Cryptomining groups fight fiercely for cloud resources

Cryptocurrency mining groups that typically have targeted on-premises servers are now competing fiercely for servers in the cloud.

In a report this week, Trend Micro revealed that, while the seemingly infinite scalability of the cloud makes it attractive for cryptomining, the resources are still relatively limited – which means miscreants not only have to spar with security specialists but also must take on rival gangs.

"The battle to take and retain control over a victim's server is a major driving force for the evolution of these groups' tools and techniques, prompting them to constantly improve their ability to remove competitors from compromised systems and, at the same time, resist their own removal," Trend Micro researchers wrote in a blog post this week.

Such threat groups have long fed off the compute power of GPUs in on-premises systems. However, in recent months they have looked to the cloud to run their malicious operations.

"While GPU-based mining remains the preferred method for most legitimate cryptocurrency miners because of its higher profitability, the scalability of the cloud allows CPU-based mining to become profitable, especially when attackers manage to compromise a large number of cloud-connected machines," the Trend researchers argued.

Once in the cloud, they need to protect their territory and try to expand into that of their peers while fending off incursions from their rivals. To do this, they deploy such techniques such as kill scripts to delete competing cryptominers, and strengthen their obfuscation capabilities and persistence mechanisms, making themselves more difficult to detect and remove.

"Some groups avoid the competition altogether by focusing on different aspects of the system, which results in less crossover between rival groups," the researchers observed.

It's not going away

It's a trend that's gathering steam. In a report issued in November 2021, Google's Cybersecurity Action Team warned cryptomining gangs were exploiting compromised Google Cloud accounts.

And a month earlier, researchers with Ikarus Security put out a similar warning. In February, Google Cloud unveiled Virtual Machine Threat Detection to help detect cryptomining attacks in virtual machines.

While cryptomining may seem relatively innocuous at a time when ransomware and distributed denial-of-service (DDoS) are running rampant and potential cyberthreats spilling out of Russia's invasion of Ukraine are capturing a lot of attention, these threat groups get into the cloud systems the way ransomware and other gangs do – making them potential harbingers of more dangerous attacks to come, according to the researchers.

• Mutating Verblecon malware in illicit cryptomining ... so far
• Thailand bans use of crypto for payments
• Cybercriminals made $7bn in pure profit in 2021, says FBI
• Intel targets cryptocurrency mining, networks, and more with Agilex M-Series FPGAs

"The presence of a cryptocurrency miner in a company's system also serves as a sign that there are deeper issues in the cloud infrastructure," they wrote.

"At first glance, a cryptocurrency-mining attack might not seem as serious a threat as data exfiltration or a ransomware infection. But the method with which malicious actors enter a target's system is practically the same: They exploit a flaw or weakness that the organization's security implementation does not or cannot cover."

That said, there are real financial consequences if a threat group gets into an enterprise's cloud infrastructure and consumes resources for which the company eventually has to pay. Cryptominers use the computing power in systems run by organizations or individuals to mine cryptocurrency and for the most part, the malware runs in the background, though it can be felt in a slowdown of performance and, eventually, in the cost of the power that is being used.

The appliance of science

As an experiment, Trend Micro engineers deployed XMRig – which mines Monero – on one of the vendor's systems. What they saw was a sharp spike in the CPU utilization rate, which jumped from an average of 13 per cent to 100 per cent.

For a single cloud instance, such a steep increase in utilization would translate to a rise in electricity costs from $20 to $130 a month. With organizations typically leveraging large numbers of instances, that would translate to significant electricity costs and slow down a company's online services, which could damage them financially, hurt their reputation among customers and reduce revenues.

The Trend Micro researchers also said companies shouldn't view a cryptomining attack as a singular cybersecurity event – because it indicates problems in a company's security posture that could be exploited by other threat groups.

"Cryptocurrency mining groups enter cloud deployments through similar methods, typically through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation," they warned. 

That said, each group has its own tools and techniques and, for the most part, looks to avoid the attention of cybsecurity researchers and the public. A group called "Outlaw" continues to operate as it always had, getting into a targeted system by exploiting weaknesses in Internet of Things (IoT) devices and Linux servers or through Secure Shell (SSH) brute force attacks.

Like Outlaw, groups like "Kinsing" and "8220" also try to remain under the radar, despite being among the most active groups Trend Micro analyzed, with at least 1,000 beacons a month reaching their servers. Meanwhile, the group "TeamTNT" usually exploits vulnerable software services to get entrance into the target server and steals credentials for other services before moving on to other hosts. It also is active on social media, interacting with the pubic and security researchers.

The vendor also noted "Kek Security" – a new group with an Internet Relay Chat (IRC) malware called "Necro". The malware, written in Python, includes not only cryptocurrency mining capabilities but also DDoS functionality. The group will integrate new exploits into its malware and target Windows-based platforms.

"Cloud-based cryptocurrency miners will stay and continue to evolve as they battle both security professionals and one another," the researchers wrote. "Therefore, it is imperative for organizations to stay ahead of the game by knowing more about the threats they could face in the cloud." ®