Trend Micro announced a report revealing a fierce, hour-by-hour battle for resources among malicious cryptocurrency mining groups.
“Just a few hours of compromise could result in profits for the perpetrators. That’s why we’re seeing a continuous fight for cloud CPU resources. It’s akin to a real-life capture-the-flag, with the victim’s cloud infrastructure the battleground,” said Stephen Hilt, Senior Threat Researcher at Trend Micro.
“Threats like this need joined-up, platform-based security to ensure the bad guys have nowhere to hide. The right platform will help teams map their attack surface, assess risk, and apply for the right protection without adding excessive overheads.”
Threat actors are increasingly scanning for and exploiting these exposed instances, as well as brute-forcing SecureShell (SSH) credentials, in order to compromise cloud assets for cryptocurrency mining, the report reveals. Targets are often characterized by having outdated cloud software in the cloud environment, poor cloud security hygiene, or inadequate knowledge on how to secure cloud services and thus easily exploited by threat actors to gain access to the systems.
The vulnerability of the cloud
Cloud computing investments have surged during the pandemic. But the ease with which new assets can be deployed has also left many cloud instances online for longer than needed—unpatched and misconfigured.
On one hand, this extra computing workload threatens to slow key user-facing services for victim organizations, as well as increasing operating costs by up to 600% for every infected system.
Crypto mining can also be a precursor to more serious compromise. Many mature threat actors deploy mining software to generate additional revenue before online buyers purchase access for ransomware, data theft, and more.
The report details the activity of multiple threat actor groups in this space, including:
- Outlaw, which compromises IoT devices and Linux cloud servers by exploiting known vulnerabilities or performing brute-force SSH attacks.
- TeamTNT, which exploits vulnerable software to compromise hosts before stealing credentials for other services to help it move around to new hosts and…