Clouds vs cryptominers

It doesn't get the headlines of complete cloud failures, but criminal cryptominers such as TeamTNT quietly steal away your cloud resources every day.

Cryptojackers knew long ago that stealing cloud resources for cryptomining is far more profitable than paying for their own cryptomining rigs. For example, cloud security company Sysdig recently found that TeamTNT, a notorious cryptojacking group, mined over $8,100 worth of cryptocurrency from hijacked cloud infrastructure at a cost to their victims of more than $430,000. TeamTNT made a buck at a cost to their targets of $53.


It gets much worse, according to other analyses. According to the Google Cybersecurity Action Team (GCAT) September 2022 Threat Horizons Report, a staggering 65% of cloud accounts compromised suffered cryptocurrency mining. A single attack can inflict unauthorized compute costs of hundreds of thousands of dollars within mere days.

It won't be getting better. As Sysdig security researcher Nicholas Lang said, "Cryptojacking isn’t likely to go away anytime soon. Even as the crypto markets plummet and coins become less valuable, the attackers have little to no expenses to worry about, so a tiny profit is still all profit. Cryptojacking has the ideal ratio of low effort and low risk to high reward while enabling near-instant monetization of stolen infrastructure upon gaining access."

Lang continued, "So far, cloud providers have been fairly generous in forgiving large bills incurred due to malicious cryptomining. This is unlikely to continue as the popularity of cryptojacking continues to rise. Ultimately, the financial or otherwise damage due to the exploitation of workloads in the cloud is the account holder’s responsibility."

So, what can you do about it? Lots. First, you must implement such security basics as Multi-Factor Authentication (MFA). Web Application Firewalls (WAF), and extended detection and response (XDR) services. For the latter, these include third-party services such as Aqua Cloud Security, Palo Alto Networks Advanced Threat Prevention, Cisco Umbrella, and CrowdStrike Falcon XDR.

Your hypercloud provider also has tools you can use. Prominent examples include AWS Security Hub, Azure Firewall, and Google Security Command Center.

GCP feels secure enough of its cryptojacking protection service to guarantee it with its new Cryptomining Protection Program.. This innovative program aims to mitigate unauthorized Google Cloud compute expenses accrued as a result of undetected cryptomining attacks for Security Command Center Premium customers with a financial guarantee of up to $1 million.

The GCP approach works by engineering its virtual machine malware scanning into the very fabric of the Google Cloud infrastructure. This means it doesn't require software agents, which can potentially hinder performance and enlarge an organization's attack surface. It also boasts the capability to detect compromised identities, a common pathway for attackers to gain unauthorized access to cloud accounts and rapidly disseminate cryptomining malware.

While the other hyper-cloud providers aren't offering such guarantees, they likely will soon will. For example, in December 2022, Azure changed its Acceptable Use Policy (AUP) to prohibit crypto mining without Microsoft's written pre-approval explicitly.

You'd be wise to adopt anti-crypto jacking measures for your cloud use. It doesn't show up as dramatically on the bottom line as a multi-hour or day crash. But, make no mistake, every day cryptojacking software runs without discovery, you’re losing your resources and cash.

Noteworthy Linux and open-source stories: