Understanding Cryptojacking — Why It Matters to You and How to Defend Against It

Security researchers have recently uncovered several high profile cases of cryptojacking involving companies like Tesla and the LA Times. In these incidents, cryptocurrency “miners” illegally gained access to an organization’s public cloud services and exploited their computing power to generate more digital coins.

In this blog post, we’ll give you a basic primer on what cryptomining is, how it’s typically done, and how to avoid unintentionally exposing your company to cryptojackers.

What Are Cryptomining and Cryptojacking?

Simply put, in order to get new cryptocurrency into circulation, miners have to use a great deal of computing power to solve complex mathematical puzzles. Solving these puzzles both validates existing transactions on the cryptocurrency’s public ledger (also known as a blockchain), and releases new digital coins into circulation for the miner as a reward. Miners can cash out these digital coins for their local currencies of choice using cryptocurrency exchanges.

Many miners use third-party software or mining protocols to aid them in this process. Some of these seemingly legitimate applications have been used nefariously by cryptojackers to inject mining code into vulnerable or unpatched portions of organizations’ websites or to redirect cloud computing resources through unsecured containers. With cryptojacking, the same incentive that otherwise keeps a blockchain system pure by validating transactions also incentivizes miners to steal valuable computing power for their own monetary gain.

For example, a company called Coinhive lets organizations embed a Javascript-based mining script into their websites, and site visitors can bypass advertisements or receive rewards in exchange for providing CPU power for cryptocurrency mining. According to TechRepublic, in February 2018, thousands of government websites were infected with the Coinhive mining script in the UK, US, and Australia. In addition, the script was injected into a misconfigured AWS S3 bucket accessed via the LA Times’ website.

In the case of Tesla, hackers took over an unsecured Kubernetes administrative console to mine cryptocurrency, and temporarily left an AWS S3 bucket containing sensitive data exposed. They hid their tracks and at first remained undetected by masking their IP addresses behind CDN provider Cloudflare. Luckily, because of Tesla’s ongoing bug bounty program, the company was able to identify the issue and secure both the Kubernetes console and S3 bucket before too much damage was done.

How Can Your Organization Prevent Cryptojacking Attacks?

Many of the principles that apply to web-based vulnerabilities are also best practices for avoiding cryptojacking attacks. Based on recent events, here are a few of our top recommendations:

  1. Install the latest software updates and patches. Ignoring a critical security update or patch is a common mistake that leaves websites vulnerable to attack.
  2. Adopt a SecOps practice. Tightly integrating security into every stage of your development lifecycle will help to ensure that your code is secure and updated. When everyone on your team is responsible for security, it is less likely that vulnerabilities will slip through the cracks in a continuous delivery model.
  3. Configure your cloud environments and containers properly. It seems obvious, but misconfigurations leave doors open to all kinds of attackers. When it comes to container security, there are four major areas to consider:
    • The intrinsic security of the kernel and its support for namespaces and cgroups
    • The attack surface of the container daemon itself
    • Loopholes in the container configuration profile, either by default, or when customized by users
    • The “hardening” security features of the kernel and how they interact with containers
  4. Check that difficult-to-crack passwords are assigned to administrative consoles. All entry points into your cloud infrastructure need to be continuously configured correctly by the people using your system the most. (Threat Stack’s Configuration Audit feature can help.) Regarding passwords, NIST has published some new guidelines that may change the way that users and organizations design and administer their password policies. For your convenience, here’s a summary of the new changes and best practices:
    • Remove periodic password change requirements. Multiple studies have shown that requiring frequent password changes is actually counterproductive to good password security (for example, “password” becomes “password1”, then “password2”, etc.), but the industry has still held onto the practice. Hopefully, NIST’s new recommendations will help change that.
    • Be mindful of the algorithmic complexity song and dance. This includes arbitrary password complexity requirements needing mixtures of upper-case letters, symbols, and numbers.
      • Updates to NIST Special Publication 800-63B https://pages.nist.gov/800-63-3/sp800-63b.html#appA state: “Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.”
      • Also as stated in NIST Special Publication 800-63B Digital Identity Guidelines: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.”
    • Require the screening of new passwords against lists of commonly used or compromised passwords. One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.
  5. Leverage the community. As in Tesla’s case, vulnerability reward programs, or bug bounties, can be an effective way to motivate the security community to discover vulnerabilities.
  6. Continuously monitor your cloud environments. You’ll want to look for significant changes in load (such as an irregular number of instances running at the same time), or unauthorized users accessing S3 buckets, which could be indicators of a cryptojacking attack in progress. (Threat Stack is purpose-built to help organizations continuously monitor their cloud environments and identify anomalies in real time.)

Final Words . . .

As InfoSecurity Magazine recently stated, “cryptojacking presents an increasingly dangerous and broad security threat, both to businesses and to essential infrastructure and public services,” and it’s one that all organizations need to be aware of.

As a best practice, we recommend that all organizations implement a proactive and ongoing strategy to continually reassess and strengthen their security posture, starting with a baseline of current strengths and weaknesses. If you’re interested in taking a snapshot of your organization’s current security posture, start with our Cloud SecOps Maturity Assessment. It will help you determine where you are so you can plan where you need to go.

Cloud SecOps Maturity Assessment

Baseline your cloud infrastructure security strategy and find out where you stand.

Take the Assessment