Attackers Targeting Cloud Infrastructure for their Cryptocurrency-Mining Operations

With the rise of cryptocurrency-mining malware over the past couple of years, cybercriminals are constantly trying different kinds of monetization schemes. One of the methods becoming increasingly commonplace is targeting the cloud — specifically enterprise cloud infrastructure. A report by AT&T outlined four methods cybercriminals use to target a business’s cloud infrastructure: compromised container management platforms, malicious Docker images, API key theft, and control panel exploitation.

Abusing compromised container management platforms. A container is a type of technology used by developers to house all the components of an application, including management interfaces, files, code, and libraries. Cybercriminals have been known to exploit vulnerabilities in container management platforms or take advantage of misconfigured containers to deploy malware. This was the case in an incident in February 2018, when attackers were found to have abused the compromised Kubernetes infrastructure of an electric car manufacturer. The attackers then used the compromised containers to perform cryptocurrency-mining operations.

Furthermore, attackers have been observed compromising these platforms by abusing open APIs and unauthenticated management interfaces.

Running malicious Docker images. Docker is another ubiquitous development tool that is used to build, run, and distribute containers. Building these containers often takes time and resources, so some Docker users resort to prebuilt images for their needs. The AT&T report noted that problems arise when users inadvertently download images containing a cryptocurrency miner. The illicit miner is difficult to detect, as miners often are, and operates in the background without the user's knowledge or consent.

Stealing API keys. API key theft is a well-known method of compromising cloud infrastructure and often involves little more than basic scanning of source code posted to services such as GitHub for publicly accessible API keys. By gaining access to these API keys, cybercriminals can execute a variety of malicious actions, from buying and selling currencies via trading bots to using hijacked accounts for mining.
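The scanning the paragraph describes works because credentials have recognizable shapes. The same shapes let a defender catch a key before it is pushed. The following is an added example, not code from the article or from AT&T: a small pre-commit style scanner that flags AWS access key IDs (20 characters starting with AKIA or ASIA) and any credential-looking variable assigned a quoted literal. The sample source is constructed; the key values in it are the placeholders AWS uses in its own documentation and do not belong to any account.

```python
import re
from typing import List, NamedTuple

# Each rule is a name plus a regex whose first capture group is the sensitive value.
RULES = [
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    # A variable whose name suggests a credential, assigned a quoted literal of 8+ characters.
    ("hardcoded-credential",
     re.compile(r"(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]",
                re.IGNORECASE)),
]


class Finding(NamedTuple):
    line_no: int
    rule: str
    masked_value: str


def mask(value: str) -> str:
    """Keep only the first four characters so a report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> List[Finding]:
    """Run every rule over every line and collect findings (empty list means clean)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule_name, mask(m.group(1))))
    return findings


def commit_allowed(text: str) -> bool:
    """Gate for a pre-commit hook: refuse the commit if anything matched."""
    return not scan_text(text)


# Constructed sample of a file about to be committed. The values are the
# well-known AWS documentation placeholders, not real credentials.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "sk_live_constructed_placeholder_value"
session = boto3.Session()  # uses the credentials above
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} -> {f.masked_value}")
    print("commit allowed:", commit_allowed(SAMPLE_SOURCE))
```

The generic rule will produce false positives on test fixtures, which is the usual trade-off; a hook like this is a last line of defense, and the real fix is to load credentials from the environment or a secrets manager so there is nothing to scan for.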

Exploiting web host control panels. Cybercriminals have also turned to trying to gain administrative access over the control panels of web hosting technologies, which allows them to deploy malware, including cryptocurrency-mining malware. While vulnerability exploitation is one possible means of intrusion, all too often these intrusions result from factors within an organization's control, such as improper configuration. An incident in October 2018, for example, involved attackers taking advantage of exposed Docker API ports, allowing them to deploy a Monero miner on the affected machines.
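Both the open, unauthenticated management interfaces mentioned earlier and the exposed Docker API ports in the October 2018 incident come down to daemon configuration. The following is an added example, not code from the article or from Docker: it audits the `hosts` and TLS settings of a Docker Engine `daemon.json` and shows the weak configuration beside a hardened one. The two configurations are constructed; the certificate paths and the internal address 10.0.0.5 are assumptions.

```python
import json
from typing import List

# Constructed weak configuration: the Engine API is published on every
# interface on the conventional plaintext port, with no client verification.
# Anyone who can reach the port can start containers as root on the host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened configuration: the API stays on the local socket, and
# the only network listener is bound to one internal address on the TLS port
# with mutual TLS (tlsverify) so that only holders of a client cert can connect.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(raw: str) -> List[str]:
    """Return human-readable findings for a daemon.json; an empty list means no issue found."""
    cfg = json.loads(raw)
    findings = []
    hosts = cfg.get("hosts", [])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the unix socket: nothing is reachable over the network

    tls_on = cfg.get("tlsverify") is True
    for h in tcp_hosts:
        addr = h[len("tcp://"):]
        host, _, port = addr.rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h}: API bound to all interfaces")
        if not tls_on:
            findings.append(f"{h}: TCP listener without tlsverify (unauthenticated root-equivalent access)")
        if port == "2375":
            findings.append(f"{h}: port 2375 is the conventional plaintext API port")

    if tls_on:
        # tlsverify without the certificate material is a broken config, not a secure one.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or "no findings")
```

A clean audit is necessary, not sufficient: even the TLS listener should sit behind a firewall or security group that limits who can reach the port, and the same reasoning applies to Kubernetes API servers and web host control panels, where the first check is whether the interface is reachable at all and whether the default credentials were ever changed.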

A large number of these attacks can be prevented if individuals and organizations prioritize security by design, which includes proper implementation of basic best practices such as the following:

  • API key theft can be prevented if users take great care never to expose their access keys to the public.
  • Cloud services should always be configured correctly to avoid any potential exploitation. Even something as basic as changing the default password of control panels can eliminate a large number of attacks.
  • Many container technologies come with integrated security features that users should set up if they plan to use these platforms.

Enterprises should also consider implementing automated runtime and image scanning, which allows for increased visibility into a container’s processes. Application control and integrity monitoring also help in finding any suspicious activity within the organization’s system.
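Runtime visibility, application control, and integrity monitoring are abstract until they are applied to what is actually running in a container. The following is an added example, not code from the article or from any vendor product: it audits a process listing against an allowlist of the binaries the image is expected to run, flags executables launched from world-writable temporary directories (which should not exist in an image built from a reviewed Dockerfile), and flags any command line that references a mining pool via the stratum protocol. The process listing is constructed; the pool hostname, wallet value, and the web-app allowlist are assumptions.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample in the shape of `ps -eo pid,user,comm,args` inside a
# container that is supposed to run only a Node.js app behind nginx.
# The pool hostname and wallet are invented placeholders.
SAMPLE_PS = """\
  PID USER     COMMAND  ARGS
    1 root     node     node /app/server.js
   14 root     nginx    nginx: master process nginx -g daemon off;
   57 www-data worker   /tmp/.cache/worker -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x
   70 root     sleep    sleep 30
"""

# Application control: the only commands this image is expected to run.
ALLOWED_COMMANDS: Set[str] = {"node", "nginx"}
# Integrity: binaries that appear here were written at runtime, not shipped in the image.
WRITABLE_TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Mining pools are addressed with the stratum scheme regardless of which coin is mined.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.IGNORECASE)


class Alert(NamedTuple):
    pid: int
    rule: str
    detail: str


def parse_ps(text: str):
    """Yield (pid, user, comm, args) tuples from a ps-style listing, skipping the header."""
    row = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")
    for line in text.splitlines()[1:]:
        m = row.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def audit_processes(text: str, allowed: Set[str] = ALLOWED_COMMANDS) -> List[Alert]:
    """Apply the three runtime rules to every process and return the alerts."""
    alerts = []
    for pid, user, comm, args in parse_ps(text):
        exe = args.split()[0] if args else comm
        if comm not in allowed:
            alerts.append(Alert(pid, "not-in-allowlist", comm))
        if exe.startswith(WRITABLE_TMP_DIRS):
            alerts.append(Alert(pid, "exec-from-tmp", exe))
        m = STRATUM_RE.search(args)
        if m:
            alerts.append(Alert(pid, "mining-pool-url", m.group(0)))
    return alerts


if __name__ == "__main__":
    for a in audit_processes(SAMPLE_PS):
        print(f"pid {a.pid}: {a.rule} ({a.detail})")
```

The allowlist rule fires on the harmless `sleep` as well as on the miner, which is the point of application control: the baseline is what the image should run, and anything else is investigated rather than guessed at. The stratum rule is the cheap, high-confidence signal for this particular threat, while the temp-directory rule catches payloads that do not announce themselves on the command line.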

Trend Micro helps DevOps teams to build securely, ship fast, and run anywhere. The Trend Micro™ Hybrid Cloud Security solution provides powerful, streamlined, and automated security within the organization’s DevOps pipeline and delivers multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via the Deep Security solution and Deep Security Smart Check, which scans Docker container images for malware and vulnerabilities at any interval in the development pipeline to prevent threats before they are deployed.
