New cryptojacking worm propagating through AWS at speed

Written by Wed 19 Aug 2020

Concerns cryptojacking attacks could be about to surge as security group identifies first AWS-optimised cryptomining worm

Researchers have identified a new worm spreading through Amazon’s cloud that is stealing user credentials and deploying cryptojacking malware to mine Monero cryptocurrency.

According to researchers at Cado Security, the hacking group known as TeamTNT is responsible for the worm.

TeamTNT has a history of attacking Docker and Kubernetes systems and the group’s latest worm also uses infiltrated instances to scan the internet for misconfigured Docker systems for later attacks.

Cloud cryptojacking

Cryptojacking is a form of cyberattack that hijacks computing resources to mine cryptocurrency on the hacker’s behalf.

When the practice first emerged, hackers focused their attention on desktop computers and mobile devices, but cloud-based cryptojacking is now on the rise as hackers pursue organisations that are migrating their resources to the cloud.

Compared to laptops or smartphones, infrastructure-as-a-service (IaaS) platforms offer virtually infinite resources and hackers can largely go about their business undetected.

In 2018, Elon Musk’s Tesla fell victim to a sophisticated cloudjacking attack where the hackers hid their identities behind a content delivery network and throttled the mining software to avoid raising suspicion.

With increased adoption of container environments, attackers are also stepping up their search for vulnerable Docker and Kubernetes systems to infiltrate with cryptojacking malware.

In April, Aqua Security identified a new malware called Kinsing which scans the internet for unprotected Docker instances to launch cryptocurrency mining campaigns.

At the time, the company’s researchers warned Kinsing represented a new level of cryptojacking sophistication as the malware could easily turn clusters of containers into cryptojacking farms.

Cado Security identified parts of the Kinsing code in TeamTNT’s latest worm. Most crypto-mining worms are an amalgamation of previous worms as authors copy and paste their competitors’ code, the researchers explained.

But unlike previous exploits, TeamTNT’s malware is optimised for AWS. Cado Security said it was the first time it had seen such AWS-specific functionality and warned it wouldn’t be long before subsequent worms leveraged the same features to target AWS users.

AWS is the world’s most popular cloud and accounts for 32 percent of the global cloud market, according to Canalys.

Cado Security suggested the following protective measures:

  • Identify which systems are storing AWS credential files and delete them if they aren’t needed. It’s common to find development credentials have accidentally been left on production systems.
  • Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.
  • Review network traffic for any connections to mining pools, or using the Stratum mining protocol.
  • Review any connections sending the AWS Credentials file over HTTP.
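The last two measures amount to a log review: flag outbound connections that speak the Stratum mining protocol or go to mining pools, and flag HTTP traffic carrying the contents of an AWS credentials file. The script below is an added example written for this article, not Cado Security's tooling; the single-line log format (`src=… dst=host:port proto=… payload=…`), the sample log lines, the pool-name hints and the list of common mining ports are all constructed assumptions for illustration.

```python
"""Hunt for cryptojacking and credential-exfiltration indicators in log lines.

Added example (not Cado Security's code). The log format, indicator lists
and sample lines below are assumptions constructed for illustration.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass

# Heuristic indicators; assumed for this example, not an authoritative list.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
POOL_NAME_HINTS = ("pool", "xmr", "monero")
COMMON_MINING_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}
AWS_CRED_MARKERS = ("aws_access_key_id", "aws_secret_access_key")
# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed log format: src=ip:port dst=host:port proto=tcp|http payload=<text>
LINE_RE = re.compile(r"^src=(\S+) dst=([^:\s]+):(\d+) proto=(\S+) payload=(.*)$")


@dataclass
class Finding:
    kind: str      # indicator category
    line_no: int   # 1-based index into the reviewed log
    detail: str    # what matched, for the analyst


def inspect(lines):
    """Return a list of Findings for every indicator hit in the given log lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        _src, host, port, proto, payload = m.groups()
        port = int(port)
        lowered = payload.lower()

        # 1. Stratum spoken in the clear: either a stratum+tcp:// URL or a
        #    JSON-RPC message whose method is one of the mining verbs.
        if "stratum+tcp://" in lowered:
            findings.append(Finding("stratum-url", line_no, payload[:60]))
        try:
            msg = json.loads(payload)
        except ValueError:
            msg = None
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            findings.append(Finding("stratum-jsonrpc", line_no, msg["method"]))

        # 2. Destination looks like a mining pool (name hint or well-known port).
        if any(hint in host.lower() for hint in POOL_NAME_HINTS) or port in COMMON_MINING_PORTS:
            findings.append(Finding("mining-pool", line_no, f"{host}:{port}"))

        # 3. AWS credentials file contents leaving the host over plain HTTP.
        if proto == "http" and (any(k in lowered for k in AWS_CRED_MARKERS) or AKIA_RE.search(payload)):
            findings.append(Finding("aws-cred-exfil", line_no, f"{host}:{port}"))
    return findings


def summarize(findings):
    """Count findings per indicator kind, e.g. {'mining-pool': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log; hosts/IPs are documentation ranges and the access
# key is AWS's published example key, not a real credential.
SAMPLE_LOG = [
    'src=10.0.1.5:51234 dst=api.example.com:443 proto=tcp payload=',
    'src=10.0.1.5:51300 dst=198.51.100.7:3333 proto=tcp payload={"id":1,"method":"login","params":{"login":"44walletEXAMPLE","pass":"x","agent":"XMRig/6.3.0"}}',
    'src=10.0.1.5:51301 dst=pool.example-xmr.test:14444 proto=tcp payload=stratum+tcp://pool.example-xmr.test:14444',
    'src=10.0.1.5:51400 dst=203.0.113.9:80 proto=http payload=POST /upload [default] aws_access_key_id = AKIAIOSFODNN7EXAMPLE aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    'src=10.0.1.5:51500 dst=www.example.com:80 proto=http payload=GET /index.html',
]

if __name__ == "__main__":
    for f in inspect(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} ({f.detail})")
    print(summarize(inspect(SAMPLE_LOG)))
```

The port and hostname heuristics are deliberately loose and will produce false positives on their own; the Stratum JSON-RPC and credential-marker checks are the higher-confidence signals, and the `login` method in particular should be corroborated by the pool-style destination before paging anyone.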
