Security Experts: How Hackers Target Cloud Services for Bitcoin Profit

Hacking to Mine Bitcoin

While Bitcoin is growing in popularity, driven partially by frequent shifts in its value, the cyber-currency remains difficult to obtain. Cyber-criminals are increasingly crafting campaigns to steal computing resources to generate more Bitcoin.

Unlike traditional physical currency, Bitcoin is entirely virtual and is “mined” by computers performing extremely complex and time-consuming mathematical calculations. Once the cost of the powerful hardware required, the electricity and bandwidth consumed, and the time spent waiting are factored in, many people have better uses for their money and time.

However, that equation changes to a more favorable one when the resources being used belong to someone else. Some criminals are taking advantage of poor cloud security practices and configuration mistakes to take over user cloud instances on Amazon Web Services and similar cloud infrastructure platforms. Once in, it's a simple matter to spin up a powerful virtual machine to generate Bitcoin while the user is stuck with the bill.

“It is not generally economically viable to mine Bitcoin if the process involves paying for all of the resources required,” said Michael Sutton, vice-president of security research at Zscaler.

Basic Mistakes

Managing credentials such as access codes, passwords, and private keys has always been a challenge, and even more so when developers are using cloud servers to build and test their applications. Developers may share credentials among the team, or hard-code the keys in the code during development and testing. The plan would be to remove them before going into production.

When it comes to the cloud, simple mistakes get magnified. Forgetting to remove these keys can have disastrous consequences. Rich Mogull, president of analysis firm Securosis, discovered that the hard way recently. 

Mogull had inadvertently exposed the private key for accessing his Amazon Web Services instances on the code repository GitHub. He had included the keys in a secondary testing file and had overlooked it because the line was commented out. Within hours, attackers had found the file and launched ten “extra large instances” under his account as part of a Litecoin/Bitcoin mining operation, Mogull wrote in a blog post. These virtual machines had already been running for 72 hours before Mogull discovered them and shut them down.

“Attackers are scraping GitHub for AWS credentials embedded in code (and probably other cloud services)...They then use these to launch extra large instances for Bitcoin mining, and mask the traffic with Tor,” Mogull wrote.

Mogull is not alone in making this mistake. Bishop Fox researchers demonstrated how attackers could use Google code search to find credentials for public cloud services such as Amazon EC2 at the Hacker Halted conference in Miami a few years ago.

Mogull was lucky. Amazon notified Mogull that he'd exposed his AWS private key on GitHub, and that someone may have already stolen the key. “We recently became aware that your AWS Access Key (ending with 3KFA) along with your Secret Key are publicly available on github.com...We also believe that this credential exposure led to unauthorized EC2 instances launched in your account,” Amazon wrote in an email. If Amazon hadn't been monitoring GitHub for private keys, it may have taken Mogull longer to detect the mining operation, and the resulting bill would have been greater than $500. Fortunately, Mogull said that Amazon reached out to him and reversed the charges, without him asking them to do so, or even contacting them at all.
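The trap Mogull fell into was a credential sitting in a commented-out line of a test file, which a scraper reads just as easily as live code. The following scanner, added here as an illustration and not code from the article or from Amazon, looks for AWS access key IDs and secret keys in a file's text, flags whether each hit is commented out, and reports only the last four characters, as Amazon's own notice did. The sample file and its key values are constructed; the values are the placeholder credentials from AWS's documentation, not real keys.

```python
import re
from dataclasses import dataclass
from typing import List

# Long-term AWS access key IDs are 20 chars beginning with AKIA (temporary ones with ASIA).
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys are 40 base64-like chars; anchor on a nearby "secret ... key" label to cut noise.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,4}([A-Za-z0-9/+=]{40})\b"
)
COMMENT_PREFIXES = ("#", "//", "--", "/*", "*", ";")


@dataclass
class Finding:
    line_no: int
    kind: str        # "access_key_id" or "secret_key"
    suffix: str      # last four characters, like the "ending with ..." in Amazon's notice
    commented: bool  # True if the line is commented out, which still leaks the key


def is_commented(line: str) -> bool:
    """A commented-out credential is still readable by anyone who clones the repo."""
    return line.lstrip().startswith(COMMENT_PREFIXES)


def scan_text(text: str) -> List[Finding]:
    """Return every AWS access key ID or secret key found in text, one Finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex in (("access_key_id", ACCESS_KEY_ID_RE), ("secret_key", SECRET_KEY_RE)):
            for match in regex.finditer(line):
                findings.append(Finding(line_no, kind, match.group(1)[-4:], is_commented(line)))
    return findings


# Constructed sample test-settings file. The key values are the placeholder credentials from
# AWS's own documentation, not real keys. Lines 3 and 4 are commented out, as in Mogull's case.
SAMPLE_TEST_SETTINGS = "\n".join([
    "# staging settings (constructed sample)",
    'AWS_REGION = "us-east-1"',
    '# AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '# AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'aws_access_key_id = os.environ["AWS_ACCESS_KEY_ID"]',
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEST_SETTINGS):
        state = "commented out" if f.commented else "live"
        print(f"line {f.line_no}: {f.kind} ending with {f.suffix} ({state})")
```

Run as a pre-commit hook over staged files, the scanner blocks the commit whenever `scan_text` returns anything; the line that reads the key from the environment is correctly left alone.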

Remote Access Tools

Attackers are always looking for holes in installed applications to exploit. In the case of Pedro Rio, a developer with XEO Framework, attackers took over his virtual private server by exploiting a vulnerability in JBoss's HTTP Invoker. The remote code execution flaw allowed an attacker to overwrite the shell and install a miner application without his being aware of it. He first discovered something was wrong when he received an alert that the CPU usage on the server exceeded 90 percent for more than two hours.

“Anyone from around the world can try to frak you and you must be very careful. I overlooked the deployment of the web console and HTTP Invoker and I paid for that,” Rios wrote.

Keeping Security Top of Mind

Gartner estimates the cloud infrastructure market to be worth $9.2 billion as more companies shift from physical servers to cloud data centers. This means, however, that organizations have to be better about securing their data and applications, as well as access to their servers. Last year, researchers from Rapid7 discovered that many organizations storing data on Amazon Simple Storage Service (S3) were inadvertently exposing it to the public.

While traditional money making schemes such as phishing and adware will remain more lucrative, “we are seeing botnet herders increasingly willing to lend a percentage of their stolen CPU cycles to Bitcoin mining,” Sutton said.

With Bitcoin rising in value, mining attacks will become more commonplace. Organizations using cloud infrastructure should regularly check the management console to see what resources are being used and regularly audit all virtual machines to ensure they haven't been compromised. Amazon offers detailed instructions on how to build applications without exposing private keys in applications, and if it's necessary to do so, how to regularly rotate the keys.

Cyber-criminals know that companies aren't always careful about securing cryptographic keys in the cloud, so that is exactly what they will target. It's important to take control and make sure you know where your keys are and who is using them.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.