
So, I'm Chris. I look at malware, that kind of stuff. I'm also a developer on ThreatCrowd, a threat intelligence platform, and Open Threat Exchange. Is the mic okay? It is, isn't it? Oh, thank you. Oh yeah, I could project my voice. If anyone's got questions about those, usually just hit me up. I'm gonna talk about cryptojacking, mostly with a cloudy kind of angle. I'm not sure if everyone knows what cryptojacking is. I practised this talk on my girlfriend last night, and I know, we have great Thursday nights; she was laughing every time I said the word cryptojacking, so I probably should explain it. Give me a hand signal if you've got it already.

So, cryptocurrencies: things like Bitcoin, probably the most famous one. The key thing about cryptocurrencies is that you have to mine that currency, so basically you're kind of making value yourself using your computing resources; you're solving, basically, complex equations. So cryptojacking is when you're doing it without someone else's permission. So rather than paying for your own computing power, rather than having to run your own, like, Bitcoin mine or power station somewhere, you can hack into a bunch of other people's computers and you can make money that way. And if anyone has any questions, by the way, just shout them out, or put your hand up, or throw something; that's fine too.

So yeah, obviously cryptocurrencies have had a pretty crazy couple of years in terms of pricing. So back in 2017 there was a big shoot-up, where you're seeing, like, public transport adverts telling you to bet your pension on Bitcoin, that kind of thing. Then, as we know, there's a bust about to happen. Maybe there's some good news there too though, because there's a direct correlation between how much malware and, in general, attacks are targeting the currency and the price of it. So when we saw Bitcoin and Monero and other currencies shooting up in 2017, you see a lot less ransomware targeting people, because the attackers are switching out for the miners; they're making more long-term gains that way. Now that the prices go down, I suppose, you know, some of the trends don't look very clear.

Kind of quantifying the potential damage, or how much money people are making: the best attempt I've seen is by Palo Alto, who released a blog last year. Just to explain that: at the top, that's the Monero wallet ID, and that's how much money that particular attack has made. So with Bitcoin there's a public ledger, so you can see how much every wallet ID has; so, you know, some people have millions, from legitimate mining. With Monero it's more tricky; it's an anonymous currency, so you can't just go and see someone's wallet and see how much money they've made. There are public mining pools, which is where most of this mining goes through; they pool their resources to get more kind of stable earnings from mining. You can go there and basically query the wallet ID and get the same figure out. So Palo Alto, they ripped out a bunch of wallet IDs from malware and this is what they saw. Bit of a caveat here: that top one, where they made what at that time was 15 million dollars' worth, I looked at that and I could only find one sample for that wallet ID. So basically that means maybe that was, like, a legitimate miner's wallet with a little bit of malware as well, or maybe there's a bunch of mining going on that I can't see in my telemetry, that many infections. Anyway, basically, some people are making a lot of money. Their estimate was that about five percent plus of the Monero that's been mined out there, five percent of those coins, have been mined illegally through cryptojacking. So Monero has a market cap of a bit over a billion pounds, so, you know, at least, like, 50 million pounds' worth probably has been mined on machines without permission.

So, a couple of more interesting cryptojacking stories. Normally we're seeing this delivered through, like, an email or a download; now, my stuff is a bit more interesting. So the website Coinhive, if you guys are familiar with Coinhive, they had quite a nice idea: they wanted to help fund your favourite websites by letting them mine Monero in your browser. So if you went to the Pirate Bay's website, it'd be mining in the background while you're on the website and making them a bit of cash. But obviously quite quickly bad guys started using it. One of the tricks they're doing was they're compromising people's home Wi-Fi routers and they're injecting it so that every single website that person visits has Coinhive added to it. So this is an internet scan, and from the addresses it shows I can see there are 50,000 compromised routers right now. I haven't even told these people yet, but every single website they visit is super slow and they're probably wondering why. There you go.

Another very interesting trend we're seeing, and a pretty important one, is the rise of crypto-mining worms. So this is one I looked at a while ago, a Monero miner; it was scanning the entire internet using something called masscan, then they'd break out Nmap to find more victims and scan the network. The way it spreads to other networks: it's got a bunch of different exploits built in. So if you're running Oracle WebLogic, like the Alert Logic guys were talking about earlier, that's had a lot of security issues, so it'll get in through some of the exploits; there's one in there right now, I believe, that there isn't detection for yet. EternalBlue, obviously a rather famous exploit for Windows. It does SQL brute force, so if you're running Microsoft SQL it guesses a bunch of passwords. If you're running a honeypot you'll be seeing this stuff hitting you all the time; it's been spreading around the internet, and these guys are making, they're earning, money like a few tens of thousands of dollars. That ain't too bad. Cisco identified someone behind, not that campaign but a very closely related one, and it looks like it was a kid at a university outside Shanghai, so some, like, undergrad; he's driving a Porsche around. So yeah, good money. You know, I think it also installs a backdoor and disables security too. So the problem is that once they've infected you, someone else can come and take all your business data. So it's not just mining malware where you have, like, a super slow database for your business: they turn off your firewall, they turn off your antivirus, they change the permissions on the file system, so, yeah, the next people can get at it easier as well.

So this, at first, looks like a pretty boring piece of crypto-mining malware. Taking a look at it, you can see there it copies itself to the Windows folder, then runs it from there. It's .NET; .NET is very easy to decompile. I don't want to guess. What's kind of interesting about this piece of malware though, if you see in the code, the TLD of the domain there is .kp. So this was going off to a Monero pool server at a university in Pyongyang, North Korea. And this is pretty interesting, because that university is known to be linked to a couple of attacks, and also they're investing in crypto mining, because if you're in a country with a lot of sanctions and you need to make some money, crypto mining is quite attractive. After this, the same piece of malware, same wallet ID, was being used in some more real-world attacks, but at that point they're pointing to some publicly available Monero pool servers. So I think in this case this is kind of just a piece of software they're probably just playing around with. Obviously it could be falsified, and someone changed the domain name to point the finger. It's the kind of thing, just because, um, this has nothing to do with the cloud obviously, but it's kind of interesting because of who's behind it.

This is more malware: so the same month as WannaCry, and that was obviously in the news quite a bit, those were later said to be attackers quite closely related based on code reuse, which the other speaker talked about, and some other stuff too, and they started hitting crypto exchanges in South Korea. This is the malware they were deploying; they were sending across fake CVs that deployed this malware. It impersonates a piece of South Korean forum software, and they stole, like, 20 million bucks from a crypto exchange, and they've been hitting them periodically since then too. Now, it's kind of interesting, that bit, so yeah, cryptocurrency is also useful for many things, including illicit transactions.

On to more kind of cloudy things this time. So when most people talk about something like cryptojacking in the cloud, this is probably the most common example. So I know a couple of people, maybe you do too, who've had their AWS accounts compromised. It's very easy: so if you're, like, writing some code and then you accidentally type your AWS key on the command line (it happens quite a lot) and your bash history ends up on GitHub, or if you leave a variable named AWS key in your code that goes to GitHub, what we see happen pretty quick, within a couple of minutes, is that you have malicious people in your AWS account spinning up lots of EC2 instances to mine Monero. And the way that works is that GitHub has a fantastic search API; you can find them pretty easily. Some people are continuously scanning the repos so they can spin up a bunch of evil Monero-mining machines. Yeah, still a problem. There's some good news though. So AWS, if it happens to you, they will normally waive the fees if you've let them know really quickly; they will also try to let you know as well. I'll talk about some of the ways they detect that. Amazon's released some code as well on GitHub, ironically, that you can download and run to keep checking your public Bitbucket and GitHub accounts to make sure you haven't accidentally done this yourselves. So just to be aware of all the other problems: what happened to a friend of mine is that there's a limit on how many machines you can spin up to mine cryptocurrency, and when they hit that limit they start taking down your production services, because they want to mine more Monero before you can kick them out of your account. So it can be quite obvious when this happens as well.

So Kubernetes, I'm never quite sure how to pronounce this one: next-gen DevOps infrastructure, a service orchestration platform for containers. So basically it runs a bunch of things like Docker, kind of virtual machines if you're not familiar with Docker. I guess the main point here is if someone compromises the Kubernetes cluster then it's bad, because it's multiple different machines potentially. Like a lot of kind of next-gen DevOps tech, it doesn't have all the most authentication built in unless, you know, you actually go round enabling it; same with things like databases: you can enable authentication, but forget to. So there's 18 thousand openly accessible Kubernetes clusters, which isn't great, but a lot of them, like this one here, do have authentication enabled. However, a lot don't. So this is searching again, this is this week: there's 300 different servers that are all compromised, and the way we can tell they're compromised is because the Kubernetes clusters are running a Docker container called 'y1 ee one one five'; that container is a Monero miner, so everyone on that search page has a big problem. Also, credit to the people that showed this to me, the two people that run this kind of search engine.

This happened to Tesla as well; that was in the news last year. Tesla had an issue where they had an open Kubernetes cluster; someone logged in and they just spun up some crypto-mining malware and ran it on all these machines. Obviously, potentially that could have been worse, because, you know, it was Tesla, and it had a bunch of customer data in there around where cars were, that kind of personal information. The report on the Tesla compromise called it not that bad, though. You could see the domains the attackers were using, so they were sending all the mined cryptocurrency to, and downloading updates from, mr. mania X pay x8 x8 up EU. So I took a look at that domain, and they're also using it in a bunch of other attacks. So the same people, as well as targeting the Kubernetes clusters, have done other software too. In this case they found a nice vulnerability, I think maybe developed themselves, it's not publicly available, in the Vesta control panel, which is a lot like cPanel if you've used it before, a piece of software where you can, like, deploy WordPress and certain other things. Basically, again, it's kind of an administration tool for lots of server machines, I guess. Yeah. Nothing too interesting, by the way, in the way they're doing it. Generally when you have a server compromised, what you'll see the attacker do is they kill competing miners, because a lot of people are also mining on there too; so we can see them running 'pkill xmrig'. XMRig is the most popular of the mining tools, you know; they all battle each other continuously. They'll do things like install persistence, so if you ever have a compromised Linux box with mining malware, you'll probably find a crontab, so the set of scheduled tasks, where you find they download the latest JavaScript every day and just continuously update. Also, if you do run Vesta control panel, there was a while where their source code was compromised and every single installation of Vesta in the various places out there was sending the username and password off to this server, which isn't great; and then they'd come back a few minutes later and use that. So yeah, a train wreck of a security issue.

Docker, yeah, just FYI: if you pull an image from Docker Hub, you need to check what's in there. So there's a good research post by Trend Micro, and they found if you downloaded, say, Apache and PHP from Docker Hub (Docker Hub is a place where you can download lots of production images for Docker containers), some of them were actually hiding a Monero miner in there that was continuously running, using up, let's say, some CPU cycles. So yeah, anything downloaded from the Hub, double check what is in there. This one's still up, actually; I need to make a complaint.

Another kind of cloudy, next-gen issue, if you like: open, world-accessible S3 buckets. So there were a couple of news websites that had an issue last month where they were loading all of their JavaScript resources on their web pages from an S3 bucket, which is fine, but they'd set it up as world-writable, and then what happened, because anyone could basically write to those, an attacker came in and they added some code, and what their code was doing was in-browser mining, so a bit like Coinhive but with their own custom code. So if you're running AWS you want to obviously check the permissions on your S3 buckets. You hear more around that kind of thing when, like, someone has their personal data in S3 and they've left it publicly accessible, but people can attack through it as well. So yeah.

I think I'm running out of time, so we're very close to the point where you can go and get a beer. Some ideas for detection. So YARA rules: if any of you analyse malware regularly, you're very familiar with this; this is basically how you write your own antivirus scanner. This is the rule that we run to detect XMRig, which is the most popular miner out there. It's fine to basically look for a file on your system with, like, the word 'xmrig' in there, that kind of thing; if you find that on your database server, you're gonna take a look at it. There's a couple of ways you can detect the network side of mining as well, so things like the Stratum network protocol: this is kind of how Bitcoin works, perhaps; it sends off and receives mining jobs and works out how much money's made. That's very easy to detect on the network, because it's not an encrypted protocol in itself, so you can detect it very easily. Also, for example, Amazon AWS and, I suppose, Azure, that's a lot of how they will detect this too: so they see this kind of traffic coming out of your environment. It's often easier for them to spot than you, because it's happening in the cloud, which can be a bit tricky. On the host side, you'll see it on the command line: if you see a machine, something running the command 'miner -o' or something, '-o', by the way, 'stratum' in there, with, um, a username and password, that's something. Maybe another time; it's rare where you have a little bit of a program like that. It's almost certainly a piece of mining malware, or one of the employees mining illegally. And the way that you detect this, if you're not already doing this in your environment, you can do it for free: so in Windows you have Sysmon, someone talked about it earlier; you just track all the commands that run. On Linux we use osquery, a free tool from Facebook; you just check all the commands that execute too.

Similarly, if someone's exploiting, say, your Apache Struts box, you can obviously write a network rule for that; Snort or Suricata, you can look for what's there, and there's, like, free rulesets, and that does work quite well. But you also want to generically detect the next exploit that you don't know exists yet, so you can do that by looking for things like: is your Apache Tomcat process suddenly running bash? Is it running 'bash -i', so interactively, like a reverse shell? Is suddenly your, um, Java process running something dodgy? Yeah, you get the idea. Basically you can chain these things together and, even if you can't detect the exploit itself, you can generically detect this bad activity. It's pretty easy to do. More kind of cloudy things: in Docker, you see some parameters they've been kicked off with, the way the XMRig is run. Again, pretty reliable detection; we run that, there's no false positives yet.

Then there's more proactive stuff. So I mentioned people creating S3 buckets with the wrong permissions; you can alert on that kind of thing and watch out for it. There's a bunch of kind of cloud-specific things that AWS and Azure do. In the case of them compromising an EC2 instance, or taking over an entire AWS account, you might get an alert saying there's been a lot of EC2 compute instances terminated, so they're kicking off your boxes so they can spin up their own. You want to get alerts too for things like there's a lot of boxes suddenly being spawned in a very short amount of time. Amazon have their own custom thing where they'll hit you up as well. For Amazon you have GuardDuty; you have to pay for that, I believe. Yeah, it's got some nice detections in there too, and it kind of goes on top of some of their other APIs. So CloudTrail is basically the kind of API logging service for AWS; GuardDuty does a nice amount of stuff on top of that, plus you can write your own rules too if you want. Similar stuff too in Security Center on Azure: they have an alert called 'Bitcoin tools'. That one's from the AWS side, and Azure will have one with, like, 'crypto mining', and they're pretty obvious what they are; but, you know, you get the picture. Yeah, and there's generic alerts with lots of different things, but on the network, both of those, I mean, most of these kind of mining domains are blacklisted; a lot of them are almost built in, so you can alert on and stop that. That's it. We didn't have to hold up any signs. If there are any questions or anything...

[Inaudible question from the audience about the DevOps side: hands off, like the DevOps stuff?]

What do you mean, in terms of the cloudy stuff? Yeah, so some of it is, some of it isn't. So the guy at the front was nodding; he might know better. I believe GuardDuty you have to pay for; you enable it. CloudTrail, I think, is enabled by default, I think, correct me if I'm wrong. Yeah, you will get emails from them, at least in a worst-case scenario where, like, it is clearly Bitcoin mining, and they'll send you these notifications, but yeah, you won't be getting the full kind of logging you'd be getting otherwise, so you have to turn that stuff on. But it's pretty much a checklist.

[Inaudible comment from the audience]

Yeah, I agree. It's kind of, for example, Azure has an add-on, I missed that, that does Elasticsearch, for example, by Microsoft, a product, and they actually don't charge you; you actually have security included, whereas, since, although last month they did change this, I think Microsoft have a slightly different view: they want to have, like, their own security system, whereas Amazon's more like, they'll enable partners to come in and build it for them. So there's a bit of a balancing act there. But yeah, if you want to say something safe for the video: GuardDuty, get it; it doesn't do everything. And yeah, on that as well, it's also network-level analysis, I think, if I understand, with GuardDuty; it doesn't run like a host agent, it's more looking at it from the outside, which is why it's easy to deploy, but it means, unlike a host agent, it might miss a bunch of stuff. Yeah, yeah, which is tricky to detect from, I think, but, you know, it's easier to deploy. And obviously Azure, they have Windows Defender and Advanced Threat Protection, so there's a few different things. Anything else? Oh, thank you very much. [Applause]
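An added example, not from the talk or its speaker: the two host-side heuristics the talk describes (miner-style command lines with a Stratum pool URL or 'miner -o', and a server process such as Tomcat's Java spawning an interactive shell) implemented over constructed process-creation events of the kind Sysmon or osquery would record. The event field names, the server and shell lists, the extra miner names and all sample values are assumptions.

```python
"""Host-side cryptojacking heuristics over process-creation events (added
example, not from the talk). Events are constructed records of the kind Sysmon
or osquery process auditing produces; the field names are assumptions."""
import re
import shlex

# Indicators the talk calls out: the Stratum pool protocol on the command line,
# the XMRig binary, and attackers killing competing miners.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
POOL_TARGET_RE = re.compile(r"(stratum\+(tcp|ssl)://)?[\w.-]+:\d{2,5}", re.IGNORECASE)
MINER_NAMES = {"xmrig", "minerd", "cpuminer"}   # xmrig is from the talk; rest assumed
POOL_FLAGS = {"-o", "--url"}                     # xmrig-style pool option
# Server processes that should never spawn a shell (assumed list), and shells.
SERVER_PARENTS = {"java", "tomcat", "httpd", "apache2", "nginx", "php-fpm",
                  "mysqld", "sqlservr.exe", "w3wp.exe"}
SHELLS = {"bash", "sh", "dash", "cmd.exe", "powershell.exe"}

def _basename(path):
    """Executable name only, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the alert tags for one event; an empty list means nothing suspicious."""
    cmd = event["cmdline"]
    try:
        argv = shlex.split(cmd)
    except ValueError:                 # unbalanced quotes: fall back to a naive split
        argv = cmd.split()
    if not argv:
        return []
    exe, tags = _basename(argv[0]), []
    if STRATUM_RE.search(cmd):
        tags.append("stratum_url_on_cmdline")
    if exe in MINER_NAMES:
        tags.append("known_miner_binary")
    # The talk's "miner -o ..." heuristic: fire only when the value after the pool
    # flag looks like host:port, so 'curl -o file' does not trip it.
    if any(f in POOL_FLAGS and POOL_TARGET_RE.fullmatch(v) for f, v in zip(argv, argv[1:])):
        tags.append("pool_flags_on_cmdline")
    if exe in {"pkill", "killall"} and any(a.lower() in MINER_NAMES for a in argv[1:]):
        tags.append("kills_competing_miner")
    if _basename(event["parent"]) in SERVER_PARENTS and exe in SHELLS:
        tags.append("server_spawned_shell")
        if "-i" in argv[1:]:           # 'bash -i': the reverse-shell pattern from the talk
            tags.append("interactive_shell")
    return tags

def scan(events):
    """Return (cmdline, tags) for every event that raised at least one tag."""
    return [(e["cmdline"], t) for e in events if (t := classify(e))]

# Constructed sample events; pool host and wallet are placeholders, not real values.
SAMPLE_EVENTS = [
    {"parent": "cron", "cmdline": "/tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 "
                                  "-u WALLET_PLACEHOLDER -p x"},
    {"parent": "bash", "cmdline": "pkill -9 xmrig"},        # clearing out rival miners
    {"parent": "java", "cmdline": "bash -i"},               # Tomcat dropping to a shell
    {"parent": "bash", "cmdline": "curl -o index.html http://example.invalid:8080/"},
    {"parent": "systemd", "cmdline": "/usr/sbin/sshd -D"},
]

if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS):
        print(f"{', '.join(tags):<60} {cmdline}")
```

Feeding it real Sysmon or osquery process events means mapping their parent-image and command-line columns onto the two fields used here; the lists are a starting point to tune against your own environment's baseline.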