By David Cramer, President of Digital Service Operations (DSO) at BMC
Mining for digital currency can be a profitable business, but it requires a lot of computing power. That’s why criminal hackers have been breaking into corporate networks and hijacking servers to run cryptomining software. Enterprises need to defend themselves against this pernicious new threat, which can inflate computing costs and leave them vulnerable to data breaches.
Security experts say the practice, known as cryptojacking, is one of the fastest growing threats to corporate security. A recent report found a staggering 25 percent of businesses have been targeted by cryptojacking in the cloud. Security firm CrowdStrike said some victims were left “unable to operate for days and weeks at a time.”
Some big names including Tesla and Gemalto have fallen victim.
To generate new units of cryptocurrency, miners need to solve complex mathematical equations. Over the years, the amount of computing power needed to solve these equations has risen dramatically — along with the value of virtual currencies. These factors combined explain why hackers are commandeering corporate servers to run mining programs — it can be a lucrative business, but they need a lot of compute power to do it.
Cryptomining siphons off CPU and GPU cycles, which can hurt application performance and inflate infrastructure costs. For example, the energy needed to mine a single bitcoin requires approximately 215 kilowatt-hours. In Texas, where our corporate headquarters is located, the cost in energy to mine one bitcoin is US$3,681, while in California it costs more than US$6,000.
Cryptojacking also gives hackers a foothold in your network that could be used for other types of attack, including stealing sensitive data.
The Kubernetes Factor
One common vector of attack has been to target insecurely configured Kubernetes clusters. This was the method employed against Tesla, Aviva and Gemalto, and securing these clusters is a good first step to guard against attack.
Why Kubernetes? The container scheduling software has been highly effective for improving developer productivity, but Kubernetes clusters are also complex to manage, and there are still gaps in organizational knowledge about how to secure them. This makes them a good target for criminals.
There are a few basic steps that enterprises can take to secure their Kubernetes clusters to defend against crypto attacks:
Blind spot detection. The first step is to detect all of the Kubernetes clusters that exist in your environment, both in the cloud and on premises. You can’t secure what you don’t know is there, so you need to identify all your Kubernetes clusters using accurate discovery tools.
Harden your Stack. Once you’ve identified your Kubernetes clusters, they need to be properly secured. The container stack includes numerous layers, and each layer needs to be hardened. An issue to watch out for is that many of the Kubernetes installers default to easy-to-use but insecure configurations.
Automate your Kubernetes checks. Modern application environments change frequently. That means it’s important to have some type of policy service to continuously monitor, assess and fix container attacks.
If affected companies like Tesla had followed these steps, they might have prevented the attacks from occurring. But Kubernetes isn’t the only vector that criminal hackers can exploit.
Good Security Hygiene
Security firms have identified other forms of malware that are also used to steal compute cycles, including a sophisticated cryptomining worm dubbed WannaMine that hides behind legitimate system software such as WMI and PowerShell. To defend against these and other forms of attack, enterprises need to follow basic security best practices – and it is shocking how frequently they do not:
Strengthen Access Controls. IT admins should always apply the principle of least privilege for systems and applications; don’t provide access to any user that doesn’t need it. In addition, two-factor authentication services are advisable for all services that are externally accessible.
Tighten device security. Cryptomining malware also targets endpoints such as PCs and smartphones, to harvest cycles from thousands of individual devices. Keeping systems patched and OSes up to date, and installing antivirus software are all good places to start.
Identify Inactive Services. The cloud makes it easy for developers to spin up and take down new applications quickly, but it’s also easy to leave unneeded services running, which then become vehicles for attack. Identify these services and shut them down.
Lockdown websites. In December, a massive spike in brute force attacks on WordPress sites was found to be linked to a crypto-mining attack. Securing your website is vital to protecting not only your organization but your customers.
With the steady rise in value and popularity of cryptocurrencies, we’re likely to see more hackers jumping on the crypto-hacking bandwagon. As yet, the attacks do not seem to have caused any major disruption to public services, but the recent wave of attacks should be a wake-up call for enterprises: ignore this threat at your peril.