Financially motivated threat actors opportunistically target publicly exposed, misconfigured or vulnerable cloud resources and hijack them to run cryptomining operations, a practice known as “cryptojacking”. While often considered less of a threat than other types of activity, cryptojacking can result in significantly increased cloud billing for the targeted organization, especially if the threat actor manages to compromise cloud access keys and abuse them to spin up multiple expensive resources. Moreover, cryptojacking is concrete evidence that an environment is vulnerable to attack, so one should assume that other threat actors with more sinister motivations will soon follow. Cryptomining can be detected and blocked by monitoring DNS requests and commands indicative of cryptomining activity (such as modifying CPU process prioritization), scanning for malware, and monitoring cloud logs for coordinated launches of new resources.
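As an added illustration of the last two detection ideas above (this code is not part of the original entry), the following Python flags an access key that launches a burst of instances within a short window and surfaces shell commands that adjust CPU process priority. The CloudTrail-style events, the access key IDs and the audit lines are all constructed sample data, and the 5-minute window and threshold of 4 launches are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events (illustration only): one access key bursts
# RunInstances calls within a few minutes, another key makes a single call.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-02T13:00:05Z", "eventName": "RunInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"},
    {"eventTime": "2024-01-02T13:00:41Z", "eventName": "RunInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"},
    {"eventTime": "2024-01-02T13:01:00Z", "eventName": "RunInstances", "accessKeyId": "AKIAEXAMPLEKEY000002"},
    {"eventTime": "2024-01-02T13:01:12Z", "eventName": "RunInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"},
    {"eventTime": "2024-01-02T13:01:50Z", "eventName": "RunInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"},
    {"eventTime": "2024-01-02T13:02:09Z", "eventName": "DescribeInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"},
    {"eventTime": "2024-01-02T13:02:30Z", "eventName": "RunInstances", "accessKeyId": "AKIAEXAMPLEKEY000001"},
]
# Constructed process-execution audit lines (illustration only).
SAMPLE_COMMANDS = ["renice -n -20 -p 4242", "ls -la /var/log",
                   "nice -n 19 /opt/backup/run.sh", "systemctl status sshd"]
# nice/renice change CPU scheduling priority, the behaviour the entry names as
# indicative of cryptomining; surface such commands for analyst review.
PRIORITY_CMD = re.compile(r"\b(?:re)?nice\b")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def coordinated_launches(events, window=timedelta(minutes=5), threshold=4):
    """Map accessKeyId -> largest burst for keys with >= threshold
    RunInstances calls inside any sliding window of length `window`."""
    launches = defaultdict(list)
    for ev in events:
        if ev["eventName"] == "RunInstances":
            launches[ev["accessKeyId"]].append(_ts(ev["eventTime"]))
    flagged = {}
    for key, times in launches.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            burst = end - start + 1
            if burst >= threshold:
                flagged[key] = max(flagged.get(key, 0), burst)
    return flagged

def priority_commands(lines):
    """Return audit lines that invoke nice/renice."""
    return [line for line in lines if PRIORITY_CMD.search(line)]

if __name__ == "__main__":
    print("coordinated launches:", coordinated_launches(SAMPLE_EVENTS))
    print("priority commands:", priority_commands(SAMPLE_COMMANDS))
```

Legitimate batch jobs also call nice, so in practice the priority check is baselined against known hosts and paired with the launch-burst signal rather than alerting on its own.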
Tags
Cloud, K8s
ATT&CK Tactic
Impact (TA0040)
Incidents
Kiss-A-Dog campaign, ScarletEel campaign (Feb ‘23), RBAC Buster, Misconfigured firewall to cryptojacking botnet, ScarletEel campaign (July ‘23), EleKtra-Leak, Labrat GitLab campaign, AmberSquid campaign, DangerDev SES abuse incident, ECS Fargate cryptojacking, Dero cryptojacking targeting K8s, DERO cryptojacking campaign (2024), SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining
Last edited
Jan 2, 2024 1:03 PM
Status
Featured