Numerous threat actors are reportedly duking it out for access to the limited cloud computing power they can use for cryptocurrency mining activities.
A report by Trend Micro describing, “A floating battleground navigating the landscape of cloud-based cryptocurrency mining”, claims there’s an “hour-by-hour” battle between multiple groups over which gets to use compromised cloud servers as miners.
"Just a few hours of compromise could result in profits for the perpetrators. That's why we're seeing a continuous fight for cloud CPU resources. It's akin to a real-life capture-the-flag, with the victim's cloud infrastructure the battleground," said Stephen Hilt, Senior Threat Researcher at Trend Micro.
Increasing costs
"Threats like this need joined-up, platform-based security to ensure the bad guys have nowhere to hide. The right platform will help teams map their attack surface, assess risk, and apply for the right protection without adding excessive overheads."
Compute power in the cloud is excessive, but not all of it is available to cybercrooks. Trend Micro is saying that the groups are only able to exploit exposed instances, which usually have outdated cloud software, poor cloud security hygiene, or are being run by people with inadequate knowledge on how to secure the services.
Brute-forcing SecureShell (SSH) credentials is also sometimes used, the researchers have added.
Cloud computing has proven pivotal for the survival of many businesses during the pandemic. But some have been left online for longer than needed, the report claims, which means they’re now sitting unpatched and misconfigured.
Compromised systems will not only slow down key user-facing services for targeted organizations, but can also increase their operating costs by up to 600%. After all, a cryptocurrency miner needs significant computing resources as well as electricity, and a stable internet connection.
Trend Micro also says that some groups use miners as a “side gig”, to earn a few extra bucks as they wait for a customer willing to buy access to the compromised endpoints.
To remain secure, the researchers advise companies to always keep their systems updated, to run only required services, to deploy firewalls, IDS/IPS, and cloud endpoint security solutions, to eliminate configuration errors, to monitor traffic to and from cloud instances, and to deploy rules that monitor open ports, changes to DNS routing, and utilization of CPU resources from a cost perspective.
