Most cloud-native attacks looking to mine cryptocurrency, report warns
A new threat report from Aqua Security has revealed the majority of attacks analysed on cloud-native infrastructure were for mining cryptocurrency – with a ‘growing, organised and increasingly sophisticated’ pattern of attacks noted.
The report, from Team Nautilus, Aqua’s cybersecurity research unit, detailed a year’s worth of attacks observed in the wild and, for the first time, examined the methods used to attack container infrastructure. The report also highlighted supply chain attacks as an emerging threat.
With regard to cryptomining, mapped against the MITRE ATT&CK framework, the tactics observed included defence evasion, command and control, and discovery. Some attacks were particularly stealthy: each malicious image employed several defence evasion techniques, such as disabling security tools and anti-debugging, and benign-looking images were also used as a first stage, with the running container then downloading the malicious components.
Across all attack vectors, adversaries mainly used xmrig, an open source Monero cryptominer, or a similar binary.
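The report’s findings above (an xmrig-style miner, often renamed, preceded by defence evasion steps such as disabling security tooling) translate into a simple host-side triage check. The following is an added example and is not code from Aqua or Team Nautilus: it scores container process records for miner indicators (the xmrig binary name, a stratum pool URL, xmrig-style command-line flags, a binary launched from a hidden tmp path) and separately for defence evasion commands, then combines the two per container. The process records, the agent names in the evasion pattern and the score threshold are all constructed assumptions for illustration, not data from the report.

```python
"""Heuristic cryptominer triage over container process records (added example).

Not Aqua's or Team Nautilus' code. Process records, agent names and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed records in a "ps -eo args" style: (container, pid, argv).
# Note the miner on pid 104 has been renamed, so its name alone tells us nothing.
SAMPLE_PROCS = [
    ("web-frontend", 101, "nginx -g daemon off;"),
    ("web-frontend", 102, "/bin/sh -c setenforce 0"),                      # disables SELinux enforcement
    ("web-frontend", 103, "systemctl stop auditd"),                        # stops a security tool
    ("web-frontend", 104, "/tmp/.cache/sysupd -o stratum+tcp://pool.invalid:3333 -u 4WALLET --donate-level 0 -k"),
    ("batch-worker", 201, "python3 /app/etl.py --shard 3 --url https://api.internal/"),
    ("ci-runner", 301, "/usr/bin/xmrig --config=/etc/xmrig.json"),
]

MINER_NAME_RE = re.compile(r"\bxmrig\b", re.I)
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.I)
# Real xmrig options: -o/--url (pool), --donate-level, -k/--keepalive, --coin, --algo, --cpu-max-threads-hint.
XMRIG_FLAG_RE = re.compile(
    r"(?:^|\s)(?:--donate-level|--url\b|-o\s|--keepalive\b|-k\b|--coin\b|--algo\b|--cpu-max-threads-hint)"
)
HIDDEN_PATH_RE = re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/\.")
# Defence evasion (ATT&CK T1562-style): disabling MAC, firewalls or monitoring agents.
# The agent names are assumed examples; extend with whatever runs in your fleet.
EVASION_RE = re.compile(
    r"setenforce\s+0|ufw\s+disable|iptables\s+-F|"
    r"systemctl\s+(?:stop|disable)\s+\S*(?:falco|aqua|defender|clamd|auditd)",
    re.I,
)


def score_process(argv):
    """Return (score, reasons) for miner-like behaviour in one command line."""
    score, reasons = 0, []
    if MINER_NAME_RE.search(argv):
        score += 3
        reasons.append("known miner binary name")
    if STRATUM_RE.search(argv):
        score += 3
        reasons.append("stratum pool URL")
    flags = XMRIG_FLAG_RE.findall(argv)
    if flags:
        score += len(flags)                      # one flag alone (e.g. --url) is weak evidence
        reasons.append(f"{len(flags)} xmrig-style flag(s)")
    if HIDDEN_PATH_RE.search(argv):
        score += 1
        reasons.append("binary in hidden tmp path")
    return score, reasons


def evasion_indicator(argv):
    """Return the matched defence-evasion command fragment, or None."""
    m = EVASION_RE.search(argv)
    return m.group(0) if m else None


def triage(procs, threshold=3):
    """Group findings per container: {container: {'miners': [...], 'evasion': [...]}}."""
    findings = defaultdict(lambda: {"miners": [], "evasion": []})
    for container, pid, argv in procs:
        score, reasons = score_process(argv)
        if score >= threshold:
            findings[container]["miners"].append((pid, score, reasons))
        ev = evasion_indicator(argv)
        if ev:
            findings[container]["evasion"].append((pid, ev))
    return dict(findings)


def verdict(findings, container):
    """Combine miner and evasion evidence into a per-container verdict."""
    f = findings.get(container)
    if not f:
        return "clean"
    if f["miners"] and f["evasion"]:
        return "cryptojacking with defence evasion"
    if f["miners"]:
        return "cryptomining"
    return "defence evasion only"


if __name__ == "__main__":
    results = triage(SAMPLE_PROCS)
    for name in sorted({c for c, _, _ in SAMPLE_PROCS}):
        print(f"{name}: {verdict(results, name)} {results.get(name, '')}")
```

The point of scoring rather than matching a single string is the renamed binary on pid 104: it never says “xmrig”, but the stratum URL and the `-o`/`--donate-level`/`-k` option set give it away, while the legitimate `--url` on the batch worker stays under the threshold. In production the command lines would come from your runtime agent or `ps` inside each container rather than a constructed list.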
The researchers found more than $4,000 USD in the cryptowallets they analysed, with the potential for more than $35,000. Aqua cautioned that this data was ‘inaccurate and possibly biased’, since Monero is a highly anonymised cryptocurrency. “Although Bitcoin has better publicity than Monero, the last is preferred by the adversaries,” the report noted. “We speculate that they choose Monero since it is considered significantly more anonymous than Bitcoin.”
The report assessed that cryptomining remains a potentially financially rewarding endeavour. “Although we consider the balance that we extracted from XMR wallets as partial, it seems that cryptocurrency mining can be highly profitable,” it noted. “With a possible annual profit of almost $8,000 USD from just several wallets, these operations of dozens of wallets can yield a high profit of several hundreds of thousands of dollars.”
“The attacks we observed are a significant step up in attacks targeting cloud-native infrastructure,” said Idan Revivo, head of Team Nautilus at Aqua. “We expect a further increase in sophistication, the use of evasion techniques and diversity of the attack vectors and objectives, since the widespread use of cloud-native technologies makes them a more lucrative target for bad actors.”
Previous reports have noted the lucrative nature of Monero-based cryptominers. Yet a December 2018 study from Unit 42, the threat intelligence arm of Palo Alto Networks, found that significantly fewer of the organisations polled had experienced cryptojacking activity in their environments; part of the reason, at the time, was a decline in cryptocurrency values.
Separately, the US Internal Revenue Service (IRS) is offering a bounty of $625,000 to anyone who can crack Monero’s privacy protocols. As reported by Hot for Security, the IRS’s call for contractors seeks those who can assist in breaking Monero, other anonymity-enhanced cryptocurrencies, or Lightning and other Layer 2 off-chain cryptocurrency protocols.
You can read the full Aqua Security report here (email required).