In the past few years, the definition of IT infrastructure has shifted from self-hosted servers and data centers to cloud computing and virtual machines. Cloud services became popular mainly because of the flexibility they offer in capacity and performance. Providers such as Amazon Web Services and Azure can supply virtually unlimited processing power, bandwidth, and storage, which makes them attractive to customers who want to run their applications without worrying about resource limits.
While a pay-as-you-go cloud subscription is a convenient way to run web applications and other software, it can also become a liability if the account holder gets careless. Without proper attention to security, cloud hosting and storage accounts can be compromised with malware not only to steal data but also to run processor-intensive tasks at the customer’s expense. Cryptocurrency mining is one such task, and cloud-based machines are an ideal fit for it given the processing power available. The cost of running such a workload, however, is often many times the value of the cryptocurrency mined.
The attackers need not care about that cost: the original owner of the cloud account foots the bill, while all mined cryptocurrency goes to the cybercriminals’ wallets. At the same time, cloud providers have security features in place that prevent, or at least detect, such threats in most cases. In a recent blog post, Microsoft discusses a case involving such malware and the role of Azure Security Center and threat intelligence in detecting the threat and helping to disable it.
According to the blog post, Azure Security Center played a significant role in helping researchers discover a ring of mining activity involving a Cryptonight-based cryptocurrency. The security software detected one of the accounts being compromised by what appeared to be a patch for pirated software. As the cybersecurity team started monitoring the instance, they discovered that the malicious scripts were connecting to the Sharkcoin cryptonet pool. The mining services were found disguising themselves as legitimate Windows services, hiding in plain sight. The mining malware was also found to be communicating with an IP address in Korea, prompting speculation about its origin.
In the same blog post, Jessen Kurien from Cloud Security Investigations & Intelligence at Microsoft Azure Security also lists a few remediation steps, which include: resetting passwords, running a ‘Defender’ scan, applying critical and security OS updates to all virtual machines, ensuring all OS configurations follow the recommended settings, conducting regular backups, and avoiding the use of cracked or pirated software.
Microsoft also recommends that Azure users configure Azure Security Center to send email notifications, so that they are alerted in case of any suspicious activity.
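The post describes miners registered as Windows services to blend in, and lists a Defender scan among the remediation steps. The following PowerShell script is an added example written for this article; it is not code from Microsoft’s post and does not reproduce the specific malware. It audits the services on a Windows VM for two simple signals an administrator can check from an elevated prompt: a service binary living outside the Windows or Program Files directories, and a binary without a valid Authenticode signature. For each flagged service it also lists the established outbound TCP connections of the service’s process, which is how an analyst would spot a persistent connection to an unfamiliar remote address such as a mining pool. It finishes by starting a Defender quick scan. The trusted-directory list and the decision to skip svchost-hosted services are assumptions made for this example.

```powershell
# Added example (not from the Microsoft post): audit Windows services for binaries that
# sit outside the usual system directories or lack a valid Authenticode signature, show the
# outbound connections of any flagged service, then run a Defender quick scan.
# Run from an elevated PowerShell prompt on the VM being investigated.

# Directories a legitimate service binary is normally installed under (assumption for this example).
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ }

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service's PathName may be quoted and carry arguments, e.g. "C:\dir\svc.exe" --flag
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName

    # svchost-hosted services share one signed host binary; their DLLs need a separate check.
    if ($exe -like '*\svchost.exe') { continue }

    $sigStatus = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else {
        'FileMissing'
    }

    $reasons = @()
    if (-not (Test-UnderTrustedRoot $exe)) { $reasons += 'binary outside system/program directories' }
    if ($sigStatus -ne 'Valid')            { $reasons += "signature status: $sigStatus" }

    if ($reasons.Count -gt 0) {
        # Established outbound connections of the service process, if it is running.
        $remotes = @()
        if ($svc.ProcessId -gt 0) {
            $remotes = Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established `
                           -ErrorAction SilentlyContinue |
                       ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            Binary      = $exe
            Reason      = $reasons -join '; '
            Remotes     = ($remotes -join ', ')
        }
    }
}

if ($findings) {
    Write-Host "Services worth a closer look:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No service binaries outside trusted roots or with invalid signatures."
}

# One of the remediation steps from the post: run a Defender scan.
Start-MpScan -ScanType QuickScan
```

A hit in this list is a lead, not a verdict: legitimately installed third-party agents are sometimes unsigned or live in unusual directories, so compare each flagged binary against the software inventory for the VM before stopping the service. The connection column is the useful part for the scenario in the article, since a mining service keeps a long-lived connection to its pool that stands out once the process is identified.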
Ref: Azure Blog | Image: NewsBTC