Cloud systems and resources are the new battleground for crypto mining threat actors

Hong Kong: Malicious crypto mining threat groups have turned Cloud CPU into the new attack surface revealed a new report.

When it comes to cryptocurrency mining, like any other business, the cost of resources and profitability ratio has become very critical factor from the security and threat landscape perspective.

Malicious crypto-mining groups are engaged in a fierce, round-the-clock battle over cloud resources, which they use for cryptocurrency mining, according to the Trend Micro report. And this has turned the CPU in the cloud or simply the Cloud CPU into the new attack surface for malicious cryptocurrency mining groups.

“Just a few hours of compromise could result in profits for the perpetrators. That’s why we’re seeing a continuous fight for cloud CPU resources. It’s akin to a real-life capture-the-flag, with the victim’s cloud infrastructure the battleground,” said Stephen Hilt, Senior Threat Researcher – Trend Micro.

“Threats like this need joined-up, platform-based security to ensure the bad guys have nowhere to hide. The right platform will help teams map their attack surface, assess risk, and apply for the right protection without adding excessive overheads,” added Hilt.

Targetting the Cloud assets

Threat actors are increasingly scanning for and exploiting these exposed instances, as well as brute-forcing SecureShell (SSH) credentials, in order to compromise cloud assets for cryptocurrency mining, the report reveals.

These actors target cloud resources based on security gaps and vulnerabilities such as having outdated cloud software in the cloud environment, poor cloud security hygiene, or inadequate knowledge on how to secure cloud services.

That’s how the malicious actors exploit cloud infrastructure and assets to gain access to the systems.

Cloud computing investments have surged during the pandemic. However, the ease of deployment of these new assets has also left many cloud instances online for longer than needed—unpatched and misconfigured.

On one hand, this extra computing workload threatens to slow key user-facing services for victim organisations, as well as increase operating costs by up to 600% for every infected system.

Cryptocurrency mining can also be a precursor to more serious compromise. Many mature threat actors deploy mining software to generate additional revenue before online buyers purchase access for ransomware, data theft, and more.

The Trend Micro report details the activity of multiple threat actor groups in this space, including:

Outlaw, which compromises IoT devices and Linux cloud servers by exploiting known vulnerabilities or performing brute-force SSH attacks.

TeamTNT exploits vulnerable software to compromise hosts before stealing credentials for other services to help it move around to new hosts and abuse any misconfigured services.

Kinsing, which sets up an XMRig kit for mining Monero and kicks any other miners off a victim system.

8220 has been observed fighting Kinsing over the same resources. They frequently eject each other from a host and then install their own cryptocurrency miners.

Kek Security has been associated with IoT malware and running botnet services.