Threat actors are compromising cloud accounts in order to create distributed workloads for cryptomining — compromising misconfigured and vulnerable cloud instances for executing distributed denial-of-service (DDoS) attacks and abusing trial accounts from DevOps service providers.
A Romanian group, dubbed Outlaw, compromises Internet of Things (IoT) devices and Linux servers and containers by rudimentarily exploiting known vulnerabilities and using stolen or default credentials to mine the Monero digital currency or execute DDoS attacks. A more sophisticated group, TeamTNT, targets vulnerable software services; it ramped up attacks starting last November while claiming it would halt operations. And the Kinsing group harbors an impressive number of cloud exploits and rapidly transitioned to the Log4j exploit in December, according to a report released by Trend Micro on March 29.
The attacks should be a warning sign to companies that their security controls are not working well in the cloud, says Stephen Hilt, a senior threat researcher with Trend Micro.
"The amount of poorly configured cloud instances is high, and these groups are taking advantage of it," he says. "The systems are unchanged from the attackers, so this doesn't set off any red flags for things like changing passwords, adding their mining software and scripts, and leaving everything else untouched. If you aren't paying for the on-demand pricing, it is likely a long time before you notice their activities, specifically the groups that set limits on resources the miners can use."
Other attackers have found ways to exploit the free tier of continuous integration, continuous deployment (CI/CD) pipeline services — such as Azure DevOps, BitBucket, CircleCI, GitHub, GitLab, and TravisCI — and string together the transient workloads into a cryptomining cloud service, according to cloud security firm Aqua Security. In one case, an attacker used multiple six-hour build steps to add processor cycles to a pooled mining service, according to a blog post published by the company last week.
The attacks are simple to detect on paper but hit at the heart of the cloud model, where offering developers trial accounts or a free tier spurs usage and subscriptions and is an essential business practice. Adding barriers could hamper future growth of cloud services or make developers less likely to try out new services, says Mor Weinberger, a software engineer with Aqua Security's Argon team.
"Even when barriers are implemented, advanced actors are still able to bypass them," he says. "Going forward, I believe platforms will substantially strengthen their defenses against cryptomining attacks and threat actors will seek more profitable and less resistant targets."
The research underscores that attackers are finding ways to compromise and monetize cloud offerings that differ from tactics used to compromise and monetize devices, desktops, and servers. Access-as-a-service groups, for example, will often use compromised cloud accounts to run cryptominers or generate DDoS attacks as a way to generate extra income.
Cybercriminal "Capture the Flag"
Different groups are also competing for cloud resources. TeamTNT, for example, appears to have targeted systems compromised by a rival cryptocurrency mining group known as Kinsing, according to Trend Micro's report. Meanwhile, Outlaw recently created a tool to find and remove the utilities and settings used by other mining gangs to compromise cloud services, the report states.
"They are fighting for the sake of which group owns the box — [they] want all the resources for mining to go to [them], not the other groups," says Trend Micro's Hilt. "This leads to them kicking each other out, cleaning up the other’s malware and scripts, and trying to maintain the box themselves. Effectively, the attackers are playing a criminal game of capturing the flag in your infrastructure."
Many companies might consider the attacks less serious, since they may not affect operations or customer privacy, but having visibility into cloud instances to detect such attacks is critical, Hilt says.
In addition, cloud services may find that their resources are quickly overrun if attackers can automate cryptomining as part of a CI/CD pipeline, says Aqua Security's Weinberger. Because the throughput of the attack varies based on the number of accounts managed by the attackers, the threat actors will often create multiple accounts and pipelines across different platforms, he says.
"This also helps them avoid being fully blocked in case the platforms detect some of their accounts," Weinberger adds.
Companies and cloud services should focus on visibility as the first step to prevention, using the maturity of the accounts to allow more utilization and detecting indications of mining-based processes and network telemetries, he says.