Tools Resources

Protect Your Business from Being Cryptojacked!

By: Tim Szigeti

Jul 12, 2024

Overview

Cryptojacking is rapidly emerging as the most popular type of attack on cloud native applications and infrastructure. Care to guess how many cryptojacking attacks were recording in 2023? As a reference point, in the year before (2022), there were 139M cryptojacking attacks. However, this number jumped 659% the following year (2023) to 1.06B! That averages nearly 3M cryptojacking attacks every day, on average.

It’s easy to see why such attacks are so popular: attackers begin making money as soon as their cryptomining scripts launch. There’s no negotiating with companies or insurers about holding data ransom and the terms of release, etc. All they have to do is find a way to exploit vulnerabilities, misconfigurations, or permissive roles to take control of a business’s cloud infrastructure and utilize these for their own purposes. And there is a myriad of combinations they can exploit to these ends.

Anatomy of an attack

For instance, let’s forensically analyze such an attack that made cyber headlines on Telsa Motors. It really bears emphasizing that we’re not picking on Tesla here, but simply using this publicized example to illustrate the methods these cryptojacking attacks can utilize. Furthermore, we’ll examine just how prevalent the vectors and vulnerabilities are that made such an attack possible. This particular cryptojacking attack is illustrated below.

Figure 1
Figure 1: Cryptojacking Attack on Tesla Motors

As shown in the above figure, one of the first things the attacker exploited was a publicly accessible Amazon EC2 instance; specifically the API server to this compute cluster was publicly exposed. This is a very common misconfiguration that has been identified in Open Worldwide Application Security Project (OWASP) Cloud Application Security Top-10 lists. Additionally, once in, the attackers found some embedded secrets in some Kubernetes object. This is also a very common vulnerability, as developers sometimes hardcode username/password combinations into objects for testing purposes (rather than using Kubernetes Secrets, which takes more steps, but is more secure). These developers generally intend to remove these (temporary) credential additions into objects, but at times, they forget to do so and the credential lingers.

Once these embedded credentials were found, the attacks then were able to use them to log into the cluster with elevated privileges, and immediately set about launching their cryptomining scripts. Additional snooping led them to find some proprietary data in an Amazon Simple Storage Service (S3) bucket, but there was no mention of this data being used or leaked. The immediate goal of the attackers was simply to cryptomine and to do so as long as possible by evading detection.

Not an inexpensive, isolated incident

Was this attack an isolated incident? Not by any means, as can be seen by the statistics below. These attacks, as well as the vectors and vulnerabilities that enable them are exceedingly common.

Figure 2
Figure 2: Cryptojacking Statistics and Enabling Vectors

And finally, once the attacks have been successful, they can operate a long time before detection. For example, according to IBM’s Cost of a Data Breach Report 2023, it still takes companies on over 200 days, on average, to identify breaches.

Securing your cloud environments

So, how can we protect ourselves against such cryptojacking? Check out the video below to see how easy this is with Panoptica/Cisco Cloud Application Security.

It’s really that easy. Panoptica’s Attack Path Analysis allows you to correlate vulnerabilities and risks, to think like an attacker, so that you can prioritize the most critical exposures in your cloud environment. And Panoptica’s Smart Cloud Detection and Response (Smart CDR) allows you to stay protected, even as these attacks evolve and mutate, allowing you to discover and respond to new attacks in minutes (vs. 200+ days!)

So why not take Panoptica for a free test drive and see how it can help secure your cloud native applications and infrastructure? Get started at panoptica.app today!

Panoptica blog

Becca Gomby

Thursday, Oct 24th, 2024

Becca Gomby

Friday, Oct 18th, 2024

Becca Gomby

Friday, Oct 4th, 2024

Becca Gomby

Friday, Sep 27th, 2024

Popup Image