Miners as a threat to cloud infrastructure | Kaspersky official blog

As our recent expert study shows, despite both the drop in price of many cryptocurrencies and the decision of one of the biggest cryptocoins — Ethereum — to move away from mining, malicious miners continue to threaten business. Companies that use cloud infrastructure are particularly at risk. We explore the dangers of mining and how to protect the computing resources of a company from it.

Mining is dead. Long live mining

Many predicted the end of the mining rush after Ethereum’s announcement it would move from confirming transactions using the proof-of-work method to the proof-of-stake model. Proof-of-work requires vast computing power, while proof-of-stake needs significantly fewer participants and resources to confirm a transaction — it’s several thousand times more efficient computationally. The abandonment of the proof-of-work concept, in theory, could have caused a significant decrease in mining’s popularity.

The long-awaited switch went ahead on September 15, and to some extent it did indeed hit mining’s popularity. For instance, the price of video cards used for mining Ethereum dipped sharply as they flooded the secondary market. Those engaged in legal mining began either to switch to mining other cryptocurrencies, to sell their computing systems, or to come up with other uses for them. However, this decline in activity does not extend to attackers who mine at others’ expense.

The fact is they were never all that focused on mining Ethereum — it was only their third most popular coin. Instead, they preferred to mine Monero, which guarantees total anonymity of transactions. To produce Monero, mining is still required, but video cards are not. This cryptocurrency is best mined on ordinary CPUs, which, unlike powerful GPUs, are found in any computer. The most powerful ones work in servers — naturally, they attract attackers most of all.

How miners threaten business

We’ve already talked about the trouble miners can cause for the average user:

  • High electricity bills
  • Sluggish performance caused by high load on the CPU and video card

It might seem like a storm in a teacup: many keep their computers on all the time anyway, and most users can put up with slowdowns. But for business the threats are far worse. Besides the above, unwanted cryptominers can lead to:

  • Accelerated wear and tear of equipment, causing premature failure (also true for private users, but hits business harder)
  • Increased load on company servers, which, just like a DDoS attack, can take services offline; unavailability or unstable operation of services means losses
  • Increased costs of maintaining cloud infrastructure; this, too, is no joke — when at the end of the month Amazon, Google, or Microsoft adds a zero to the bill, this plays havoc with the company’s balance sheet. According to a Google report, in 86% of cases of successful compromise of a Google Cloud Platform account, the attackers installed miners; at the same time, the costs of mining cryptocurrency in cloud infrastructure are on average 53 times higher than the payoff, which, of course, does not stop cybercriminals, since they do not bear the costs

Miners strike terror into infrastructure providers

Miner attacks pose the worst threat to companies that don’t just use cloud infrastructure, but supply clients with services based on the major providers’ clouds. And especially if they provide IaaS (Infrastructure-as-a-Service) or PaaS (Platform-as-a-Service).

The difference between such businesses and the rest is that they have to worry not only about malicious miners penetrating the infrastructure covertly, but also about regular, legitimate ones.

If a company provides infrastructure or a platform as a service, its clients have a certain degree of freedom in using that infrastructure or platform: they can generally use it as they please, including running various applications — among them miners.

It’s not uncommon for cybercriminals to create multiple accounts on such services all at once, and use these to run miners without letting them consume more resources than the service provides under a free account. Such an attack involving hundreds of accounts can place a monstrous load on the servers, bringing the service to its knees and massively increasing the company’s infrastructure outlays. What’s more, it can be harder for an infrastructure provider to detect such an attack than, say, a SaaS company, since it cannot always see all the processes run by clients due to its own privacy policy.

How business can deal with miners

It’s clear from the above that businesses cannot simply turn a blind eye to the threat of mining. Ideally, it should be prevented in the first place; but if not, it must be detected and stopped as soon as possible.

According to other data from Google, most cases of server compromise are due to weak passwords and insufficient access control. Hence, the focus should be on access to computing resources:

  • Set strong and unique passwords everywhere
  • Always enable two-factor authentication to access the resources of cloud providers (if the password is leaked or brute-forced, the attackers will not gain control over the account without the second factor)
  • Restrict access to infrastructure management — the fewer employees have high access privileges, the less likely access will be compromised
  • Use security solutions that detect suspicious activity on both physical devices and virtual machines

IaaS and PaaS providers, in addition to the above, should:

  • Have some means of monitoring user activity; if active processes cannot be monitored at the virtual machine level (which would allow identical scripts run by different users to be blocked), at least make sure that one and the same repository is not used by several different accounts
  • Have a well-tuned alert system for atypical activity, and engage experts who can respond quickly
  • Pay increased attention to the timely remediation of vulnerabilities in the software that runs the infrastructure or platform, as attackers can exploit them to break in and install miners
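As an added illustration of the cross-account checks recommended above for IaaS/PaaS providers (not code from the original post or from any provider), the following correlates constructed job records across tenant accounts: it flags repositories or entry-point scripts shared by many distinct accounts, and jobs that sit at near-full CPU for their whole free-tier allotment, then intersects the two signals. Field names, thresholds and the `example.invalid` repository URLs are assumptions.

```python
"""Correlate job records across tenant accounts to spot free-tier miner
farms: the same repository or script reused by many accounts, combined
with jobs that stay at near-100% CPU for their whole allotted time."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    account: str        # tenant account id
    repo: str           # source repository the job was launched from
    script_sha256: str  # hash of the entry-point script (constructed value)
    avg_cpu: float      # average CPU utilisation over the job, 0..1
    minutes: int        # wall-clock runtime in minutes


# Constructed sample records, not real telemetry. Accounts acc-01..acc-05
# all pull the same repo and script and burn the free tier's full hour.
JOBS = [
    Job(f"acc-{i:02d}", "git://example.invalid/ci-helper.git", "a1" * 32, 0.99, 60)
    for i in range(1, 6)
] + [
    Job("acc-42", "git://example.invalid/webapp.git", "b2" * 32, 0.35, 12),
    Job("acc-43", "git://example.invalid/webapp.git", "c3" * 32, 0.20, 5),
]


def shared_artifacts(jobs, min_accounts=3):
    """Return {(kind, artifact): sorted accounts} for repos and scripts
    used by at least `min_accounts` distinct accounts."""
    users = defaultdict(set)
    for j in jobs:
        users[("repo", j.repo)].add(j.account)
        users[("script", j.script_sha256)].add(j.account)
    return {k: sorted(v) for k, v in users.items() if len(v) >= min_accounts}


def cpu_saturated(jobs, cpu=0.9, minutes=30):
    """Accounts whose job stayed above `cpu` utilisation for at least
    `minutes`; ordinary builds rarely pin every core for the whole quota."""
    return [j.account for j in jobs if j.avg_cpu >= cpu and j.minutes >= minutes]


def suspicious_accounts(jobs):
    """Accounts flagged by both signals: shared artifact AND saturated CPU."""
    shared = {a for accts in shared_artifacts(jobs).values() for a in accts}
    return sorted(shared & set(cpu_saturated(jobs)))


if __name__ == "__main__":
    for (kind, artifact), accts in shared_artifacts(JOBS).items():
        print(f"{kind} {artifact[:24]}... used by {len(accts)} accounts")
    print("suspicious:", suspicious_accounts(JOBS))
```

Requiring both signals keeps a popular open-source repository (many accounts, modest CPU) from being flagged on its own.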