Protecting Against the Crypto Mining Threat
As part of our commitment to protecting cloud native environments, Twistlock Labs conducts industry research into concrete threats against containerized deployments. Late last year, we discovered a set of successful and sustained attacks against the ecosystem. One of the end goals of these attacks was to exploit the targeted infrastructure by surreptitiously running cryptocurrency miners on it, stealing computing resources to generate Bitcoin and other cryptocurrencies. We presented our research jointly with the Docker team at the DockerCon EU conference in late 2017 [1].
Intro to cryptocurrency and crypto mining
Cryptocurrency is a form of digital money designed to be decentralized and, in most cases, pseudonymous. The first cryptocurrency to have a significant worldwide impact appeared in October 2008 and was called Bitcoin. Its principles were outlined in the paper “Bitcoin: A Peer-to-Peer Electronic Cash System” [2], published by Satoshi Nakamoto. Then, in early 2009, open-source software implementing those principles was released, sparking the interest of others in experimenting with bitcoins. After some time Satoshi Nakamoto mysteriously left the Bitcoin community; in fact, his whereabouts are still unknown. Before he disappeared, he is believed to have mined more than 1M bitcoins. To this day Bitcoin continues to thrive, and in December 2017 it reached a price of about $19K per coin.
Crypto mining is the process of creating new coins. Conceptually it is very similar to gold mining in that: 1) it is difficult to mine new coins, and 2) the more people that are mining, the more difficult it becomes to mine new coins. With cryptocurrencies the only resource consumed by the mining process is computation. It can come from a CPU, a GPU, or dedicated hardware; the more resources you have, the more coins you can acquire. Consequently, miners use any resource they can find to mine more coins.
Over time, hundreds of additional cryptocurrencies appeared, and collectively they came to be called altcoins [3]. Some of them gained traction and some didn't. Two of the best-known examples of altcoins that attained a high market capitalization are Ethereum, which reached a market capitalization of $133B, and Ripple, which reached $128B, both at their peaks around the end of 2017 and the start of 2018; Bitcoin's market capitalization at that time was around $327B. Before I dig into this part, I want to point out that crypto mining is a concept that applies to all altcoins as well.
Leveraging a victim’s infrastructure to mine cryptocurrency
Starting to mine is very easy. One simply downloads mining software suitable for the currency one wants to mine and runs it on as many computing resources as possible. For some currencies, mining can only be done effectively with a GPU or other dedicated hardware; for others it can be done with ordinary CPUs. Miners are eager to reach as many computing resources as they can, and a large number of them take part in illegal activities to increase their gains.
An approach we see fairly often is a miner breaking into external environments solely to obtain computing resources, as opposed to more common goals like data exfiltration or denial of service. Also, unlike those goals, mining is a much less intrusive activity: it typically does not involve sending large chunks of data out of the organization or calling suspicious APIs. Its main impact is high CPU / GPU usage, and if done well, even this can be masked as a benign, unplanned load spike. On one hand this makes crypto mining much harder to detect; on the other, it can have a significant negative impact on the environment. Specifically, if done right, mining processes will be scheduled at a higher priority than the rest of the software in the environment, while that software is exactly what you want to be running there: it is what you built the environment for. Consequently, hidden mining processes can result in severe denial of service and create the appearance that your environment is overloaded and needs to be expanded, which is exactly what the attacker wants.
So, how does the crypto mining threat apply to cloud native environments specifically? To answer that, we need to define cloud native. The Cloud Native Computing Foundation (CNCF) defines cloud native as [4]:
- Containerized. Each part (applications, processes, etc.) is packaged in its own container. This facilitates reproducibility, transparency, and resource isolation.
- Dynamically orchestrated. Containers are actively scheduled and managed to optimize resource utilization.
- Microservices oriented. Applications are segmented into microservices. This significantly increases the overall agility and maintainability of applications.
Using this definition as the foundation, I'll emphasize that: 1) there is a large number of entities, which are containerized microservices, and 2) there is a platform, an orchestration platform, that automatically manages those entities. Now consider that an attacker gains access to one of the microservices by exploiting a vulnerability in proprietary software running within it. This is not a rare scenario. The attacker can easily use it to generate revenue by mining crypto coins within this microservice. He can also attempt lateral movement to exploit more microservices. I'll elaborate on this in the next section.
Mining coins in an exploited cloud native environment
In a cloud native environment, software is packaged into images. Each image is an archive containing the initial file system the microservice will see once it is instantiated from that image. Basically, any piece of software can be packaged into an image. Orchestration platforms take images and instantiate microservices (containers or pods) from them. They constantly make sure all microservices are alive, healthy, and appropriately distributed among hosts.
Crypto mining software can be packaged into images as well. In fact, you can find quite a few examples in Docker's public image hub [5]. Some specific examples are shown below:
It is very common for publicly accessible cloud native environments to be exploited in order to run crypto miners. Some common attack vectors used to infiltrate an environment for this purpose are:
- Find a publicly accessible orchestration platform (such as Kubernetes, Shipyard, or similar). Filter for those that have weak settings [6] (e.g., default admin credentials), and use these to access the platform and run crypto miners there. As part of our research we attempted to find real instances of publicly facing orchestration platforms with default credentials, and found many hundreds of them around the Internet.
- Find a publicly accessible image registry (such as a Docker registry) with default settings and modify the images there to include miners. For example, modify a MongoDB image so that when instantiated it runs a crypto miner alongside the actual mongo daemon.
- Exploit a vulnerability in a containerized proprietary service to get into the microservice and run a miner there. Then move laterally to deploy more miners in other microservices.
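The second vector above, a registry left in its default configuration, is easy to check for from the outside, and it is worth doing against your own registries before an attacker does. The script below is an added example and not Twistlock's code. It uses only the public Docker Registry HTTP API V2: `GET /v2/` answers 200 with a `Docker-Distribution-API-Version: registry/2.0` header when no authentication is configured, 401 with a `WWW-Authenticate` challenge when it is, and `GET /v2/_catalog` lists repositories as JSON. The target URL is a placeholder assumption; replace it with a registry you are authorised to test.

```python
"""Check whether a Docker Registry v2 endpoint answers without credentials.

Added example, not Twistlock's code. REGISTRY is a placeholder; the
response interpretation is kept in pure functions so it can be exercised
offline without a live registry.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

REGISTRY = "http://registry.example.internal:5000"  # assumption: placeholder target


def interpret_v2_response(status: int, headers: Dict[str, str]) -> str:
    """Classify the answer to GET /v2/.

    "open"           -> API calls are accepted with no authentication
    "auth-required"  -> the registry issued a token / basic-auth challenge
    "not-a-registry" -> whatever answered is not a v2 registry
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_v2 = hdrs.get("docker-distribution-api-version", "").startswith("registry/2.0")
    if status == 200 and is_v2:
        return "open"
    if status in (401, 403) and (is_v2 or "www-authenticate" in hdrs):
        return "auth-required"
    return "not-a-registry"


def parse_catalog(body: bytes) -> List[str]:
    """Extract repository names from a /v2/_catalog response body."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    repos = doc.get("repositories", []) if isinstance(doc, dict) else []
    return [r for r in repos if isinstance(r, str)]


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str], bytes]:
    """GET url with no credentials; HTTP errors are returned as data, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "registry-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()
    except urllib.error.URLError:
        return 0, {}, b""  # connection refused, DNS failure, timeout


def check_registry(base_url: str) -> Tuple[str, List[str]]:
    """Return (verdict, repositories readable without credentials)."""
    base = base_url.rstrip("/")
    status, headers, _ = fetch(base + "/v2/")
    verdict = interpret_v2_response(status, headers)
    repos: List[str] = []
    if verdict == "open":
        status, _, body = fetch(base + "/v2/_catalog?n=100")
        if status == 200:
            repos = parse_catalog(body)
    return verdict, repos


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else REGISTRY
    verdict, repos = check_registry(target)
    print(f"{target}: {verdict}")
    for name in repos:
        print(f"  anonymously readable repository: {name}")
```

A registry that comes back as "open" is not just readable: the stock registry with no auth section configured accepts pushes from anyone who can reach it, which is exactly what the MongoDB-plus-miner scenario above needs. The fix is to put the registry behind token or basic authentication and keep it off the public Internet.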
As mentioned at the beginning of the article, our security team, Twistlock Labs, is tasked with continuously detecting new threats and monitoring how widely they spread across the public network. During the last year we saw a constant increase specifically in the abuse of inadequately secured cloud native environments to mine crypto coins. This is undoubtedly related to the phenomenal growth in the popularity of crypto coins over the same period. Specifically, we discovered thousands of orchestration systems, some belonging to large corporations, that had miners running within them because of lax security measures.
This slide is part of the research we presented at DockerCon EU '17. The number of exposed environments, including registries, is worrisome.
Protecting cloud native environments from cryptocoin miners
As is true across the board in cybersecurity, good protection consists of several layers. The first layer of defense for detecting and blocking crypto miners is a combination of static analysis and compliance checks. The static analysis portion focuses on detecting mining software by file signature: each executable's signature is checked against the signatures of known crypto miner executables. However, this by itself will certainly not stop a more advanced attacker. Today there are free, open source tools that let an attacker easily take a piece of software and obfuscate it. The result is a new executable whose overall and partial signatures differ from the originals and cannot be detected using conventional methods. One tool that can be used to achieve this is Shiva [7]. The second portion of the first layer of defense is checking for general system compliance, as described in several CIS guides [8][9]. While important, this again will not stop a more sophisticated attacker.
The next, second, layer of defense is the capability to monitor and enforce how entities behave at runtime. The current de facto approach to monitoring and enforcing entity behavior at runtime is based on blacklisting. Blacklisting means creating a set of prohibited (blacklisted) behaviors for your environment. This is a manual and rigorous process. These behaviors usually cover network access (e.g., which addresses the application should not access and which ports it should not use), file signatures (e.g., such and such signatures correspond to malware and should be quarantined), processes (e.g., processes with certain names are not permitted to run), etc.
The key thread running through all these areas is that what is defined is a blacklisted behavior, and that it is defined by hand. As I described above, in the case of crypto mining it is very easy to tune the mining software to escape blacklisting in all of the buckets above. Code obfuscation and CPU/GPU usage adjustments are just a couple of ways to get around a blacklist. One can package the miner code in an executable with an unknown signature and give it a random name that is not mentioned in the process blacklist. As a result the miner code will not be blocked.
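To make the weakness of the first layer and of blacklisting concrete, here is an added example (not Twistlock's code) that implements the three blacklist checks just described, a whole-file hash, a partial byte-pattern signature and a process-name list, and then shows that a one-line repack plus a rename defeats all three. The "binaries" are constructed byte strings standing in for ELF files, the hash set and pattern list stand in for a threat-intel feed, and `obfuscate()` is a toy XOR packer rather than Shiva; none of these names come from the original post.

```python
"""Blacklist-style miner detection (hash, byte pattern, process name) and
the trivial evasion the text describes.

Added example, not Twistlock's code. The "binaries" are constructed byte
strings standing in for ELF files; the hash set, pattern list and name list
stand in for a threat-intel feed. obfuscate() is a toy packer, not Shiva.
"""
import hashlib
import os
from typing import Dict, List

# Constructed stand-ins for on-disk executables (not real binaries).
MINER_BINARY = (b"\x7fELF" + b"xmrig 2.x stratum+tcp://pool.example:3333 "
                b"--donate-level=1" + b"\x00" * 32)
BENIGN_BINARY = b"\x7fELF" + b"mongod 3.6 --dbpath /data/db" + b"\x00" * 32


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# "Overall" signature: hash of the whole file, as a feed would distribute it.
KNOWN_MINER_HASHES = {sha256(MINER_BINARY)}
# "Partial" signatures: byte patterns typical of miner builds.
KNOWN_MINER_PATTERNS = [b"stratum+tcp://", b"--donate-level"]
# Process/file name blacklist, as naive runtime rules use.
BLACKLISTED_NAMES = {"xmrig", "minerd", "cpuminer", "cryptonight"}


def classify(path: str, data: bytes) -> List[str]:
    """Return the blacklist rules that fire for this file; empty means 'looks clean'."""
    hits = []
    if sha256(data) in KNOWN_MINER_HASHES:
        hits.append("hash")
    if any(pattern in data for pattern in KNOWN_MINER_PATTERNS):
        hits.append("pattern")
    if os.path.basename(path).lower() in BLACKLISTED_NAMES:
        hits.append("name")
    return hits


def obfuscate(data: bytes, key: int = 0x5A) -> bytes:
    """Toy packer: keep the ELF magic, XOR everything after it.
    A real packer adds a stub that undoes this at load time; for the
    detector the only thing that matters is that the bytes on disk changed.
    XOR is its own inverse, so obfuscate(obfuscate(x)) == x."""
    return data[:4] + bytes(b ^ key for b in data[4:])


def scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run classify() over a {path: contents} map, keeping only files with hits."""
    report = {}
    for path, data in files.items():
        hits = classify(path, data)
        if hits:
            report[path] = hits
    return report


# Constructed container file system: a clean binary, the miner as shipped, and
# the same miner repacked and renamed to look like a kernel worker thread.
SAMPLE_FS = {
    "/usr/bin/mongod": BENIGN_BINARY,
    "/usr/local/bin/xmrig": MINER_BINARY,
    "/usr/lib/.cache/kworker": obfuscate(MINER_BINARY),
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FS).items():
        print(f"{path}: {', '.join(hits)}")
    # Only /usr/local/bin/xmrig is reported; the repacked copy passes every check.
```

The repacked copy is byte-for-byte the same miner once its loader runs, yet every static check above is silent on it. That is the gap the runtime whitelisting described later is meant to close: it does not matter what the file is called or hashes to if its behaviour is not in the profile.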
In the previous section I described three attack vectors for injecting a crypto miner into an organization. Now I'll dig deeper into how they can be mitigated. The first two vectors are based on weak platform configuration, of either the orchestration platform or the image registry. Such weak configurations can easily be detected by a cloud native aware security solution. A good solution, like Twistlock, would also block the ability to configure the platform in such a way. The last attack vector is trickier. It does not use a platform vulnerability, but rather a vulnerability in a proprietary service the organization exposes publicly. The next few paragraphs talk about how to mitigate this threat.
I believe that the only practical way of detecting crypto miners and other advanced malware within your cloud native environment is by whitelisting expected entity behavior. As opposed to blacklisting, whitelisting identifies what benign behavior for a specific entity is. Think of it as a profile that contains the information about what a specific application is permitted to do. It may contain a list of signatures of executables it is permitted to run, a list of IP ranges it is permitted to access, a list of storage paths it is permitted to write to, etc. As you can imagine, these profiles differ significantly between applications. The more tightly the profile describes the application, the better the protection.
In typical cloud native environments the number of entities (or microservices) is considerable. Therefore, it is entirely impractical to assume manual creation of profiles containing whitelisted behavior for each entity. My expectation of a modern, cloud native aware security solution is that it 1) detects all entities, 2) creates whitelisted profiles for every entity, and 3) continuously enforces that every entity behaves within its profile. All of this should be done fully automatically. This is what we do at Twistlock, and it is the core capability of our main product.
Going back to the crypto mining example, consider that one of the entities is exploited and an attacker runs a crypto miner in a container. Given a profile containing whitelisted behavior, the crypto miner will be immediately and automatically detected: its signature will not be in the profile, it will communicate with IP ranges that are not in the profile, it will invoke system calls that are not in the profile, etc. These are just a few examples; a typical profile is much richer than this.
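The whitelist idea from the last three paragraphs, reduced to code: a per-entity profile of allowed executable hashes, IP ranges, ports, writable paths and syscalls, and an audit that reports every runtime event falling outside it. This is an added example and not Twistlock's product logic. The profile, the hashes (derived from labels) and the event stream are all constructed here so that it runs offline; in a real deployment the profile is learnt by observing the workload and the events come from exec, network, file and syscall instrumentation on the host.

```python
"""Whitelist (behaviour profile) enforcement over a container's runtime events.

Added example, not Twistlock's product code. The profile, the binary hashes
and the event stream are constructed so the script runs offline.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


def label_hash(label: str) -> str:
    """Stand-in for a binary's sha256 digest (constructed from a label)."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass
class Profile:
    executables: Set[str]          # sha256 digests of binaries allowed to exec
    networks: Sequence             # ipaddress networks the entity may connect to
    ports: Set[int]                # destination ports it may use
    write_paths: Tuple[str, ...]   # path prefixes it may write under
    syscalls: Set[str]             # syscalls observed while profiling


@dataclass
class Event:
    container: str
    kind: str     # "exec" | "connect" | "write" | "syscall"
    detail: dict


def check(profile: Profile, ev: Event) -> Optional[str]:
    """Return a violation description, or None when the event fits the profile."""
    d = ev.detail
    if ev.kind == "exec":
        if d["sha256"] not in profile.executables:
            return f"exec of binary not in profile: {d['path']}"
    elif ev.kind == "connect":
        ip = ipaddress.ip_address(d["dst"])
        if not any(ip in net for net in profile.networks):
            return f"connect to {d['dst']} outside allowed ranges"
        if d["port"] not in profile.ports:
            return f"connect to port {d['port']} not in profile"
    elif ev.kind == "write":
        if not d["path"].startswith(profile.write_paths):
            return f"write outside allowed paths: {d['path']}"
    elif ev.kind == "syscall":
        if d["name"] not in profile.syscalls:
            return f"syscall not in profile: {d['name']}"
    else:
        return f"unknown event kind: {ev.kind}"
    return None


def audit(profiles: Dict[str, Profile], events: Sequence[Event]) -> List[str]:
    """Whitelist semantics: anything not explicitly allowed is reported,
    including events from entities that have no profile at all."""
    findings = []
    for ev in events:
        prof = profiles.get(ev.container)
        if prof is None:
            findings.append(f"{ev.container}: no profile for this entity")
            continue
        why = check(prof, ev)
        if why:
            findings.append(f"{ev.container}: {why}")
    return findings


# Constructed profile for a MongoDB microservice, as learnt during a clean run.
PROFILES = {
    "mongo": Profile(
        executables={label_hash("mongod-3.6"), label_hash("mongo-shell-3.6")},
        networks=[ipaddress.ip_network("10.0.0.0/8")],
        ports={27017},
        write_paths=("/data/db/", "/tmp/mongodb-"),
        syscalls={"read", "write", "openat", "fsync", "socket", "connect",
                  "accept4", "epoll_wait", "mmap", "futex"},
    )
}

# Constructed event stream: normal mongod activity, then a dropped-in miner.
SAMPLE_EVENTS = [
    Event("mongo", "exec", {"path": "/usr/bin/mongod", "sha256": label_hash("mongod-3.6")}),
    Event("mongo", "connect", {"dst": "10.0.3.7", "port": 27017}),
    Event("mongo", "write", {"path": "/data/db/collection-0.wt"}),
    Event("mongo", "syscall", {"name": "fsync"}),
    # The miner was renamed and repacked, so name/hash blacklists miss it...
    Event("mongo", "exec", {"path": "/usr/lib/.cache/kworker", "sha256": label_hash("repacked-miner")}),
    # ...but it still has to reach a pool, pin CPUs and write its config.
    Event("mongo", "connect", {"dst": "203.0.113.7", "port": 3333}),
    Event("mongo", "syscall", {"name": "sched_setaffinity"}),
    Event("mongo", "write", {"path": "/usr/lib/.cache/config.json"}),
    Event("sidecar-x", "exec", {"path": "/bin/sh", "sha256": label_hash("busybox")}),
]

if __name__ == "__main__":
    for line in audit(PROFILES, SAMPLE_EVENTS):
        print(line)
```

Note the default in `audit()`: an entity with no profile is reported rather than ignored. Under a whitelist model "unknown" has to mean "not allowed", otherwise an attacker only needs to start a container the profiler has not seen. The same miner that passed every blacklist check is caught here four times over, on its exec hash, its pool connection, its CPU-affinity syscall and its config write, without any miner-specific rule in the profile.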
The aim of this post is to raise awareness of the need to protect against crypto mining threats. As stated, a vulnerability in an application is very easy to exploit by running a miner alongside the original application. Over time, lateral movement makes it possible to extend the miner deployment to other applications, little by little imposing a significant negative impact on the overall performance of the production environment. In the case of a cloud native environment the impact is even more significant, since the number of entities is higher and a common, blacklist-oriented security solution is much less effective.
Cloud native aware, whitelist-oriented security solutions can easily detect any behavior that differs from the one outlined in a tight profile wrapping the application. This applies to crypto miners as well.