Last month, the RedLock CSI team identified an open Kubernetes administration console belonging to Aviva, a British multinational insurance company headquartered in London, United Kingdom, with 33 million customers across 16 countries. Upon further investigation, the team found that the public cloud computing environment where this instance was hosted had been compromised. A malicious actor was stealing the “free” compute power within this environment to mine Bitcoins.
Background
Unlike physical currency, Bitcoin is entirely virtual and there are three traditional ways for malware to generate Bitcoins for their creators:
Direct theft of private keys from bitcoin wallets
Ransomware that encrypts files and demands a Bitcoin payment to restore access
Parasitic bots that “mine” Bitcoins with stolen processing power.
In this specific incident, attackers used Aviva’s public cloud infrastructure as bots to mine Bitcoins, and it is important to understand the motivation here.
Bitcoin mining involves extremely complex and time-consuming mathematical calculations. The cost of compute makes it economically unviable for one to mine Bitcoins on their own hardware. However, that equation changes to a more favorable one when the resources being used belong to someone else. Many criminals are taking advantage of poor cloud security practices and configuration mistakes to take over cloud instances belonging to large organizations, where the increase in spend due to Bitcoin mining will likely go unnoticed. Once they infiltrate the cloud environment, it is a simple matter to spin up a powerful virtual machine to generate Bitcoins while the subscribing organization gets stuck with the bill.
Details
The RedLock CSI team found that Aviva’s Kubernetes administration console was deployed on a cloud instance and accessible without a username or password. The console was leaking critical infrastructure credentials such as Amazon Web Services (AWS) access keys and secret tokens. The team also found that the MySQL12 container was executing a Bitcoin mining command. The attacker had created a randomized email address ([email protected]), which was difficult to trace back to a specific entity; refer to the screenshot below for details. The RedLock CSI team notified Aviva of the findings, and Aviva’s security team resolved the issues immediately.
Aviva Kubernetes Container Used for Bitcoin Mining
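The two findings above, a container running a miner command line and credentials readable from the pod spec, are both visible in the same data an open dashboard exposes. The following script is an added example, not RedLock's tooling or anything from the Aviva environment: it walks a pod list in the shape of `kubectl get pods --all-namespaces -o json` and flags containers whose command or args carry mining indicators, and credential-like environment variables set as literal values instead of via a secret reference. The pod list, the pool hostname, the key value and the indicator labels are all constructed for this example; the pod name only echoes the "MySQL12" container mentioned in the text.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like `kubectl get pods --all-namespaces -o json`.
# Hostnames, values and names are made up; nothing here is from the incident.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {
            "metadata": {"namespace": "default", "name": "mysql12-0"},
            "spec": {"containers": [{
                "name": "mysql12",
                "image": "mysql:5.7",
                "command": ["/bin/sh", "-c"],
                "args": ["minerd -a sha256d -o stratum+tcp://pool.example.invalid:3333 -u worker -p x"],
                "env": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "EXAMPLEsecretEXAMPLEsecret1234"}],
            }]},
        },
        {
            "metadata": {"namespace": "web", "name": "frontend-7d9f"},
            "spec": {"containers": [{
                "name": "nginx",
                "image": "nginx:1.13",
                # Credential supplied through a Secret reference: not flagged below.
                "env": [{"name": "LOG_LEVEL", "value": "info"},
                        {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
            }]},
        },
    ]
})

# Indicators of a mining command line. The labels are this example's own;
# the regexes match the stratum pool URL scheme, well-known miner binary
# names and miner-specific CLI flags.
MINING_INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("stratum-pool-url", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("known-miner-binary", re.compile(r"\b(minerd|cpuminer|xmrig|cgminer|bfgminer|ethminer)\b", re.I)),
    ("miner-cli-flag", re.compile(r"(--donate-level|-a\s+(sha256d|cryptonight|scrypt)\b)", re.I)),
]

# Env var names that usually carry a credential. A literal `value` means the
# secret is readable by anyone who can view the pod spec, which is exactly
# what an unauthenticated dashboard hands out.
CREDENTIAL_ENV_NAME = re.compile(r"(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SECRET|TOKEN|PASSWORD|PASSWD)", re.I)


def _containers(pod_list: Dict):
    """Yield (namespace, pod name, container spec) for every container, init containers included."""
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            yield meta.get("namespace", ""), meta.get("name", ""), container


def find_mining_containers(pod_list_json: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (namespace, pod, container, sorted indicator labels) for containers
    whose command/args look like a miner invocation."""
    findings = []
    for ns, pod, c in _containers(json.loads(pod_list_json)):
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        labels = sorted(label for label, rx in MINING_INDICATORS if rx.search(cmdline))
        if labels:
            findings.append((ns, pod, c.get("name", ""), labels))
    return findings


def find_plaintext_credentials(pod_list_json: str) -> List[Tuple[str, str, str, str]]:
    """Return (namespace, pod, container, env name) for credential-like env vars
    given as a literal value rather than via valueFrom (secretKeyRef)."""
    findings = []
    for ns, pod, c in _containers(json.loads(pod_list_json)):
        for env in c.get("env", []):
            if CREDENTIAL_ENV_NAME.search(env.get("name", "")) and "value" in env:
                findings.append((ns, pod, c.get("name", ""), env["name"]))
    return findings


if __name__ == "__main__":
    for ns, pod, c, labels in find_mining_containers(SAMPLE_POD_LIST):
        print(f"MINING  {ns}/{pod} container={c} indicators={','.join(labels)}")
    for ns, pod, c, env in find_plaintext_credentials(SAMPLE_POD_LIST):
        print(f"SECRET  {ns}/{pod} container={c} env={env} is a literal value")
```

On a real cluster, pipe `kubectl get pods --all-namespaces -o json` into the two functions instead of the constructed sample; the indicator lists are deliberately short and are meant to be extended from your own telemetry, and a hit on the credential check is a reason to move the value into a Secret and rotate it, since anyone who could reach the pod spec has already seen it.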
It is also very likely that the attacker has automated exploitation of such misconfigured Kubernetes consoles; a quick Google search turns up this Reddit post. This is indicative of a growing trend in which hackers have found a new monetary opportunity: using compute resources from unsuspecting organizations to mine virtual currencies.
https://blog.redlock.io/kubernetes-cloud-security-breach-bitcoin-mining