Cloud Systems Are The New Battleground For Crypto Mining Threat Actors Says Trend Micro

Trend Micro today announced a new report revealing a fierce, hour-by-hour battle for resources among malicious cryptocurrency mining groups.

To read a full copy of the report, A Floating Battleground Navigating the Landscape of Cloud-Based Cryptocurrency Mining, please visit:

Threat actors are increasingly scanning for and exploiting these exposed instances, as well as brute-forcing SecureShell (SSH) credentials, in order to compromise cloud assets for cryptocurrency mining, the report reveals. Targets are often characterized by having outdated cloud software in the cloud environment, poor cloud security hygiene, or inadequate knowledge on how to secure cloud services and thus easily exploited by threat actors to gain access to the systems. 

Cloud computing investments have surged during the pandemic. But the ease with which new assets can be deployed has also left many cloud instances online for longer than needed—unpatched and misconfigured.

On one hand, this extra computing workload threatens to slow key user-facing services for victim organizations, as well as increasing operating costs by up to 600% for every infected system.

Crypto mining can also be a precursor to more serious compromise. Many mature threat actors deploy mining software to generate additional revenue before online buyers purchase access for ransomware, data theft, and more.

The Trend Micro report details the activity of multiple threat actor groups in this space, including:

  • Outlaw, which compromises IoT devices and Linux cloud servers by exploiting known vulnerabilities or performing brute-force SSH attacks.
  • TeamTNT, which exploits vulnerable software to compromise hosts before stealing credentials for other services to help it move around to new hosts and abuse any misconfigured services.
  • Kinsing, which sets up an XMRig kit for mining Monero and kicks any other miners off a victim system.
  • 8220, which has been observed fighting Kinsing over the same resources. They frequently eject each other from a host and then install their own cryptocurrency miners.
  • Kek Security, which has been associated with IoT malware and running botnet services.

To mitigate the threat from cryptocurrency mining attacks in the cloud, Trend Micro recommends organizations to:

  • Ensure systems are up-to-date and running only the required services
  • Deploy firewall, IDS/IPS, and cloud endpoint security to limit and filter network traffic to and from known bad hosts
  • Eliminate configuration errors via Cloud Security Posture Management tools
  • Monitor traffic to and from cloud instances and filter out domains associated with known mining pools
  • Deploy rules that monitor open ports, changes to DNS routing, and utilization of CPU resources from a cost perspective

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: