Will cryptocurrency mining soon saturate AWS, Microsoft Azure and Google Cloud?

By Byron V. Acohido

Don’t look now but cryptojacking may be about to metastasize into the scourge of cloud services.

Cryptojacking, as defined by the Federal Trade Commission, is the use of JavaScript code to capture cryptocurrencies in users’ browsers without asking permission. There’s a temptation to dismiss it as a mere nuisance; companies deep into ‘digital transformation,’ in particular,  might be lulled into this sort of apathy.

Related: Why cryptojacking is more insidious than ransomware

On the face, the damage caused by cryptojacking may appear to be mostly limited to consumers and website publishers who are getting their computing resources diverted to mining fresh units of Monero, Ethereum and Bytecoin on behalf of leeching attackers.

However, closer inspection reveals how cryptojacking morphed out of the ransomware plague of 2015 and 2016. What’s more, by connecting a few dots, it becomes clear a recent surge of cryptojacking could signal a steep rise in a similar form of illicit cryptocurrency mining — one that could materially disrupt cloud services, namely Amazon Web Services, Microsoft Azure and Google Cloud.

I arrived at these conclusions after a riveting discussion with Juniper Networks’ cybersecurity strategist Nick Bilogorskiy, one of the top analysts tracking emerging cyber threats. For a drill down on our discussion, please listen to the accompanying podcast. Here are excerpts edited for clarity and length:

LW: Is there a connection between cryptojacking and ransomware?

Bilogorskiy: Before 2013 a lot of malware was focused on spam, DDoS and monetizing through malicious advertising and ad fraud. But in 2013 we saw the first crypto-ransomware, called CryptoLocker, that started a transition to monetization through crypto ransomware.

In 2014, we saw a new version of it, called CryptoWall, and basically more and more of these ransomware attacks followed until it really peaked last year, with more than $5 billion dollars lost from ransomware attacks.

It was mostly a consumer attack. You get it on your machine, it locks you and asks you for a Bitcoin. And people would pay that. But then they transitioned into hitting healthcare, hospitals, schools. Usually people would pay maybe a thousand dollars for the data. But a company could pay tens of thousands or hundreds of thousands.

LW: So cryptocurrency got discovered as the ideal payment vehicle for ransomware.

Bilogorskiy: Exactly. We saw ransomware before Bitcoin, where they asked for payments in various pre-Bitcoin things, like iTunes gift cards, or MoneyPak. But it was never quite as successful because Bitcoin gives you anonymity. Then the value of peer-to-peer transactions skyrocketed. It was insane. In 2011, total cryptocurrency value was about $10 billion. Now it’s closer to $900 billion.

LW: Somehow cryptojacking arose out of this?


Bilogorskiy: There are only a few ways to get cryptocurrency. You can mine them, if you have a powerful CPU. Or you can steal them from a digital wallet. Or you can hijack other people’s computers to do the mining. Or, of course, you can take someone’s data hostage and ask them to pay the ransom in Bitcoin.

Crypto ransomware hit the scene first and became very popular. But now, with people protecting themselves better from ransomware, the attackers have moved on to the next thing they can do.

LW: I can’t really use my MacBook to mine Bitcoin, can I?

Bilogorskiy: Bitcoin is at the end of its cycle and it now takes special purpose hardware to mine Bitcoin. But Monero hit the scene last year with a special algorithm which makes it still effective to mine Monero on smartphones and computers.

Then a JavaScript library called Coinhive came along that enabled people to embed mining code on their websites. And as soon as they did that on a website, they had a pop-up in the browser and that pop up mined Monero.

LW: That’s pretty convenient.

Bilogorskiy:  It was very clever way to monetize blogs. But people didn’t really like it because their machines heated up, it was noisy and the CPU maxed out. New websites tried and deleted it. But then attackers began to compromise websites and embed Coinhive on these websites, and redirect currency, mined through the browsers, to their own wallets.

That’s the threat known as cryptojacking. That’s when you hack and hijack a website, embed Coinhive on it so that all of the visitors are now mining Monero, and that goes to your wallet as an attack. This is happening now, and getting worse every month.

LW: So how is the ‘victim’ really affected?

Bilogorskiy:  There’s no money stolen from them.  But their computer resources are being hijacked, so they will see the computer heating up, their phone heating, the unit slows down and it might become unusable. The effect to web masters whose sites are hijacked is that people complain, the site may get blacklisted, and people will stop coming to the site.

LW: What other variants should companies be concerned about?

Bilogorskiy: One other kind of attack that we’ve seen is where companies get hacked and those computers have mining malware put on them. It’s similar in the sense that there is malware that gets put on computers, and they’ll compromise as many servers as they can to put them to work mining Monero.

LW: What level of those types of attacks are you seeing?

Bilogorskiy:  That’s been happening a lot, especially with companies moving their computing into the cloud. Google and Amazon machines are getting hijacked for crypto malware mining. The attackers can put malware designed to mine crypto currencies on those cloud endpoints.  It’s happening a lot, especially if you don’t secure your keys for your cloud very well.

One of the top attacks this year is putting malware on corporate cloud resources. And you would only know you’ve been victimized because you get a bill from Amazon or Google or Microsoft, and you see your bill go up proportional to your CPU and memory usage.

LW: How can SMBs, who are turning to cloud services in a big way, reduce their exposure?

Bilogorskiy:  The most important thing is to keep access to these cloud resources very private and very secure. We live in an era of breaches and every breach usually results in data leaks, including a lot of logons and passwords.

The easiest way to get into a company is to just to look online for some stolen passwords, and try some of those passwords until you get one that gets into the company.

LW: Or gets you over to where their cloud resources are.

Bilogorskiy:  Correct, because people share passwords. And there are automated tools to feed millions of passwords into different IP addresses, through proxies. This is called credential stuffing.

To bring our conversation back to crypto, companies need to make sure that credential stuffing attacks do not happen to their cloud resources. This means making sure that their keys to get into their cloud presence are not shared and are not compromised, because those resources will end up mining cryptocurrency and causing them financial damage.

LW: The other side of that coin is, if you see your AWS bill triple, it’s probably someone crypto mining off your cloud resources.

Bilogorskiy: That is very likely. We’ve seen the whole cycle going from ransomware, to cryptojacking on websites, and now to hacking the cloud presence of companies for mining malware. Those are the main attacks we’ve seen over the past couple of years.

LW: Do companies get this yet?

Bilogorskiy:  People’s behavior usually does not change unless there is a significant incident that forces them to change. Right now, less than one in 10 people actually use that second level of protection, above passwords. And we’ve talked about how important it is not to on passwords alone. So I expect that we will see a significant global event that will change people’s attitudes. But until that happens, I expect more of the same, both crypto mining attacks and cryptojacking to continue to accelerate.

(Editor’s note: Last Watchdog has supplied consulting services to Juniper Networks.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone