Most attacks targeting cloud infrastructure deploy cryptocurrency mining malware rather than execute other forms of cyber attacks, a study by Aqua Security found. The study, which took place between June 2019 and July 2020, analyzed over 16,371 attacks on honeypot servers. The decoys were deployed to study the pattern of cyber-attacks on cloud servers. The researchers noted that these forms of attacks increased by up to 250% from the previous year. This development was because the attack landscape shifted towards organized cybercrime, where criminal gangs invested in more cloud infrastructure, the researchers said.
Cryptocurrency mining cyber attacks most prominent on cloud servers
Aqua’s “2020 Cloud Native Threat Report” noted that hackers attempted to take over cloud servers and deploy malicious containers and server images. Most of the images (95%) were aimed at mining cryptocurrency instead of exfiltrating sensitive data or executing other forms of cyber-attacks. The researchers noted that only 5% of the containers deployed on cloud servers were used in executing DDoS attacks.
Cyber attacks shifted towards organized cybercrime
Aqua Security researchers discovered that the threat landscape shifted towards organized cybercrime rather than individual hackers working alone. This allowed threat actors to invest in more cybercrime infrastructure, leading to increased frequency and sophistication of cyber attacks targeting cloud servers.
Intrusion methods are also diversified because of the collaboration between various threat actors. The report authors speculated that the trend was expected to continue as attackers diversified the attack vectors and objectives.
Some notable exploit methods highlighted by the researchers included the exploitation of unpatched systems, scanning exposed cloud servers or those with open passwords, and brute force attacks. Attacks on misconfigured servers also rose sharply at the beginning of the year.
Cybercrime gangs also conducted supply chain cyber attacks against companies managing cloud computing infrastructure. These forms of cyber attacks allowed them to compromise more accounts for deploying their cryptocurrency mining malware.
The deployment of malware in public registries also became a common method of installing cryptocurrency mining malware. These images remained dormant and activated once the containers were deployed on cloud servers. By doing so, the hackers could distribute their malware to more cloud server instances without necessarily breaching the systems.
Aqua researchers also found that there was an increase in the complexity of cryptocurrency mining malware. The rogue software could perform advanced functions to cement its domination of the cloud servers.
For example, attackers deployed multi-stage payloads and applied 64-bit encoding to avoid detection. The attackers also disabled rivals’ cryptocurrency mining malware to maintain exclusive control of the hijacked cloud servers. Kicking rivals off the server freed them from the need to compete for resources on the compromised cloud servers.
Aqua’s report also found that profit-making was the primary motivation of the threat actors. This motive influenced their decision to focus on cryptocurrency mining instead of other forms of attacks.
Commenting on the increased frequency of cryptocurrency mining cyber attacks targeted at cloud servers, Javvad Malik, a Security Awareness Advocate at KnowBe4, says:
“There are no digital resources that criminals can’t find a way to take advantage of. Whether that be an account credential, an unsecured cloud server, or an unclaimed domain name. All of these can be directly or indirectly exploited to launch attacks or make money. It’s why organizations should not only focus on the impact of threats but the root causes and finding ways to close those avenues. This translates to having a culture of security in which all aspects of security, from design, implementation, to assurance is considered to ensure that an organizations’ digital assets are a less attractive target for criminals.”