Cryptojacking has become a popular way for cyber criminals to earn easy (crypto)coin without a huge amount of effort or high risk of repercussions. A recent report published by the Cyber Threat Alliance (CTA) shows that cryptocurrency malware detection rose 459% between 2017 and 2018.[1] While cryptocurrency mining isn’t likely to become the top cyber threat companies have to handle, its prevalence and ease of deployment mean that organizations need to be on the lookout, lest they become unwitting victims that risk taking a hit to system performance and cloud consumption costs.
Generally speaking, crypto mining is considered an end user device problem — an individual’s laptop, smartphone, or IoT device is the host for crypto mining software. However, public cloud is a perfect place for threat actors to drop malware and launch a “low and slow” attack that feeds off the cloud consumer’s usage. Large enterprises are more likely to have extensive IaaS deployed, so it could take some time before anyone notices a significant bump in the monthly bill and starts searching for a root cause.
The main consideration with cryptocurrency mining (the legitimate kind, that is) is paying for the power it takes to mine enough cryptocurrency to make it worth the miner’s while. Attackers aren’t footing the bill for usage, though, so anything they can skim off the top after the cost of creating the malware (which is typically nominal) is gravy. All an attacker needs to do to start collecting cryptocurrency is exploit a bunch of public clouds spread out over a variety of consumers, spin up a few virtual instances in each of them (not so many that the CPU usage on any one goes through the roof), create new key pairs that allow login and access to the internet, then deploy mining malware on the host. Voilà! Let the mining begin! An attacker can sit in the cloud until the legitimate consumer eventually detects the presence of malware, removes it, and revokes access. To date, no cryptojacking criminal has been arrested or prosecuted for a crime. Gravy.
Given this simple pirating process, it’s easy to see how Trend Micro found that unauthorized usage of CPU resources for the purposes of mining cryptocurrency increased by 1000% in the first six months of 2018. If further supporting evidence is needed, Kaspersky reported that “the total number of users who encountered [crypto] miners rose by almost 44%” between 2016 and 2018. These are some depressing statistics, but it’s not terribly surprising if you stop to think about how malware propagates, especially in a cloud environment.
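The pattern described above (a recently created key pair, a handful of instances kept at a steady but unalarming CPU level, and a bill that creeps up slowly) is exactly what a cloud consumer can watch for. The following is an added example, not code from Edgewise or from any of the reports cited; it scores a constructed fleet of instance records on three signals and flags an instance only when more than one of them lines up, so that a legitimate key rotation or a normal load spike does not trip it on its own. The field names, thresholds and sample values are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class InstanceSample:
    """One instance's last 24 hourly CPU averages plus two pieces of context.

    All fields are constructed for this example; a real collector would fill
    them from the cloud provider's metrics and key-management APIs.
    """
    instance_id: str
    keypair_age_days: int      # age of the login key pair attached to the instance
    cpu_pct: List[float]       # hourly average CPU for the last 24 hours
    expected_cpu_pct: float    # baseline from the workload's history or tagging


def sustained_moderate_load(cpu: List[float], floor: float = 40.0,
                            ceiling: float = 85.0, fraction: float = 0.9) -> bool:
    """True when CPU sits in a steady band that stays below typical alarm thresholds.

    A miner tuned to be "low and slow" wants exactly this shape: busy enough to
    earn, never busy enough to page anyone. Bursty, legitimate workloads fall
    outside the band for a large share of the day.
    """
    in_band = [floor <= c <= ceiling for c in cpu]
    return sum(in_band) / len(cpu) >= fraction


def score_instance(s: InstanceSample, new_key_days: int = 7,
                   baseline_factor: float = 1.5) -> List[str]:
    """Return the list of independent signals this instance exhibits."""
    reasons = []
    if s.keypair_age_days <= new_key_days:
        reasons.append("recently created key pair")
    if sustained_moderate_load(s.cpu_pct):
        reasons.append("sustained moderate CPU")
    if mean(s.cpu_pct) > s.expected_cpu_pct * baseline_factor:
        reasons.append("CPU well above baseline")
    return reasons


def flag_fleet(samples: List[InstanceSample], min_reasons: int = 2) -> Dict[str, List[str]]:
    """Flag instances where at least `min_reasons` signals coincide."""
    flagged = {}
    for s in samples:
        reasons = score_instance(s)
        if len(reasons) >= min_reasons:
            flagged[s.instance_id] = reasons
    return flagged


# Constructed fleet: one bursty web server, one freshly rotated database key,
# and one build box that is quietly running at 60% with a key nobody remembers creating.
WEB = InstanceSample("web-01", 400,
                     [5, 8, 12, 60, 95, 70, 20, 5, 4, 6, 55, 92, 88, 30, 10, 6, 5, 7, 65, 90, 75, 25, 8, 5],
                     30.0)
DB = InstanceSample("db-02", 2,
                    [20, 18, 22, 19, 21, 20, 18, 22, 20, 19, 21, 20, 18, 22, 20, 19, 21, 20, 18, 22, 20, 19, 21, 20],
                    20.0)
BUILD = InstanceSample("build-07", 3,
                       [58, 61, 63, 60, 62, 64, 59, 61, 60, 63, 62, 65, 60, 59, 61, 62, 60, 64, 63, 61, 60, 62, 61, 60],
                       15.0)
FLEET = [WEB, DB, BUILD]

if __name__ == "__main__":
    for instance_id, reasons in flag_fleet(FLEET).items():
        print(f"{instance_id}: {', '.join(reasons)}")
```

Requiring two coinciding signals is the design choice that matters: the database host has a two-day-old key because someone rotated it, and the web server routinely spikes past 90%, yet neither is flagged, while the build box trips all three signals at once.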
Freeloading on address-based network protocols
Many traditional security and malware detection tools rely on IP addresses, ports, protocols, and packets to determine if a piece of software is allowed to communicate in a network. The problem with this is that address-based protocols are easily hijacked by adversaries. With packet inspection, anything beyond the first four packets in a data transfer isn’t inspected, which means that altered software can slip past packet inspection tools. Hence the prevalence and continuation of cryptojacking malware. Further, if an attacker is able to exploit a vulnerability in the operating system or a misconfiguration of the cloud, or phish a pair of legitimate administrator credentials, they can seamlessly enter the environment, drop malware on the system, and the host will be none the wiser until the company’s monthly bill comes due.
Request a demo of zero trust segmentation today and protect your hybrid cloud from malware.
Considering all of the other varieties of cyber crime possible, dealing with and/or disputing a CPU usage bill doesn’t seem like an enormous price to pay (literally or figuratively). That said, crypto mining malware is not all that different from other malware placed surreptitiously in a network environment — and companies need to start implementing technologies and processes that prevent the addition and spread of malware rather than relying on—hopefully—early detection.
Crashing cryptojacking with zero trust
In a zero trust network, any new software that appears in the environment, legitimate or not, will be prevented from communicating over network or application pathways until its validity is confirmed. Zero trust means:
- The internal network is assumed to be just as hostile as the internet;
- Only verified users (meaning: credentialed users, devices, services, applications, and hosts) are allowed to communicate on the network;
- Re-authorization and re-authentication occur prior to every communication attempt;
- All access is set to least privilege; and
- Network locality is not a valid control to determine trust.
What this means is that if an attacker drops crypto mining software into a zero trust cloud environment, the software will be prevented from sending or receiving communications — because it doesn’t belong there. In addition, if authorization and authentication are based on the identity of the software itself and not network constructs (e.g., IP addresses), network communication pathways will also be protected because malicious software won’t be communicating across them. As a result, organizations will have much cleaner and visibly-reduced network attack surfaces.
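To make the difference between an address-based control and an identity-based one concrete, here is an added example that is not Edgewise's code and not taken from the original post. It models two policies side by side: an allowlist keyed on source subnet and destination port, and a zero trust policy keyed on the identity of the software itself (here, a SHA-256 of its constructed executable bytes), re-derived on every connection attempt and granted only the specific pathway it needs. The workload names, hostnames, IP addresses and executable contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    """A process on a cloud host. `image` is a constructed stand-in for its executable bytes."""
    name: str
    host_ip: str
    image: bytes

    def identity(self) -> str:
        # Identity is derived from what the software *is*, not where it happens to run.
        return hashlib.sha256(self.image).hexdigest()


@dataclass(frozen=True)
class Attempt:
    source: Workload
    dest_host: str
    dest_port: int


# Constructed workloads. All three live on the same instance and so share a source IP.
WEB_APP = Workload("web-app", "10.0.1.20", b"web-app build 1.4.2 (constructed)")
MINER = Workload("dropped-miner", "10.0.1.20", b"crypto miner payload (constructed)")
# Same name and IP as the web app, but the binary on disk has been modified.
TAMPERED = Workload("web-app", "10.0.1.20", b"web-app build 1.4.2 (constructed) + injected code")

# --- Address-based control: anything in 10.0.1.0/24 may talk to TCP 443 anywhere ---
ALLOWED_SUBNET_PREFIX = "10.0.1."
ALLOWED_PORTS = {443}


def address_policy_allows(a: Attempt) -> bool:
    """Decides purely on network constructs; has no idea which process is talking."""
    return a.source.host_ip.startswith(ALLOWED_SUBNET_PREFIX) and a.dest_port in ALLOWED_PORTS


# --- Identity-based (zero trust) control ---
VERIFIED: Set[str] = {WEB_APP.identity()}          # identities an operator has vouched for
# Least privilege: each verified identity gets exactly the pathways it needs, nothing more.
POLICY: Set[Tuple[str, str, int]] = {(WEB_APP.identity(), "payments.internal.example", 443)}


def zero_trust_allows(a: Attempt) -> bool:
    """Re-authenticates and re-authorizes on every attempt; network locality is ignored."""
    ident = a.source.identity()       # re-derived each time, so a modified binary changes identity
    if ident not in VERIFIED:         # unknown software never gets a network pathway
        return False
    return (ident, a.dest_host, a.dest_port) in POLICY


def evaluate(attempts: List[Attempt]) -> List[Tuple[str, bool, bool]]:
    """Return (workload name, address-based decision, zero trust decision) per attempt."""
    return [(a.source.name, address_policy_allows(a), zero_trust_allows(a)) for a in attempts]


ATTEMPTS = [
    Attempt(WEB_APP, "payments.internal.example", 443),
    Attempt(MINER, "pool.mining.example", 443),
    Attempt(TAMPERED, "payments.internal.example", 443),
]

if __name__ == "__main__":
    for name, ip_ok, zt_ok in evaluate(ATTEMPTS):
        verdict = lambda ok: "ALLOW" if ok else "DENY"
        print(f"{name:15} address-based={verdict(ip_ok):5} zero-trust={verdict(zt_ok)}")
```

The address-based policy allows all three attempts, because from its point of view they are identical: same subnet, same port. The identity-based policy allows only the web app on its one approved pathway; the dropped miner has no verified identity at all, and the tampered copy of the web app, despite carrying the same name and IP, no longer hashes to anything the operator vouched for.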
Of course, zero trust is a methodology and not a tool, but many commercial tools (shameless plug headed your way) are incorporating zero trust into their feature sets. Edgewise’s zero trust segmentation platform was built specifically for the purposes of reducing network attack surface, preventing the propagation of malware, and providing visibility into risky network communication. It’s through tools like Edgewise, which incorporate zero trust principles, that organizations can avoid having their cloud become a host for cryptocurrency mining. While the effects of a crypto mining attack aren’t as severe as, say, the compromise of 10 terabytes of customer PII, the root cause of a malware attack hasn’t changed. And that’s something organizations can do something about. Implementing a zero trust framework that underpins all technologies and processes, and removing reliance on network constructs (i.e., IP addresses as a source of truth), means that companies will be able to prevent malicious software from communicating in the first place, and at no high price.
[1] A separate report from Malwarebytes showed a 26% decrease in cryptojacking in Q3 2018.