The marketing team was ecstatic: Their online campaign was an unqualified success, judging by the ever-increasing compute cycles being used by their cloud services provider. The campaign was built to take advantage of the scale the cloud offers, so as demand ramped up, so did the number of CPUs.
And then someone realized it was too good to be true.
“It turned out they were [unknowingly] running one of the largest cryptocurrency operations ever seen because they had not protected themselves,” recounts Robert Falzon, head of engineering at Check Point Software Canada. “That company was on the hook for hundreds of thousands of dollars in compute cycles that were fraudulently stolen from them.”
When most CISOs think about how their organizations might experience fraud, the list probably includes business email schemes, product refund scams, identity fraud and credit card abuse. They might not immediately think of an IT infrastructure con right under their noses stealing compute cycles for cryptomining.
Also called cryptojacking, it’s one of several frauds ITWorldCanada.com discussed with experts as Fraud Prevention Month comes to a close.
In fact, Falzon said, illegal cryptomining has been increasing this year because the price of bitcoin has been soaring since January.
“To save money, a lot of organizations are shifting their technology to cloud with the expectation that it has the same security controls as they might have in their data centre. That’s a huge problem,” said Falzon. “The fact is many businesses are not aware that the same security controls that exist in their local networks are not automatically available in the cloud. They’re not taking the same precautions as if this infrastructure was in their own data centre. So we’re seeing a spate of attacks on cloud infrastructure.”
Greg Young, vice-president of cybersecurity at Trend Micro, is seeing the same thing.
“Quite often, we see organizations not defending themselves against traditional ransomware, thinking they’re free from ransomware because their machines are locked up. But it turns out their machines have been exploited for some time. Two digits (per cent) of their Amazon bill can be attributed to cryptomining. It turns out they’re being mined, not ransomed. In fact, the loss is probably many factors more than what they would have lost if they had been ransomed.
“If you’re not asking for or using the tools to monitor your billing, that’s up to you,” he said.
He added that infrastructure-as-a-service providers ought to notice and alert customers of unusual usage patterns, although many don’t. “Unfortunately, it’s up to the customers to defend themselves.”
Taking advantage of unfamiliarity
Young said that hackers specializing in illegal cryptomining are taking advantage of infosec teams’ relative unfamiliarity with cloud security and billing. Secure cloud configurations, particularly with multi-factor authentication and access control, are one defence. Monitoring spending through billing ceilings is another.
“Security was often blind to issues of spending, but now we have to get involved in that.”
He also said CISOs have to monitor compute usage. If there’s a spike in a department that shouldn’t be seeing an increase, it’s a sign that an investigation is warranted.
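A minimal sketch of the spend monitoring Young describes, added here as an example and not taken from the article or any vendor tool: it flags days where a department's compute spend is a robust outlier against its trailing week, and projects month-end spend against a billing ceiling. The department names, dollar figures, ceilings and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample: daily compute spend (USD) per department tag, oldest first.
DAILY_SPEND = {
    "marketing":   [410, 395, 402, 420, 415, 398, 405, 1310, 2875],
    "engineering": [980, 1010, 995, 1200, 1150, 1020, 990, 1005, 1040],
    "finance":     [120, 118, 125, 119, 121, 117, 122, 120, 123],
}
# Assumed monthly billing ceilings (USD) agreed with each department.
MONTHLY_CEILING = {"marketing": 15000, "engineering": 40000, "finance": 5000}


def spike_days(series, baseline_days=7, threshold=3.5):
    """Indexes of days whose spend is an upward outlier vs. the trailing window.

    Uses the modified z-score (median and MAD) so that one hijacked day
    already inside the window does not hide the next one.
    """
    flagged = []
    for i in range(baseline_days, len(series)):
        window = series[i - baseline_days:i]
        med = median(window)
        mad = median(abs(x - med) for x in window) or 1.0  # avoid divide-by-zero
        if 0.6745 * (series[i] - med) / mad > threshold:
            flagged.append(i)
    return flagged


def projected_month_end(series, days_in_month=30):
    """Spend so far plus the latest day's run rate for the remaining days."""
    remaining = max(days_in_month - len(series), 0)
    return sum(series) + series[-1] * remaining


def review(spend=DAILY_SPEND, ceilings=MONTHLY_CEILING):
    """Return only the departments that need an investigation, with the reasons."""
    alerts = {}
    for dept, series in spend.items():
        spikes = spike_days(series)
        projected = projected_month_end(series)
        over = projected > ceilings[dept]
        if spikes or over:
            alerts[dept] = {"spike_days": spikes, "projected": projected,
                            "over_ceiling": over}
    return alerts


if __name__ == "__main__":
    for dept, info in review().items():
        print(dept, info)
```

In practice the per-department series would come from the provider's cost export grouped by a department tag, which assumes resources are tagged consistently.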
Cryptojacking has been on the rise for some time. In January, Palo Alto Networks released a report on a threat actor called the Rocke Group, responsible for installing malware researchers dub Pro-Ocean.
Pro-Ocean takes advantage of known vulnerabilities in Apache ActiveMQ, Oracle WebLogic and Redis to compromise cloud applications. It can uninstall monitoring agents to avoid detection. It also tries to remove other malware and miners. Once installed, the malware kills any process that uses the CPU heavily so that it’s able to use 100 per cent of the CPU and mine Monero efficiently.
In February, Palo Alto Networks researchers also reported on a new campaign from a threat group called TeamTNT that was targeting misconfigured Kubernetes clusters for cryptomining.
Earlier this year, Sophos detected a cryptomining scheme that takes advantage of databases to install the MrbMiner cryptominer. The report notes that database servers need higher performance than servers hosting other enterprise applications. As a result, they’re targets for cryptocurrency miners.
Microsoft warned in December that an unnamed nation-state has been running cyberespionage attacks since the summer that included deploying Monero coin-mining software.
One solution to cryptojacking may come from the U.S. Department of Energy, a big user of compute power and an organization that looks for ways to prevent its servers from being exploited. In February, the cryptocurrency news site Coindesk reported the department had created a cryptojacking detection algorithm that it wants the private sector to help commercialize.
More than cryptomining
Cryptomining isn’t the only type of fraud going around. In December, IBM detailed one of the most sophisticated fraud schemes it has seen, which involved mobile device emulators simulating smartphones logging into customers’ bank accounts. The unknown gang managed to steal millions of dollars from financial institutions in Europe and the U.S. within days.
The scam was able to bypass SMS codes used for two-factor authentication.
“We don’t know a lot of cybercriminal groups that have these abilities,” report co-author Limor Kessem, an executive security advisor at IBM Security, said in an interview.
“Every service provider now has to identify their customer, to figure out if they’re talking to the right person” in any channel, be it voice or email. “They can fail to stop fraud when they don’t have the right controls and processes in place.
“For example, a problem that costs banks about $6 billion a year is called synthetic identities. These usually start when a cybercriminal finds a social security number of a child or somebody without credit history and piles on other data to make it look like an identity – but it has just one valid detail,” Kessem explained.
If a transaction using that ID goes through, the identity becomes established in credit bureaus and banks, making it ready for use in more fraudulent activity.
An organization that doesn’t have a ‘know your customer’ process to figure out who they are dealing with is in trouble, she said. Sometimes the answer is process, Kessem added, while other times, it’s technology.
Asked how CISOs can help their organizations stop fraud, Kessem said she’s big on security awareness training. Far too often, she added, training is general and doesn’t relate to an employee’s role. She also said she’s heard from many people working from home due to the pandemic who say they haven’t had awareness training in a while.
Restricting access to sensitive data is another tactic, she said. It can limit the damage attackers can do if they manage to steal an employee’s credentials.
“Another thing that’s been astounding me over the years is how many companies don’t roll out multifactor authentication,” she added. These days organizations must impose other ways of authentication besides passwords alone.
“I’ve been hearing from customers that had it on their roadmap for the past seven to 10 years but haven’t rolled it out for a variety of reasons.”