The RedLock Cloud Security Intelligence (CSI) team had previously reported (refer to Public Cloud Infrastructure Security Trends May 2017 report) that hundreds of Kubernetes administration consoles are accessible over the internet without any password protection. For those of you unfamiliar with Kubernetes, it is an open-source platform designed by Google to automate deploying, scaling, and operating application containers.
Last month, the RedLock CSI team identified an open Kubernetes administration console belonging to Aviva, a British multinational insurance company headquartered in London, United Kingdom, with 33 million customers across 16 countries. Upon further investigation, the team found that the public cloud computing environment where this instance was hosted had been compromised. A malicious actor was stealing the “free” compute power within this environment to mine Bitcoins, a practice otherwise known as illegal cryptomining.
Unlike physical currency, Bitcoin is entirely virtual, and there are three traditional ways for malware to generate Bitcoins for its creators:
In this specific incident, attackers used Aviva’s public cloud infrastructure as bots to mine Bitcoins, and it is important to understand the motivation here.
Bitcoin mining involves computationally intensive and time-consuming calculations. The cost of compute doesn’t make it economically viable for an individual to mine Bitcoins on their own hardware. However, that equation changes to a far more favorable one when the resources being used belong to someone else. Many criminals are taking advantage of poor cloud security practices and configuration mistakes to take over cloud instances belonging to large organizations, where the increase in spend due to Bitcoin mining will likely go unnoticed. Once they infiltrate the cloud environment, it is a simple matter to spin up a powerful virtual machine to generate Bitcoins while the subscribing organization gets stuck with the bill.
The RedLock CSI team found that Aviva’s Kubernetes administration console was deployed on a cloud instance and accessible without a username or password. The console was leaking critical infrastructure credentials such as Amazon Web Services (AWS) access keys and secret tokens. The team then realized that the MySQL12 container was executing a Bitcoin mining command. The attacker had created a randomized email address (firstname.lastname@example.org) that was difficult to trace back to a specific entity; refer to the screenshot below for details. The RedLock CSI team notified Aviva of the findings, and Aviva’s security team resolved the issues immediately.
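A detection check for the kind of finding described above, added here as an example and not part of the original post or of RedLock's or Aviva's tooling: it reads a pod listing in the JSON format `kubectl get pods --all-namespaces -o json` produces and flags containers whose command line points at a mining pool or a well-known miner binary. The pod names, pool hostname and wallet value in the sample are constructed for the example.

```python
# Flag Kubernetes containers that appear to be running a cryptominer.
# Input: the JSON that `kubectl get pods --all-namespaces -o json` emits.
import json
import re

# Pool URLs are the more durable indicator: miner binaries are often
# renamed, but they still have to reach a pool. Extend the list as needed.
MINER_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"\b(xmrig|minerd|cpuminer|cgminer|bfgminer|ccminer)\b", re.I),
]


def container_cmdline(container: dict) -> str:
    """Join command and args the way the kubelet would invoke them."""
    return " ".join(container.get("command", []) + container.get("args", []))


def find_suspect_containers(pod_list: dict) -> list:
    """Return (namespace, pod, container, matched text) for each hit."""
    hits = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            cmd = container_cmdline(c)
            for pat in MINER_PATTERNS:
                m = pat.search(cmd)
                if m:
                    hits.append((meta.get("namespace"), meta.get("name"),
                                 c.get("name"), m.group(0)))
                    break  # one hit per container is enough
    return hits


# Constructed sample: a benign database pod and a pod whose container was
# repurposed to run a miner. Names and the pool hostname are invented.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "prod", "name": "mysql-0"},
  "spec": {"containers": [{"name": "mysql", "command": ["mysqld"],
                           "args": ["--user=mysql"]}]}},
 {"metadata": {"namespace": "prod", "name": "worker-7f9c"},
  "spec": {"containers": [{"name": "worker", "command": ["/tmp/.x/run"],
                           "args": ["-o", "stratum+tcp://pool.example.invalid:3333",
                                    "-u", "WALLET_PLACEHOLDER.w1"]}]}}
]}
""")

if __name__ == "__main__":
    for hit in find_suspect_containers(SAMPLE_POD_LIST):
        print("suspect container:", hit)
```

Command-line matching only catches miners started as the container's entrypoint; a miner launched later inside a running container needs process-level or network-level monitoring instead.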
It is also very likely that the attacker has automated the exploitation of such misconfigured Kubernetes consoles; a quick Google search turns up this Reddit post. This is indicative of a growing trend in which hackers have found a new monetary opportunity: using resources from unsuspecting organizations to mine virtual currencies.
Large organizations are spending millions of dollars with cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. With decentralized adoption across organizations, the dynamic nature of workloads, and limited monitoring tools, it can be extremely challenging to detect such nefarious activities. However, there are a few things that can help organizations detect suspicious activities across fragmented cloud environments:
To get the other 17 tips to fortify your public cloud computing environment, download the Cloud Security Trends September 2017 report published by the CSI team.