Money Doesn't Grow on Trees, but it's Growing in the Cloud
RedLock CSI Team
10.05.17 5:59 AM
The RedLock Cloud Security Intelligence (CSI) team had previously reported (refer to the Public Cloud Infrastructure Security Trends May 2018 report) that hundreds of Kubernetes administration consoles are accessible over the internet without any password protection. For those unfamiliar with Kubernetes, it is an open-source platform designed by Google to automate deploying, scaling, and operating application containers.
Last month, the RedLock CSI team identified an open Kubernetes administration console belonging to Aviva, a British multinational insurance company headquartered in London, United Kingdom, with 33 million customers across 16 countries. Upon further investigation, the team found that the public cloud computing environment where this instance was hosted had been compromised. A malicious actor was stealing the "free" compute power within this environment to mine Bitcoins.
Unlike physical currency, Bitcoin is entirely virtual, and there are three traditional ways for malware to generate Bitcoins for its creators:
- Direct theft of private keys from Bitcoin wallets
- Ransomware that encrypts files and demands a Bitcoin payment to restore access
- Parasitic bots that "mine" Bitcoins with stolen processing power.
In this specific incident, attackers used Aviva's public cloud infrastructure as bots to mine Bitcoins, and it is important to understand the motivation here.
Bitcoin mining involves extremely sophisticated and time-consuming mathematical calculations. The cost of compute does not make it economically viable to mine Bitcoins on one's own hardware. However, that equation shifts to a more favorable one when the resources being used belong to someone else. Many criminals are taking advantage of poor cloud security practices and configuration mistakes to take over cloud instances belonging to large organizations, where the increase in spend due to Bitcoin mining will likely go unnoticed. Once they infiltrate the cloud environment, it is a simple matter to spin up a powerful virtual machine to generate Bitcoins while the subscribing organization gets stuck with the bill.
The RedLock CSI team found that Aviva's Kubernetes administration console was deployed on a cloud instance and accessible without a username or password. The console was leaking critical infrastructure credentials such as Amazon Web Services (AWS) access keys and secret tokens. The team then realized that the MySQL12 container was executing a Bitcoin mining command. The attacker had created a randomized email address ([email protected]), which was difficult to trace back to a specific entity; refer to the screenshot below for details. The RedLock CSI team notified Aviva of the findings, and Aviva's security team resolved the issues immediately.
It is also very likely that the attacker has automated the exploitation of such misconfigured Kubernetes consoles; a quick Google search turns up this Reddit post. This is indicative of a growing trend in which hackers have found a new monetary opportunity in using the resources of unaware organizations to mine virtual currencies.
Preventing Such Compromises
Large organizations are spending millions of dollars with cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. With decentralized adoption across organizations, the dynamic nature of workloads, and limited monitoring tools, it can be extremely challenging to detect such nefarious activities. However, there are a few things that can help organizations detect suspicious activities across fragmented cloud environments:
- Detect Environment: Organizations should deploy tools that can automatically discover workloads, categorize them by role, and build behavioral models to detect suspicious activities. This could have helped Aviva identify when a MySQL server was started in their environment.
- Monitor for Suspicious User Behavior: It is not uncommon to find cloud access keys exposed on the internet. Organizations need a way to detect account hijacking and brute-force logins to cloud environments. This requires an understanding of normal user activity and an automated way to detect anomalous behavior that goes beyond geo-location or time-based anomalies to include event-based anomalies. In this case, it is possible that Aviva's AWS secret keys leaked from the unprotected Kubernetes console were stolen and subsequently used to deploy the rogue compute environments.
- Monitor Configurations: With developers rapidly pushing configurations and code to production without security reviews, organizations should monitor for misconfigurations. This could have helped Aviva detect that an unprotected Kubernetes console had been pushed into production.
- Monitor Network Traffic: By monitoring network traffic and correlating it with configuration data as well as threat intelligence feeds, Aviva could have detected suspicious network traffic being generated by the rogue compute environments to IP addresses and ports such as 18.104.22.168:8220.
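The "Detect Environment" and "Monitor Network Traffic" tips above can be turned into concrete checks. The following is an added example written for this page, not RedLock's or Aviva's code: one function scans a Kubernetes pod listing for containers whose command line carries a miner indicator (which is how a repurposed MySQL container would surface), and the other walks flow-log records, flags accepted connections to a threat-intel IP or to the mining port named in the post, and tags each hit with the source workload's role from an inventory so the analyst sees a database node talking to a mining pool. It assumes the pod listing is the JSON that `kubectl get pods -o json` returns, that flow records use the AWS VPC Flow Log version 2 field order, and that the role map comes from the organization's own inventory; the miner name patterns, account id, interface ids, addresses and the `pool.invalid` hostname are constructed sample values.

```python
"""Workload and flow-log checks for the cryptomining scenario in the post.

Added example, not RedLock's or Aviva's code. Assumptions: the pod listing
is the JSON that `kubectl get pods -o json` returns; flow records use the
AWS VPC Flow Log version 2 field order; the role map comes from the
organization's own inventory. All sample data below is constructed.
"""
import json
import re

# Command-line markers of well-known open-source CPU miners plus the Stratum
# mining-protocol URL scheme. A real deployment would load indicators from a
# feed rather than hard-code them.
MINER_PATTERN = re.compile(r"stratum\+tcp://|xmrig|minerd|cpuminer", re.IGNORECASE)

# The destination and port named in the post.
THREAT_INTEL_IPS = {"18.104.22.168"}
MINING_PORTS = {8220}


def suspicious_containers(pods_json):
    """Return (namespace/pod, container) pairs whose command or args match a
    miner indicator. A database container should never carry such a line."""
    hits = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        pod_ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for container in pod.get("spec", {}).get("containers", []):
            cmdline = " ".join(container.get("command", []) + container.get("args", []))
            if MINER_PATTERN.search(cmdline):
                hits.append((pod_ref, container.get("name", "?")))
    return hits


def suspicious_flows(flow_log, roles):
    """Return accepted flows to threat-intel IPs or mining ports, each tagged
    with the source workload's role from the inventory map."""
    findings = []
    for line in flow_log.splitlines():
        fields = line.split()
        # v2 layout: version account eni src dst sport dport proto pkts bytes start end action status
        if len(fields) < 14 or fields[0] != "2":
            continue  # header, truncated or non-v2 record
        src, dst, dport, action = fields[3], fields[4], int(fields[6]), fields[12]
        if action != "ACCEPT":
            continue  # a blocked attempt is worth alerting on elsewhere, but no data moved
        reasons = []
        if dst in THREAT_INTEL_IPS:
            reasons.append("threat-intel IP")
        if dport in MINING_PORTS:
            reasons.append(f"mining port {dport}")
        if reasons:
            findings.append({"src": src, "role": roles.get(src, "unknown"),
                             "dst": f"{dst}:{dport}", "reasons": reasons})
    return findings


# Constructed sample pod listing: a normal web pod and a database pod whose
# container has been repurposed to run a miner.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "nginx", "command": ["nginx", "-g", "daemon off;"]}]}},
    {"metadata": {"namespace": "default", "name": "mysql12"},
     "spec": {"containers": [{"name": "mysql",
                              "command": ["sh", "-c"],
                              "args": ["minerd -o stratum+tcp://pool.invalid:8220"]}]}},
]})

# Constructed VPC Flow Log v2 records (account id and interface ids are placeholders).
SAMPLE_FLOWS = """\
2 123456789012 eni-0aaa 10.0.1.25 18.104.22.168 49152 8220 6 200 40000 1507190000 1507190060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.25 10.0.1.10 49153 3306 6 10 800 1507190000 1507190060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.7 198.51.100.9 49154 443 6 30 9000 1507190000 1507190060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.7 18.104.22.168 49155 8220 6 5 400 1507190000 1507190060 REJECT OK
"""
# Constructed inventory: which role each private address was provisioned for.
SAMPLE_ROLES = {"10.0.1.25": "mysql", "10.0.2.7": "web"}

if __name__ == "__main__":
    for pod_ref, name in suspicious_containers(SAMPLE_PODS):
        print(f"miner-like command in {pod_ref} container {name}")
    for f in suspicious_flows(SAMPLE_FLOWS, SAMPLE_ROLES):
        print(f"{f['src']} ({f['role']}) -> {f['dst']}: {', '.join(f['reasons'])}")
```

Run against the constructed data, the first check reports the `default/mysql12` container and the second reports a single accepted flow from the host inventoried as `mysql` to 18.104.22.168:8220; the rejected attempt from the web host is skipped because nothing got through. The role tag is the correlation step the post calls for: the same destination is far more alarming from a database node than from a workload expected to reach the internet.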
To get 17 other tips to fortify your public cloud computing environment, download the Cloud Security Trends September 2018 report published by the CSI team.