
Whether compromising misconfigured cloud infrastructure or taking advantage of free-tier cloud development platforms, attackers see a vast pool of workloads to use for crypto mining.
Threat actors are compromising cloud accounts to create distributed workloads for crypto mining, compromising misconfigured and vulnerable cloud instances to execute distributed denial-of-service (DDoS) attacks, and abusing trial accounts from DevOps service providers.
A Romanian group, dubbed Outlaw, compromises Internet of Things (IoT) devices and Linux servers and containers by rudimentarily exploiting known vulnerabilities and using stolen or default credentials to mine the Monero digital currency or execute DDoS attacks. A more sophisticated group, TeamTNT, targets vulnerable software services; it ramped up attacks starting last November while claiming it would halt operations. And the Kinsing group harbors an impressive number of cloud exploits and rapidly transitioned to the Log4j exploit in December, according to a report released by Trend Micro on March 29.
The attacks should be a warning sign to companies that their security controls are not working well in the cloud, says Stephen Hilt, a senior threat researcher with Trend Micro.
“The amount of poorly configured cloud instances is high, and these groups are taking advantage of it,” he says. “The systems are unchanged from the attackers, so this doesn’t set off any red flags for things like changing passwords, adding their mining software and scripts, and leaving everything else untouched. If you aren’t paying for the on-demand pricing, it is likely a long time before you notice their activities, specifically the groups that set limits on resources the miners can use.”
Other attackers have found ways to exploit the free tier of continuous integration, continuous deployment (CI/CD) pipeline services — Read more: https://bit.ly/3Dy3nqj