What is cryptomining?
Malicious cryptomining or cryptocurrency-mining is when cybercriminals exploit unpatched vulnerabilities, weak credentials, or misconfigurations to enter systems and utilize its computer power to generate cryptocurrency.
DevOps and cryptomining
While ransomware seems to be the hot topic, cryptomining is still a cyberattack with dire consequences. Remember Apache Log4j (Log4Shell)—to be honest, who can forget? This critical vulnerability was mostly observed in the wild in cryptomining attacks.
Think of the uptick in cryptomining like the Klondike Gold Rush in the Yukon; as the value in gold increased, so did gold mining and exploration. Similarly, as the value of cryptocurrencies like Bitcoin increase, the more cybercriminals are likely to mine for cryptocurrency.
This article explores the latest report from Trend Micro Research, which investigated the most prominent cryptomining groups to determine the impact on DevOps processes and tools and establish mitigation strategies.
Impacts of cryptomining for DevOps teams
Resource consumption and cost
Cryptominers abuse compute power to mine as much cryptocurrency possible in the shortest amount of time. So naturally, their attacks target cloud services due to its scalability and ability to quickly spin up new instances. What does this mean for DevOps teams? If your environment is set to auto-scale, legitimate projects can be scaled up and cost more, making these attacks difficult to detect until you receive a humongous bill.
CI/CD pipeline abuse
Miners have also turned to abusing CI/CD platforms as they’re often quite powerful and most providers have a free tier. This is the ideal situation, because it doesn’t require the effort or risk of exploiting another company’s cloud deployments. Instead, they simply sign up for the free tier, write script, and push them to public repositories like GitHub where unsuspecting developers leverage. And voila, they’re now in complete control of your CI/CD pipeline.
For example, a cryptominer created a simple repo on GitHub which looked legitimate at first glance. However, in this repo, the user had the definition for five different CI providers, so for every commit received, it launched all of those resources, allowing them to mine cryptocurrency to their heart’s content.
Workflow downtime
One of the tell-tale signs of cryptomining is your systems lagging. For instance, you might notice your hosted CI agent is slower than usual or picking up jobs with more delay. Furthermore, if your services do start lagging, security operations may add extra delays as they investigate the cause. As a developer, you simply don’t have the time for even the smallest interruption. You need to be as agile as possible, deploying new (and secure) projects to market at breakneck speed.
Part of a larger attack
As we mentioned, most organizations are focused on fending off data exfiltration or ransomware attacks, but cryptomining should be approached with the same seriousness. Trend Micro Research compared a successful cryptomining attack to “a canary in a coal mine”, which means it’s an indicator of poor security hygiene that can expose you to wide variety of attacks. This is because cryptomining groups use the same tools, techniques, and tactics to gain access to your systems and services used by other cybercrime groups who sell access or ransomware malware.
Mitigation strategies for cryptomining
So, how can you proactively prevent cryptomining attacks from leeching off your cloud compute services? The good news is, since these groups use the same attack tactics as other cybercriminals, your defense strategy will bolster your security process across your attack surface. This means that you don’t need to look for specific point products that can only defend against cryptomining. Instead, search for a cybersecurity platform vendor that can address cryptocurrency attacks and other critical threats without adding complexity for security teams.
DevOps teams should look for a cybersecurity platform that helps security teams detect and respond to threats as early in the build process as possible without slowing down developers. Consider the following capabilities to help your security and development teams better understand, communicate, and mitigate threats:
- Broad integration with a growing list of ecosystem partners like firewalls, vulnerabilities, management products, Microsoft Active Directory (AD), SIEMs, and SOARs to deliver more analytical data and optimize processes and workflows.
- Continuous attack surface monitoring to effectively address risk, including suspicious user behavior. Leveraging the Zero Trust approach ensures only validated users, devices, and applications are granted accessed and if any suspicious activity is identified, access should be immediately terminated.
- Virtual patching to minimize the chance of vulnerability exploitation in outdated software versions before a vendor patch is released or to help with your current patch management process.
- Extended detection and response (XDR) to collect and correlate deep security data across endpoints, email, network, and cloud for enhanced visibility and faster detection and response.
- Intrusion detection and prevention systems (IDS/IPS) that can limit and filter both ingress and egress network protection for known exploits.
- Customizable rules to monitor resource utilization, track open ports, and check the usage of and changes made to DNS routing.
- Leverage industry standards and frameworks such as MITRE ATT&CK to help defenders identify the most common tactics and techniques (TTPs) observed amongst cloud-based cryptomining groups.
Next steps
For more security insights into the cryptomining landscape, check out our extensive research report and one-page primer.