Cryptojacking is quickly becoming cybercriminals’ malware of choice, according to two new cloud security reports published this week.
Check Point found that the month of April marked the fourth consecutive month where cryptomining malware dominated its monthly Top Ten Most Wanted Malware Index. The Coinhive variant retained the top spot as the most prevalent malware (16 percent). Cryptoloot followed close behind with a global reach of 14 percent.
The researchers also uncovered a new trend: hackers targeting unpatched vulnerabilities in some Microsoft Windows and Oracle WebLogic servers to mine cryptocurrency. And while both companies fixed the flaws and made the patches publicly available at least six months ago, 46 percent and 40 percent of the world’s organizations were still targeted for the Microsoft and Oracle vulnerabilities, respectively.
Meanwhile, a report from RedLock found cryptojacking has gone mainstream. The company’s cloud security intelligence team found that 25 percent of organizations had their cloud compute resources stolen specifically to mine cryptocurrency. This represents a three-fold increase in cryptojacking incidents from the 8 percent reported in the last quarter.
Check Point’s Most-Wanted Malware
Check Point researchers analyze data from a global network of sensors and millions of data points for the company’s monthly threat report.
“What we are seeing since the end of 2017 and throughout 2018 is a very significant switch from using ransomware as one of the main monetization vectors for threat actors to using cryptomining,” said Omer Dembinsky, data research team leader, threat intelligence group at Check Point.
This echoes Symantec’s latest security report that found cryptojacking detections grew by a whopping 8,500 percent in 2017. The company’s threat researchers don’t expect it to drop in popularity in 2018.
In addition to being a cheap and easy way to make money — it only requires a couple of lines of code to operate in addition to stolen processing power and cloud CPU usage — cryptojacking is a “much quieter type of attack,” Dembinsky said.
With ransomware, the hacker locks the victim’s systems and demands a ransom — immediately and loudly making the attack known.
“But with cryptomining, you have a user oblivious to what’s happening,” Dembinsky said. “The threat actor is just making money on the side.”
Cloud Server Vulnerabilities
Threat actors are also looking to illegally mine cryptocurrency on “anything that has CPU,” he said. This includes mobile devices as well as personal and corporate computers. But the jackpot remains cloud servers. These have far more processing power and aren’t used by just one person, which means the users are less likely to notice any change in computing performance.
“Microsoft Windows and Oracle servers are very popular, and would definitely be a target for these threat actors,” Dembinsky said.
Although Microsoft and Oracle both pushed patch updates to address security issues back in 2017, nearly half the world’s organizations were still targeted by attackers taking advantage of these known vulnerabilities.
Check Point doesn’t know how many companies’ systems were actually used to mine for cryptocurrency. “But if you think about half the networks in the world, even if only 1 percent is not patched, you still have a huge amount of potential,” Dembinsky said.
In other words, if you’re a cybercriminal, cryptojacking has a pretty good rate of return.
It’s also a good reminder that security basics like patching are critical to ensuring secure networks.
RedLock: 3x Cryptojacking Increase
RedLock researchers previously uncovered cryptojacking in public cloud environments owned by Tesla, Aviva, and Gemalto. Attackers are now using advanced evasion techniques specifically to mine cryptocurrency in public clouds, according to the latest Cloud Security Trends report, which is based on 18 million cloud resources monitored.
Varun Badhwar, founder and CEO of RedLock, blames the spike in cryptojacking on several factors. One is the massive compute power in the cloud, especially compared to a traditional data center environment. Attackers typically make upwards of $50,000 to $100,000 per day until they are detected, he said.
“If you own the compute, and you are paying for the electricity, the math doesn’t work — it’s not cost effective to mine,” Badhwar said. “But when someone else is paying the bills, even if you only monetize $1,000 per day it’s free money.”
Also, if attackers steal data, company executives have to report the breach to law enforcement, the U.S. Securities and Exchange Commission, and other regulatory bodies, as well as to customers whose data was stolen.
“With cryptomining incidents, it’s a different vector,” Badhwar said. “You are monetizing on their environment until you get detected. And you don’t hear organizations having to disclose that they got cryptojacked. It flies under the radar. Law enforcement doesn’t get involved.”
Perhaps not surprisingly, RedLock found that 25 percent of organizations currently have cryptojacking activity in their environments.
“How do people get into these environments? It’s not that hard,” Badhwar said. “There are thousands and thousands of credentials just laying around.”
The security researchers found leaking credentials in GitHub repositories, unprotected Kubernetes administrative interfaces, and public Trello boards. They also uncovered a major new threat vector: public cloud Instance Metadata APIs.
Instance Metadata, a feature available to public cloud customers, is data about a cloud virtual machine (VM) that can be used to configure or manage the running VM. In effect, any process running on the VM can submit a query to the metadata API and obtain access credentials for the public cloud environment. The research team identified several ways that hackers might exploit this API, although it is unclear whether any of these methods have been used in the wild.
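Because every process on the VM can reach the metadata service, the practical defensive question is which processes actually do. The following is an added example, not code from the article or from RedLock: it scans host-level connection records for queries to the metadata service and flags any process that is not on an allowlist. The link-local address 169.254.169.254 is where AWS, GCP and Azure all expose the service; the log line format, the agent that produces it and the allowlisted process names are assumptions made for this example.

```python
"""Flag processes on a cloud VM that query the instance metadata service.

Added example (not from the article or from RedLock). The log format is a
constructed one, assumed to come from a host agent that records outbound
connections as:
    <timestamp> uid=<uid> comm=<process name> dst=<ip>:<port>
"""
import re

# Link-local address used by AWS, GCP and Azure for instance metadata.
METADATA_IP = "169.254.169.254"

# Processes expected to talk to the metadata service on this host.
# Assumed for the example; a real allowlist depends on the image in use.
ALLOWED_PROCS = {"cloud-init", "amazon-ssm-agent"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+comm=(?P<comm>\S+)\s+"
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one agent record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["port"] = int(rec["port"])
    return rec


def find_metadata_access(lines, allowed=ALLOWED_PROCS):
    """Return one alert per metadata-service query by a non-allowlisted process."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] != METADATA_IP:
            continue  # malformed line, or traffic to somewhere else
        if rec["comm"] in allowed:
            continue  # expected management traffic
        alerts.append({
            "ts": rec["ts"],
            "uid": rec["uid"],
            "comm": rec["comm"],
            "port": rec["port"],
        })
    return alerts


# Constructed sample records: one expected query (cloud-init), two
# unexpected ones (an interactive user and a web worker), one unrelated
# connection and one malformed line.
SAMPLE_LOG = [
    "2018-05-15T10:00:01Z uid=0 comm=cloud-init dst=169.254.169.254:80",
    "2018-05-15T10:02:17Z uid=1000 comm=curl dst=169.254.169.254:80",
    "2018-05-15T10:02:18Z uid=1000 comm=curl dst=203.0.113.10:443",
    "2018-05-15T10:05:44Z uid=33 comm=php-fpm dst=169.254.169.254:80",
    "this line is malformed",
]

if __name__ == "__main__":
    for alert in find_metadata_access(SAMPLE_LOG):
        print("metadata access by unexpected process:", alert)
```

The web worker hit (uid 33, php-fpm) is the case worth paying attention to: a web application that can be coaxed into fetching arbitrary URLs can hand the VM's credentials to whoever drives it. The complementary control is to restrict the metadata address on the host firewall to the agent's user, so that the allowlist above is enforced rather than merely observed.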
The report also found 27 percent of organizations have users whose accounts have potentially been compromised. This is up from the February 2018 report that showed 16 percent.
“Two things go hand-in-hand: a three-fold increase in cryptojacking in the quarter, and also an increase in cloud credential compromises,” Badhwar said. “There’s an obvious correlation here. As more accounts are compromised, and more people are able to get into these environments, they are able to use these cloud resources for cryptomining.”
Basic Cloud Hygiene
This shows that basic hygiene is still a problem in public clouds. Forty-three percent of all organizations have not rotated their access keys in more than 90 days, according to the report. “And that’s a security best-practice,” Badhwar said.
Additionally, 85 percent of cloud resources had no firewall restrictions on any outbound traffic, up from 80 percent a year ago. “This is such a fundamental thing that was solved in on-prem environments,” Badhwar said. “But in the public cloud it’s left wide open.”
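Both hygiene findings, access keys older than 90 days and security groups with unrestricted egress, are checks an organization can run against its own inventory. The following is an added example, not code from the article or from RedLock: two checks written against the shape of the data the AWS IAM ListAccessKeys and EC2 DescribeSecurityGroups calls return, fed with constructed sample records so it runs offline. The key ids, group ids and dates are all made up for the example; in use, the lists would come from the API responses.

```python
"""Two basic cloud-hygiene checks from the report: stale access keys and
security groups that allow all outbound traffic.

Added example (not from the article or from RedLock). Input records are
constructed to follow the shape of AWS IAM 'AccessKeyMetadata' entries and
EC2 'SecurityGroups' entries; the values themselves are made up.
"""
from datetime import datetime, timedelta, timezone

UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


def stale_access_keys(keys, now, max_age_days=90):
    """Return ids of Active keys created more than max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


def _rule_is_unrestricted(rule):
    """True if a single egress rule allows every port to anywhere."""
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    if not cidrs & UNRESTRICTED_CIDRS:
        return False  # destination is limited, so the rule is a restriction
    if rule["IpProtocol"] == "-1":
        return True  # all protocols, all ports
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def open_egress_groups(groups):
    """Return ids of security groups with at least one unrestricted egress rule."""
    return [g["GroupId"] for g in groups
            if any(_rule_is_unrestricted(r)
                   for r in g.get("IpPermissionsEgress", []))]


def hygiene_report(keys, groups, now, max_age_days=90):
    """Summarize both checks, including the share of groups left wide open."""
    open_sgs = open_egress_groups(groups)
    return {
        "stale_keys": stale_access_keys(keys, now, max_age_days),
        "open_egress_groups": open_sgs,
        "pct_open_egress": round(100 * len(open_sgs) / len(groups)) if groups else 0,
    }


# Constructed sample data.
NOW = datetime(2018, 5, 15, tzinfo=timezone.utc)

SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": datetime(2018, 1, 1, tzinfo=timezone.utc)},   # 134 days old
    {"AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": datetime(2018, 4, 1, tzinfo=timezone.utc)},   # 44 days old
    {"AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Inactive",
     "CreateDate": datetime(2017, 6, 1, tzinfo=timezone.utc)},   # old but disabled
]

SAMPLE_GROUPS = [
    # Mirrors the default egress rule a new security group gets: everything, anywhere.
    {"GroupId": "sg-0001", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # Only HTTPS out: a real restriction.
    {"GroupId": "sg-0002", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # Every TCP port to any IPv6 address: effectively open.
    {"GroupId": "sg-0003", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    # All ports, but only to a private range: restricted.
    {"GroupId": "sg-0004", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    print(hygiene_report(SAMPLE_KEYS, SAMPLE_GROUPS, NOW))
```

The egress check deliberately treats "all TCP ports to ::/0" the same as "all protocols to 0.0.0.0/0", since either gives a miner on the instance an unimpeded path to its pool; a rule scoped to a single port or a private range counts as a restriction. The first sample group reproduces the default egress rule every new AWS security group is created with, which is why leaving defaults in place produces the 85 percent figure the report describes.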