What’s at the root of most cloud attacks? Cryptomining, apparently

Data isn't the first prize for hackers in the cloud.
17 September 2020

For all its vast power, cloud computing continues to carry the baggage of security concerns.

Cloud misconfigurations cost companies worldwide up to US$5 trillion in 2018 and 2019. The mass data breaches that make the headlines are symptomatic. The hasty surge in adoption among businesses in 2020 makes a turnaround in the cloud security problem unlikely any time soon.

But when we consider the motivations behind cyberattacks on cloud servers, we might imagine sensitive data to be the most sought-after prize. A new study by Aqua Security reveals that the majority are instead aimed at deploying crypto-mining malware.

The findings were based on tracking and analyzing more than 16,000 attacks on ‘honeypot’ servers (decoy servers isolated from the production network and used to observe, or block, attacker activity) between June 2019 and July 2020. The firm noted a 250% year-on-year spike in attacks at the start of the year, which it took as a sign of an organized strategy.

Aqua Security said that 95% of attacks on the honeypot servers were aimed at mining cryptocurrency. The rest were used for setting up DDoS infrastructure.

“Our analysis suggests that the threat landscape shifted towards organized cybercrime, which is investing in infrastructure,” Aqua said. 

And while the majority of the tracked attackers sought to use cloud computing resources to mine crypto, the release adds that the “methods used open the door for higher-value targets that leverage security gaps in container software supply chains and runtime environments.”

Announcing the report, the research team said they expected further increases in sophistication, in the use of evasion techniques, and in the diversity of attack vectors and objectives, since the widespread use of enterprise cloud-native technology makes it a much more lucrative target.

The rise of cryptojacking

Cryptojacking — or attacks where an organization’s or individual’s computers are surreptitiously used to mine for cryptocurrencies — has only really emerged as a major problem in the last couple of years. 

The concept picked up pace in 2017 at the height of the cryptocurrency boom when prices peaked and the rewards were very significant. However, the prevalence of these attacks has continued, and the uptick at the beginning of the year could have been spurred by the increasing value of cryptocurrencies including bitcoin. 

In 2018, researchers at cloud monitoring and security firm RedLock found AWS infrastructure used by electric carmaker Tesla had been running crypto-mining malware in an extensive yet well-hidden campaign. 

Following the discovery, RedLock urged organizations to closely monitor configurations, including deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type. 

Monitoring network traffic and correlating it with configuration data can also allow for the identification of suspicious network traffic, as well as baselining normal user activities to detect anomalous behavior.
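The correlation RedLock recommends, worked through as an added example in Python (not RedLock's or Aqua's tooling): constructed flow records are checked against a known-good baseline and a constructed resource inventory, flagging egress to an assumed watchlist of mining-pool ports, resources the inventory has never seen, and egress ports a role is not expected to use.

```python
from collections import defaultdict
# Constructed inventory, as an asset-discovery tool might export it: id -> role and expected egress ports.
INVENTORY = {
    "i-web01": {"role": "web", "expected_egress": {443, 3306}},
    "i-db01": {"role": "db", "expected_egress": set()},
}
# Assumed watchlist of ports commonly used by Stratum mining pools; tune per environment.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# Constructed flow records (simplified VPC-flow-log style): ts src dst_ip dst_port bytes.
BASELINE = """\
1 i-web01 10.0.2.15 3306 5000
2 i-web01 52.1.1.10 443 2100
3 i-db01 10.0.1.5 3306 4000
"""
RECENT = """\
10 i-web01 52.1.1.10 443 1900
11 i-web01 185.0.0.7 3333 90000
12 i-db01 203.0.113.9 14444 75000
13 i-db01 10.0.1.5 3306 4200
14 i-tmp99 198.51.100.3 443 500
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        yield {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def build_baseline(text):
    """Map each resource to the (dst, port) pairs seen during the known-good window."""
    seen = defaultdict(set)
    for r in parse(text):
        seen[r["src"]].add((r["dst"], r["port"]))
    return seen

def detect(recent_text, baseline, inventory):
    """Return findings as (ts, resource, reason) for flows outside the baseline."""
    findings = []
    for r in parse(recent_text):
        if (r["dst"], r["port"]) in baseline.get(r["src"], set()):
            continue  # already seen in the baseline window; treat as normal
        cfg = inventory.get(r["src"])
        if cfg is None:  # traffic from a resource that discovery never registered
            findings.append((r["ts"], r["src"], "resource missing from inventory"))
        elif r["port"] in MINING_PORTS:
            findings.append((r["ts"], r["src"], f"egress to mining-pool port {r['port']}"))
        elif r["port"] not in cfg["expected_egress"]:
            findings.append((r["ts"], r["src"], f"unexpected egress port {r['port']} for role {cfg['role']}"))
    return findings

if __name__ == "__main__":
    for finding in detect(RECENT, build_baseline(BASELINE), INVENTORY):
        print(finding)
```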