Preventing and Detecting Bitcoin Mining Attacks

It seems that wherever you go these days, or whatever news channel you choose to read or listen to, there’s a good chance you’ll hear about crypto-currencies. A few years ago, only techies knew about Bitcoin; today there’s a chance that even grandma is considering a small investment in the latest ICO. And where there is money, bad guys lying in wait seem to follow.

According to latest research, cryptocurrency mining attacks (known as Cryptojacking) are on the rise. If you are the victim – it could cost you a lot of money. There are many things that could be done to prevent these attacks or detect them quickly – and Dome9 is here to help.

Legitimate Mining vs. Malicious Mining

Cryptocurrencies are using cryptography to secure the transactions and the creation of new “units”. Generating (or “mining”) new units of cryptocurrencies is usually done using a “miner”, a software that use special cryptographic algorithms. For instance, one of the widely used algorithms to mine “Monero” is called CryptoNight.

Mining algorithms require significant processing power. The miners are usually programmed to consume hardware resources like the Central Processing Unit (CPU) or Graphics Processing Unit (GPU). Considering the surge in number of cryptocurrencies out there and the new all-time high that Bitcoin reached, it’s no wonder that the demand for powerful CPUs and high-end GPUs is also on the rise.

Processing power costs money. When such levels of processing power are required, hackers look for every available CPU or GPU. Special malwares were developed to hijack infected host hardware resources, with phishing often as the preferred method of delivery. Obtaining credentials to a cloud account makes the attack more powerful.

Anatomy of Cryptojacking

There are various potential cryptocurrency mining attack scenarios. Let’s explore one of these typical scenarios for advanced cryptojacking:

  1. One of the cloud admins becomes a victim to a phishing attack and is tricked to surrender his/her cloud account credentials.
  2. The attacker uses the credentials and logs into the account. He launches new, powerful, virtual instances (CPU/GPU intensive).
  3. The instances are launched with new key pairs that allow the attacker to login, and assign security groups that provide the instances with needed internet access.
  4. The attacker deploys mining malware on the newly controlled hosts.
  5. The bill will be served to the account owner, and the longer it takes to discover these rogue instances – the higher the bill becomes (one powerful GPU instance, the p3.16xlarge, costs $24.48 per hour!).


Ways to Fight Cryptojacking

There are multiple ways to detect a cryptocurrency mining malware. But like in most cases, prevention is the best way to avoid getting hacked. Let’s explore a few methods to fight cryptojacking.

Locking Down the Security Groups

Dome9 provides a large predefined set of Security Best Practices that can easily be tested against your AWS, Azure and GCP cloud accounts. This set of rules we created test for many security settings that can prevent hackers from gaining access to the accounts, and launching their mining malwares. Strong security foundations start with the simple things, like closing administrative ports and maintaining a regular password rotation policy. With the strong capabilities of the Dome9 Compliance Engine, it is very easy to customize rules and adapt them to your specific organizational security policies.

Dome9 Region Lock provides active protection for the enforcement of your security posture on AWS accounts. Applying the use of region lock, admins can only then use the Dome9 Console to define security group configurations. When Dome9 detects newly created security groups in the protected region, it will immediately have both the ingress and egress rules deleted. By using this feature, the network will become locked for the deployed mining malwares, as they will not be able to communicate with the cryptocurrency network and their remote control on their regular ports. The attempts to customize the security groups will be denied by Dome9.

Limiting Access

Limiting user permissions to applications and services is another powerful way to obstruct the deployment and operation of mining malwares. Another layer of active protection can be achieved by using Dome9 IAM Safety, which restricts users from making unauthorized or accidental changes to account settings without the knowledge and authorization of an administrator.

IAM Safety is based on an IAM policy that denies the permissions of IAM users to perform specific actions which the administrator defines as sensitive. For example, the administrator can restrict the action ec2:RunInstances, which allows the launch of instances. Without this permission, the attackers will not be able to launch new instances that will perform the mining operation. In the same manner, the administrator can restrict other operations that may be required by mining attackers, such as restricting creation of keypairs (ec2:CreateKeyPair) and security groups (ec2:CreateSecurityGroup).

IAM users who wish to access the protected AWS resources must open an authorization window for themselves using Dome9. Without access to Dome9, even if the attackers get a hold of an IAM users credentials, they will not be able to perform the restricted operations.

Fixing the Holes on the Hosts

As host vulnerabilities are discovered (including misconfiguration, OS vulnerabilities – and even hardware related vulnerabilities), it is crucial to patch the instances quickly. Any vulnerabilities can quickly be exploited for any purpose, including for mining cryptocurrency.

For that purpose, Dome9 integrated with AWS Inspector, an automated security assessment service from AWS. The integration allows for a quick detection of host level vulnerabilities, and can be combined with the powerful Dome9 Compliance Engine. Inspector does the scanning, with findings conveniently presented in the Dome9 Console, providing reports, and speeding up the remediation process.

Detecting Suspicious Activities in the Account

Tightening security prevents most of the attacks, but sometimes something can still slip through the cracks. Detecting suspicious activity quickly is key in reducing the damage that may have already been caused.

The Dome9 Compliance Engine allows you to detect suspicious configurations that may indicate an ongoing attack. A breach can sometimes be detected by “technicalities”. For example, creating a list of approved image types allows you to detect instances that are based on an unauthorized image. Writing a rule that detects instances that do not comply with the authorized list is very simple using Dome9’s Governance Specification Language (GSL). Here is example for detecting unauthorized AWS AMIs:

Instance should have image in(‘ami-1234567′,’ami-abc1234’)

The results are displayed in an easy to read report that highlights non-compliant instances:

As already explained, attackers that want to mine cryptocurrency would require CPU/GPU intensive instances. Discovering unauthorized instance types is just as easy. Here is an example for Azure VM types:

VirtualMachine should have size in (‘Standard_F4′,’Standard_F4’)

Another option for locking the account can be relevant when not all regions are utilized. In that case, detection of launched images in unauthorized regions would raise suspicion. Here is a GSL query sample for that detection on GCP environments:

VMInstance should have region in(‘europe-west1′,’us-east1’)

Fighting Cryptojacking Continuously

As cryptocurrency attacks are becoming more popular, more protection measurements are required. Dome9 provides numerous tools for the job, providing prevention and discovery. Locking down cloud accounts is made easier with the active protection provided by Dome9 Region Lock and Dome9 IAM Safety. Both features require access to Dome9 which attackers do not have. Additionally, the detection of suspicious activity becomes a lot easier with the use of Dome9’s Governance Specification Language (GSL), that allows you to customize rules to detect any element that does not comply with your organizational policies.

It is important to run these tests continuously. Periodic detection would discover new suspicious behavior, and reduce potential damage. Dome9 provide methods for continuous compliance, with more options to be released soon.

Read More: 


The Top 12 Threats to Cloud Security 


A Repeatable Model for Cloud First Deployment