWS Security Hub .?Security Hub?is a comprehensive security service that provides a centralised view of your security alerts and compliance status across various AWS accounts. It is crucial in identifying and managing security findings from various AWS services.?

It is vital to include all regions in the scope of any monitoring, not just those regions you actively use, as any attacker would target these underutilised regions in the hope of being undetected. Monitoring should include all AWS regions, including future regions, as they are brought online.

Additionally, visibility of costs is critical to monitoring nefarious activities in your AWS account. It isn't easy to imagine the cost of an additional million virtual servers popping up in your AWS environment, but you can be sure it would be noticeable! This is where?Best Practices for AWS Cost Optimisation & Financial Management ?comes into their own.

Summary

Cryptojacking is a form of cybercrime that involve the unauthorised use of computing resources for mining cryptocurrencies, leading to reduced system performance, increased electricity costs, and a large bill.

Misconfigured cloud environments create opportunities for cybercriminals to carry out such activities, as seen in recent large-scale incidents. Implementing AWS and industry best practices can also help monitor and protect cloud resources against these threats. Ultimately, it is essential to properly manage and configure cloud resources to avoid such issues and ensure sustainable and secure operations.

About Me

As an experienced AWS Ambassador and Technical Practice Lead, I have a substantial history of delivering innovative cloud solutions and driving technical excellence in dynamic organisations.

With deep expertise in Amazon Web Services (AWS) and Microsoft Azure, I am well-equipped to enable successful design and deployment.

My extensive knowledge covers various aspects of cloud, the Internet, security technologies, and heterogeneous systems such as Windows, Unix, virtualisation, application and systems management, networking, and automation.

I am passionate about promoting innovative technology, sustainability, best practices, concise operational processes, and quality documentation.

Note: These views are those of the author and do not necessarily reflect the official policy or position of any other agency, organisation, employer or company mentioned within the article.