
Shield Cloud Resources from Cryptojacking Threat Actors with AccuKnox

by Barun | April 15, 2024

This blog covers cryptojacking, the unauthorized use of someone else’s computing resources for cryptocurrency mining, and how AccuKnox helps you defend against it.


Cryptojacking – A Stealthy Threat

Cryptojacking, the unauthorized use of someone else’s computing resources for cryptocurrency mining, is a silent but rapidly growing menace. As digital currencies gain mainstream acceptance, cybercriminals are capitalizing on this opportunity to hijack your devices and infrastructure for their nefarious mining operations.

The Cryptocurrency Landscape

  • Global Acceptance – Countries like Australia and Japan have recognized cryptocurrencies as legal payment methods.
  • Diverse Offerings – Beyond bitcoin, currencies like Ethereum, Litecoin, Dogecoin, and Monero have emerged.

Cryptojacking Explained

How Cryptojacking Works

  1. Legitimate Mining. Involves solving complex cryptographic problems to release new cryptocurrency units.
  2. Resource Theft. Cybercriminals steal computing resources, reducing their costs by exploiting devices, servers, and cloud infrastructure.
  3. Attack Methods. Various hacking techniques, such as malware distribution, vulnerability exploitation, and supply chain attacks, are used to access systems and run illicit mining operations.

Popular Attack Methods

  • Endpoint Attacks. Malware is delivered through phishing, fileless malware, or embedded scripts on compromised websites.
  • Server and Network Attacks. Exploiting vulnerabilities in servers and network devices exposed to the public internet.
  • Software Supply Chain Attacks. Embedding cryptojacking scripts in open-source code repositories and software dependencies.
  • Cloud Infrastructure Exploitation. Abusing cloud services and resources to scale mining operations and evade detection.

Real-World Cryptojacking Examples

  • 🐕 WatchDog targets Docker Engine API and Redis servers.
  • ☁️ TeamTNT and the Kinsing gang focus on cloud-oriented services like Alibaba ECS instances.
  • 🕷️ Log4Shell vulnerability exploited for attacking VMware Horizon servers.
  • 📦 Supply chain attacks via compromised npm libraries.
  • 🇷🇴 Romanian attackers target Linux machines with Monero mining malware.
  • 🕵️ CoinStomp employs sophisticated evasion tactics.
  • 🏭 Discovery of a cryptomining farm in a disguised warehouse.

Statistics and Trends

Various devices, including Windows systems, Macintosh OSes, Ubuntu OS, routers, and IoT devices, were involved in unauthorized bitcoin mining.

60% of the clusters were actively under attack by cryptominers.

Year               | Number of Cryptojacking Attacks
2023 (First Half)  | 332 million
2022               | 140 million
2021               | 97.1 million
2020               | 66.7 million
2019               | 51.6 million

The table above shows the rapid growth of cryptojacking attacks in recent years. As scaling companies and DevSecOps engineers, you must recognize the urgency of implementing robust security measures. 4,894 bitcoin miners triggered over 460,259 mining activities, with 20% initiating web and network-based attacks. 

Cryptocurrency-Mining Malware

Types of Malware – Cybercriminals exploit the profitability and anonymity of cryptocurrencies through malware, turning systems into mining machines. Notable malware includes:

  • Adylkuzz
  • CPUMiner/EternalMiner
  • Linux.MulDrop.14

These malware varieties exploit vulnerabilities like EternalBlue and SambaCry.

Attack Vectors

  • Malware-laden emails
  • Malicious URLs
  • Software vulnerabilities
  • Exploiting compromised environments

According to the Threat Horizons report, attackers often download mining software within 22 seconds of compromising a system. That speed calls for tooling that can deal with lightning-fast attacks.

Cryptojacking in the Age of AI – Current Tooling Falls Short

Imagine training a cutting-edge AI model, only to have its processing power secretly hijacked for cryptocurrency mining. That’s the sneaky threat of cryptojacking in AI environments. The problem? Traditional anomaly detection struggles. Separating the legitimate hum of AI tasks from the malicious whispers of crypto mining is difficult. Imagine a high-powered graphics card (GPU) used for image recognition – cryptojackers can piggyback on its resources, slowing down training and impacting accuracy.

This lack of clear differentiation throws a wrench into ML-based detection. Popular frameworks like Kubeflow and TensorFlow pipelines, crucial for building and deploying AI, are vulnerable. Existing solutions might also cripple AI performance with their heavy monitoring, making them a double-edged sword. The impact is clear: compromised projects, wasted resources, and potentially skewed results. We need smarter solutions to secure the future.

Impact and Threats of Cryptojacking

Performance Degradation – Cryptocurrency-mining malware significantly affects system performance, causing systems to slow down, lag, or become unresponsive.

Hardware Damage and Power Consumption

  • Increased wear and tear, leading to potential hardware failures.
  • Additional power consumption, driving up utility costs.

Web and Network-based Attacks – Infections can lead to web and network-based attacks, impacting the availability, integrity, and security of networks and systems.

IoT Device Vulnerabilities – Internet of Things (IoT) devices, including routers, cameras, and smart TVs, are increasingly targeted, further expanding the threat landscape.

The impact of cryptojacking extends beyond performance issues, posing significant risks to hardware, energy consumption, network security, and the rapidly growing IoT ecosystem.

Common Traits of Kubernetes-Based Cryptominers

  • One of the most prominent traits observed in Kubernetes-based cryptominers is their preference for DaemonSet deployments. Attackers ensure that at most one mining pod is installed per node, preventing their mining executions from interfering with each other. This strategic approach maximizes resource utilization and mining efficiency.
  • Use of the /tmp/ folder for loading and executing mining tools. This temporary directory is often allowed write access because many applications write temporary files there, making it an attractive target for cryptominers to deploy their malicious payloads.
  • Network connectivity is essential for cryptominers to synchronize with mining pools and send mining results. These tools require the ability to load ledgers from the internet, necessitating some form of network access or synchronization mechanism.
  • For widespread propagation, cryptominers exploit privileged access or cluster-admin roles, granting them the ability to spread their malicious payloads across the entire Kubernetes cluster.
  • Popular mining software like xmrig is common, as its widespread adoption and familiarity make it a go-to choice for cybercriminals. Internet-accessible systems are prime targets, providing an entry point for initial exploitation and subsequent mining operations.
  • Time synchronization is a critical aspect of cryptomining, as mining software relies on accurate time coordination. Pre-installed tools like ntpdate ensure precise time synchronization.
  • In some cases, cryptominers may require privileged permissions to execute their payloads effectively, further emphasizing the need for robust security measures.
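The traits above can be checked statically before a workload is admitted. The auditor below is an added example, not AccuKnox or KubeArmor code: the manifests are constructed, and the trait names and the reporting threshold of three traits are assumptions made for illustration.

```python
import re

# Tool names taken from the traits list and the policy template on this page.
MINER_TOOLS = {"xmrig", "dero", "dero-miner-linux-amd64", "derod-linux-amd64", "ntpdate"}
WORKLOAD_KINDS = ("Pod", "DaemonSet", "Deployment", "StatefulSet", "Job")

def pod_spec(m):
    """Pod spec of a Pod, or of a templated workload such as a DaemonSet."""
    spec = m.get("spec", {})
    return spec if m.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def cluster_admin_accounts(manifests):
    """(namespace, name) of every ServiceAccount bound to cluster-admin."""
    bound = set()
    for m in manifests:
        if m.get("kind") == "ClusterRoleBinding" and m.get("roleRef", {}).get("name") == "cluster-admin":
            for s in m.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    bound.add((s.get("namespace", "default"), s["name"]))
    return bound

def traits(m, admins=frozenset()):
    """Set of cryptominer traits that one workload manifest exhibits."""
    found, spec = set(), pod_spec(m)
    ns = m.get("metadata", {}).get("namespace", "default")
    if m.get("kind") == "DaemonSet":
        found.add("daemonset")  # one pod scheduled per node
    if (ns, spec.get("serviceAccountName", "default")) in admins:
        found.add("cluster-admin")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.add("privileged")
        # /tmp is writable if the root filesystem is writable OR a writable
        # volume is mounted there, even with readOnlyRootFilesystem set.
        tmp_mount = any(v.get("mountPath", "").rstrip("/") == "/tmp" and not v.get("readOnly")
                        for v in c.get("volumeMounts", []))
        if tmp_mount or not sc.get("readOnlyRootFilesystem"):
            found.add("writable-tmp")
        for word in c.get("command", []) + c.get("args", []):
            for token in re.split(r"[\s;&|]+", word):  # also splits `sh -c "..."` strings
                if token.startswith("/tmp/"):
                    found.add("tmp-path-in-command")
                if token.rsplit("/", 1)[-1] in MINER_TOOLS:
                    found.add("miner-tool")
    return found

def audit(manifests, threshold=3):
    """Report workloads that name a miner tool or combine `threshold` traits."""
    admins = cluster_admin_accounts(manifests)
    report = {}
    for m in manifests:
        if m.get("kind") in WORKLOAD_KINDS:
            t = traits(m, admins)
            if "miner-tool" in t or len(t) >= threshold:
                report[m["metadata"]["name"]] = sorted(t)
    return report

# Constructed sample manifests (already parsed from YAML into dicts).
MANIFESTS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "helper-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "helper", "namespace": "default"}]},
    {"kind": "DaemonSet", "metadata": {"name": "node-helper"},
     "spec": {"template": {"spec": {"serviceAccountName": "helper", "containers": [
         {"name": "c", "image": "registry.example.invalid/helper:1",
          "command": ["sh", "-c", "/tmp/xmrig"],
          "securityContext": {"privileged": True}}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "log-agent"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "agent", "image": "registry.example.invalid/agent:1",
          "command": ["/usr/bin/agent"],
          "securityContext": {"readOnlyRootFilesystem": True}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "registry.example.invalid/web:1",
          "command": ["/usr/bin/web"],
          "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
          "securityContext": {"readOnlyRootFilesystem": True}}]}}}},
]

if __name__ == "__main__":
    for name, found in audit(MANIFESTS).items():
        print(name, found)
```

A DaemonSet or a writable /tmp on its own is normal; the report only fires on the combination, which is why the benign `log-agent` and `web` workloads are not listed.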

Emerging Cryptojacking Campaigns

Cybersecurity researchers have discovered a novel Dero cryptojacking operation targeting Kubernetes clusters, a shift from Monero for potentially larger rewards. The attacks involve scanning for Kubernetes clusters with anonymous access and deploying initial payloads from three U.S.-based IP addresses. Microsoft has warned of a Chinese hacking group, 8220, updating their malware tools for crypto mining on Linux servers. The group, active since early 2017, targeted i686 and x86_64 Linux systems using exploits for Atlassian Confluence Server and Oracle WebLogic. The attacker, likely affiliated with the 8220 Gang, employs an IP filter for targeted attacks and uses a mining proxy technique. Silentbob, another prominent threat, targets cloud-native environments using an aggressive cloud worm on vulnerable JupyterLab and Docker APIs.

Cryptojacking Protection with AccuKnox and KubeArmor

To effectively combat the growing menace of cryptojacking, AccuKnox takes a multi-layered security approach tailored to your organization’s Kubernetes environments. Our Cloud Native Application Protection Platform (CNAPP) is a powerful combination of tools and features for end-to-end protection against such malicious mining activities.

KubeArmor policy template for preventing cryptominer execution

KubeArmor empowers DevSecOps teams to create and enforce granular security policies that prevent the execution of known crypto-mining software within their Kubernetes clusters. The provided policy template demonstrates how KubeArmor can block the execution of popular mining tools like xmrig, Dero miner, and PwnRig miner, effectively thwarting cryptojacking attempts before they take hold.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: prevent-crypto-miners
spec:
  selector:
    matchLabels:
      app: wordpress
  message: cryptominer detected and blocked
  severity: 2
  action: Block
  tags: ["cryptominer", "fim"]
  process:
    matchDirectories:
      # do not allow execution of binaries from /tmp/ folder
      - dir: /tmp/
        recursive: true
    matchPaths:
      # do not allow execution of xmrig (
      - execname: xmrig
      # prevent execution of Dero miner
      - execname: dero
      - execname: dero-miner-linux-amd64
      - execname: dero-wallet-cli-linux-amd64
      - execname: derod-linux-amd64
      # do not allow execution of masscan/zgrab2/nmap used for recon
      - execname: zgrab2
      - execname: masscan
      - execname: nmap
      # do not allow package management tools execution
      # execname allows to bloc
      - execname: apt
      - execname: apk
      # time sync is important for miners. typically ntpdate is used.
      - execname: ntpdate
  file:
    matchDirectories:
      # Do not allow overwriting system binaries
      - dir: /usr/local/bin/
        readOnly: true
        recursive: true
      - dir: /sbin/
        readOnly: true
        recursive: true
      - dir: /bin/
        readOnly: true
        recursive: true
      - dir: /usr/bin/
        readOnly: true
        recursive: true
      - dir: /var/local/bin/
        readOnly: true
        recursive: true
      - dir: /boot/
        readOnly: true
        recursive: true

This policy template not only blocks the execution of known mining software but also prevents other malicious activities commonly associated with cryptojacking attacks, such as reconnaissance tools like masscan, zgrab2, and nmap. Additionally, it restricts the execution of binaries from the /tmp/ folder, a common tactic used by cryptominers to deploy and run their malicious payloads.

AccuKnox Differentiators to Thwart Cryptojackers

  • Multi-Layer defence for Cryptominers – works across K8s, Containers, Networks, Applications
  • Not just detection but preemptive mitigation
  • Negligible runtime performance impact
  • No dependency on ML algorithms
  • Simple/Scalable deployment model
  • Prevents cryptominers on k8s, containers and Virtual Machines

Defending Against Emerging Cryptojacking Threats with KubeArmor

Prevent unauthorized access by blocking network, process execution, and file access from unknown binaries with our Zero-Trust driven CNAPP featuring least-permissive YAML policies. This proactive approach reduces the risk of harmful binaries installation and execution in Kubernetes clusters. AccuKnox and KubeArmor’s defenses against new cryptojacking threats counter evolving fraudster strategies. Insights reveal common characteristics of Kubernetes-based cryptominers: dynamic downloading, accessory tooling execution, DaemonSets deployment, and network connectivity for synchronization. We also employ an LLM-based interface to detect cryptomining based on recurring patterns and behaviors. Leverage this to your benefit so you don’t have to rely solely on predefined rules or signatures.

In the face of these evolving cryptojacking threats, KubeArmor emerges as a powerful security tool for protecting Kubernetes environments. Security professionals may easily block the execution of known crypto mining software within their Kubernetes clusters by using KubeArmor’s granular security settings to their benefit. For instance, KubeArmor can be configured to block the execution of specific miner binaries, such as those associated with the Dero miner campaign. This targeted approach not only stops the execution of the mining software but also prevents the use of tools like ntpdate, which are commonly employed by miners for time synchronization.

# Targeted KubeArmor Policy for Dero Miner
# (entries for the policy's spec.process.matchPaths list)
- execname: dero-miner-linux-amd64
- execname: dero-wallet-cli-linux-amd64
- execname: derod-linux-amd64
- path: /usr/sbin/ntpdate

PwnRig miner

Microsoft warns of a Chinese hacking group, 8220, updating malware tools for crypto mining on Linux servers. The group, active since early 2017 and linked to Monero mining, recently targeted i686 and x86_64 Linux systems using exploits for Atlassian Confluence Server and Oracle WebLogic. The attacks deploy a PwnRig miner and an IRC bot, employing evasion tactics like log erasure and disabling cloud monitoring. The malware achieves persistence via a cron job and spreads through SSH servers using tools like ‘masscan’ and ‘spirit.’ Akamai notes a surge in exploitation attempts on the Atlassian Confluence flaw, mostly originating from the U.S. The attacks heavily impact commerce (38%), high-tech, and financial services, constituting over 75% of the activity. Akamai warns of a sustained exploitation trend for CVE-2022-26134 in the coming years.

Attackers affiliated with the 8220 Gang employ an IP filter for targeted attacks and use a mining proxy technique. Previous campaigns used an IP list filter, suggesting a more focused approach. Attribution is moderate, linking the campaign to the 8220 Gang based on past activities and infrastructure reuse. Estimated victims range from 1500 to 2000 hosts, with potential significant mining income from a 2000-worker botnet. 

How AccuKnox policy rules protect against these types of attacks

  • Disallow execution of code from the /tmp/ folder
    • PwnRig downloads the malware loader dynamically from the Internet, places it in /tmp/, and executes it from there.
  • Disallow “Tsunami IRC bot”
  • Disallow execution of package management tools
    • PwnRig installs masscan dynamically to scan for exposed Docker APIs

TeamTNT Silentbob

Silentbob, a cyber attack campaign, actively targets cloud-native environments using an aggressive cloud worm on vulnerable JupyterLab and Docker APIs. Associated with TeamTNT, the campaign discovered four malicious container images exploiting Docker and Jupyter Lab instances, promptly removed by Docker. The infected container executes a cryptocurrency miner and downloads additional binaries, potentially Tsunami malware. The strategy involves identifying misconfigured servers (Docker API or JupyterLab) and spreading malware across 51 exploited servers. The secondary payload includes a crypto miner and a backdoor with Tsunami malware, showcasing the multifaceted threat. Live manual attacks use masscan to scan for exposed Docker APIs, revealing sophisticated tactics.

How AccuKnox policy rules protect against these types of attacks

How To Stop DDoS Attacks | TNTBotinger & Cryptojacking Protection

Detecting Cryptojacking

Network Monitoring – Monitor network traffic for suspicious patterns, such as outbound connections to known cryptocurrency mining pools or command-and-control (C2) servers. Configure network intrusion detection and prevention systems (IDS/IPS) to alert on potential cryptojacking activities. Detecting a compromised system connecting to Monero mining pools could indicate the presence of cryptojacking malware.

Threat Hunting – Conduct regular threat-hunting exercises to proactively identify subtle signs of compromise or malicious activities related to cryptojacking. Analyze system logs, network traffic, process behaviors, and other telemetry data for indicators of cryptojacking infections. Discovering a suspicious process running from the /tmp directory or unauthorized changes to system binaries could indicate a cryptojacking malware infection.
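A threat-hunting pass of this kind, as an added example (not AccuKnox or KubeArmor code): it applies the rule values from the policy template earlier on this page to runtime telemetry and correlates hits per process. The event schema, the sample events and the pool host `pool.example.invalid` are constructed assumptions.

```python
import posixpath
from collections import defaultdict

# Rule values copied from the KubeArmor policy template on this page.
EXEC_DIRS = ("/tmp/",)
EXECNAMES = {"xmrig", "dero", "dero-miner-linux-amd64", "dero-wallet-cli-linux-amd64",
             "derod-linux-amd64", "zgrab2", "masscan", "nmap", "apt", "apk", "ntpdate"}
READONLY_DIRS = ("/usr/local/bin/", "/sbin/", "/bin/", "/usr/bin/",
                 "/var/local/bin/", "/boot/")
# Assumption: the operator supplies a mining-pool blocklist; this host is a placeholder.
POOL_HOSTS = {"pool.example.invalid"}

def under(path, dirs):
    """True if path resolves below one of dirs; normalising first means
    '/var/www/../../tmp/x' is still recognised as a /tmp/ path."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(d) for d in dirs)

def classify(ev):
    """Names of the rules that a single telemetry event matches."""
    hits = []
    if ev["type"] == "exec":
        if under(ev["path"], EXEC_DIRS):
            hits.append("exec-from-tmp")
        if posixpath.basename(ev["path"]) in EXECNAMES:
            hits.append("blocked-execname")
    elif ev["type"] == "write" and under(ev["path"], READONLY_DIRS):
        hits.append("system-binary-write")
    elif ev["type"] == "connect" and ev["dest"] in POOL_HOSTS:
        hits.append("mining-pool-connect")
    return hits

def hunt(events):
    """Group rule hits by (host, pid). A process that matched an exec rule and
    then contacted a listed pool is marked 'miner-suspected'; any other hit is
    left for analyst review."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_proc[(ev["host"], ev["pid"])].extend(classify(ev))
    report = {}
    for key, rules in per_proc.items():
        if not rules:
            continue
        execd = "exec-from-tmp" in rules or "blocked-execname" in rules
        pooled = "mining-pool-connect" in rules
        report[key] = {"rules": rules,
                       "verdict": "miner-suspected" if execd and pooled else "review"}
    return report

# Constructed sample telemetry: ts is seconds since the start of the capture.
EVENTS = [
    {"ts": 100, "host": "node-a", "pid": 4110, "type": "exec", "path": "/usr/bin/curl"},
    {"ts": 103, "host": "node-a", "pid": 4117, "type": "exec",
     "path": "/var/www/../../tmp/.x/xmrig"},
    {"ts": 104, "host": "node-a", "pid": 4117, "type": "connect",
     "dest": "pool.example.invalid"},
    {"ts": 110, "host": "node-a", "pid": 4120, "type": "exec", "path": "/usr/sbin/ntpdate"},
    {"ts": 120, "host": "node-b", "pid": 900, "type": "write", "path": "/usr/bin/ps"},
    {"ts": 130, "host": "node-b", "pid": 901, "type": "write", "path": "/var/log/app.log"},
    {"ts": 131, "host": "node-b", "pid": 902, "type": "connect",
     "dest": "api.example.invalid"},
]

if __name__ == "__main__":
    for (host, pid), result in hunt(EVENTS).items():
        print(host, pid, result["verdict"], result["rules"])
```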

The Logs summary in AccuKnox displays a complete list of log events that have occurred within the infrastructure during a defined timeline.

Preventing Crypto Jacking with AccuKnox

Not just detection but prevention:

  • KubeArmor developed by AccuKnox supports preemptive mitigation.
  • LSM (particularly BPF-LSM) is the primary policy enforcement primitive.

KubeArmor allows controlled access to workloads

  1. Process-based network control: Only whitelisted processes are allowed to use network primitives
  2. Process Whitelisting
  3. Process-based sensitive access control

AccuKnox Enterprise solution identifies the rule sets automatically tailored for workloads. AccuKnox Zero Trust KubeArmor policy provides out-of-the-box prevention for all cryptomining attacks. We also provide specific hardening policies to prevent cryptomining attacks.

Securing Cloud and Container Environments – Implement robust monitoring and security measures for your cloud and container environments, as they provide ample compute resources attractive to cryptojackers. Opt for software composition analysis tools to identify and mitigate supply chain risks from compromised dependencies or containers. For instance, the TeamTNT group targeted misconfigured Kubernetes clusters and cloud services for cryptojacking operations.

AccuKnox allows granular control and the ability to restrict the behavior of containers and nodes (VMs) at the system level. Traditional container security solutions protect containers by determining their inter-container relations (i.e., service flows) at the network level. In contrast, AccuKnox prevents malicious or unknown behaviors in containers by specifying their desired actions (e.g., a specific process should only be allowed to access a sensitive file, process, or network). AccuKnox also allows operators to restrict the behaviors of nodes (VMs) based on node identities.

  1. Full lifecycle container security management
  2. Combines Static and Run-time Security
  3. Automated Continuous compliance & governance against CIS, PCI, NIST, MITRE
  4. Detailed Auditing and Container Forensics powered by eBPF

Software Supply Chain Security – Establish secure software supply chain practices, including code analysis, vulnerability scanning, and verification of third-party dependencies. Implement software integrity controls, such as code signing and binary authorization, to prevent tampering and unauthorized code execution. Malicious npm packages like “getcookies” and “ua-parser-js” were found injecting cryptojacking scripts into applications, highlighting the importance of supply chain security.

Account and Credential Management – Configure multi-factor authentication (MFA) for all user accounts, restricting access and implementing least privilege policies. Regularly monitor and audit user accounts and groups, ensuring proper offboarding procedures to revoke access for terminated employees or contractors. Leaked or weak credentials provide attackers with unauthorized access to systems for deploying cryptojacking malware.

Web Application Firewall (WAF) Configuration – Configure a Web Application Firewall (WAF) like Google Cloud Armor to mitigate Layer 7 vulnerabilities that could be used for delivering cryptojacking scripts. Address specific vulnerabilities, such as Apache Log4j, by deploying custom WAF rules to block potential exploitation. Compromised websites usually deliver obfuscated cryptojacking scripts to visitors’ browsers, hijacking their CPU resources.

Supply Chain Security Measures – Add continuous integration and delivery (CI/CD) pipelines with Binary Authorization to ensure only signed and verified images are deployed. Shift left on security by performing code analysis, vulnerability scanning, and monitoring the CI/CD pipeline for potential malicious attacks or compromises. Malicious code or dependencies injected into open-source repositories may lead to supply chain attacks, including cryptojacking payloads.

Secrets and Key Management – Rotate encryption keys regularly and avoid downloading or storing secrets on local systems, where they can be exposed to cryptojackers. Use secure solutions like Google Secret Manager or HashiCorp Vault for storing and managing secrets and encryption keys. Implement anomaly detection through monitoring tools and set up alerts for suspicious activities, such as unauthorized access to secrets or key material. Compromised encryption keys or secrets could allow attackers to access sensitive data or resources for cryptojacking operations.

Cryptomining Protection Program – If you are a Google Cloud Security Command Center Premium customer, try joining the Cryptomining Protection Program to offset VM costs related to undetected cryptojacking attacks. The program provides financial compensation for the compute resources consumed by cryptominers. This may encourage customers to proactively detect and mitigate a variety of threats.

Reducing Internet Exposure – Restrict external traffic and avoid assigning external IP addresses to virtual machines (VMs) or containers, where possible. Implement zero trust security principles with BeyondCorp Enterprise to enhance threat and data protection, even for internet-exposed resources. Public-facing servers and services are most targeted by attackers for cryptojacking if not properly secured.

Securing Compute Resources – Implement secure VM images using Shielded VM and trusted image policies to ensure integrity and prevent tampering. Secure SSH access, restrict service accounts, and monitor their usage to prevent unauthorized access and resource abuse. Regularly monitor and patch VMs and containers to prevent vulnerabilities that could be exploited for cryptojacking. Unpatched VMware Horizon servers were targeted by attackers exploiting the Log4Shell vulnerability for cryptojacking, highlighting the importance of timely patching.

Endpoint Protection and Patching – Deploy strong endpoint protection and anti-malware solutions to detect and prevent cryptojacking malware from infecting your systems. Regularly patch and update all software, operating systems, and applications to address known vulnerabilities that could be exploited for cryptojacking attacks. For example, WannaCry ransomware leveraged the EternalBlue vulnerability in unpatched Windows systems, which could also be used for cryptojacking.

Responding to Cryptojacking Incidents

Incident Response Plan – Develop and maintain a comprehensive incident response plan with detailed guidance on identifying, containing, eradicating, and recovering from cryptocurrency mining attacks. Define clear roles, responsibilities, and communication channels for swift and coordinated response efforts. Having a well-defined incident response plan will help to quickly isolate and remediate a cryptojacking incident, minimizing the impact on your systems and operations.

Shutting Down Compromised Resources – Upon detecting a cryptojacking attack, immediately kill any web-delivered scripts or processes associated with the malicious activity. Shut down compromised container instances, virtual machines, or other affected resources to prevent further resource abuse and potential lateral movement. If a server is found running unauthorized cryptocurrency mining software, it should be immediately isolated and taken offline for thorough investigation and remediation.

Permissions and Key Management – Reduce permissions and regenerate API keys, credentials, or certificates that may have been compromised during the cryptojacking attack. Review and revoke any suspicious or unnecessary permissions granted to compromised accounts or services. If an attacker gains access to service accounts with broad permissions, rotating those credentials and limiting their scope can prevent further exploitation.

Conclusion | AccuKnox Zero Trust Protection

Most of the cryptominers deploy binaries in the /tmp/ folder and execute from there. A common way to prevent any current and future crypto mining attacks would be to use KubeArmor Zero Trust policies which essentially limit any unauthorized access by network primitives, process-exec primitives, and file-access primitives by any unknown binaries. AccuKnox is powered by KubeArmor, a runtime Kubernetes security engine. It uses eBPF and Linux Security Modules (LSM) for fortifying workloads based on Cloud Containers, IoT/Edge, and 5G networks.

The persistent allure of cryptojacking for cyber attackers lies in its low risk and high rewards. While machine learning (ML) proves valuable for security teams, its effectiveness is heightened when combined with traditional rule-based policies, enabling the detection of patterns and behaviors linked to cryptomining attacks.

KubeArmor is a runtime Kubernetes security engine. It uses eBPF and Linux Security Modules (LSM) for fortifying workloads based on Cloud Containers, IoT/Edge, and 5G networks. With Zero Trust policy enforcements and ready-made templates to plug and play, you can limit unauthorized access to network, process, and file access primitives from unknown binaries. This proactive approach mitigates the risk of cryptominers deploying malicious binaries within the Kubernetes cluster, even if the specific software or techniques are unknown. KubeArmor can also prevent code execution from the /tmp/ folder, a tactic used by cryptominers like PwnRig. Policies can block the execution of reconnaissance tools like masscan, zgrab2, and nmap and prevent IRC bots like Tsunami, which are often used in cryptojacking campaigns.

AccuKnox is your all-in-one tool! We specialize in cloud security that secures “Build to Runtime.” AccuKnox is compliant with SOC2, STIG, PCI, HIPAA, CIS, MITRE, NIST, and more: One platform that can do Agentless ASPM and CSPM, CWPP, KSPM, and KIEM. It is an AI-LLM powered durable, reliable, and scalable CNAPP solution.
