
Hackers move to the Cloud – new security challenges for modern organizations

September 25, 2018

As more and more data and applications move to the cloud, organizations face a host of new security threats and challenges. Cloud infrastructures have become a growing target for threat actors. In the last six months, cryptomining attacks have become the leading attack vector used by threat actors, overtaking even ransomware. Cybercriminals are aggressively targeting organizations with cryptomining malware to build illegal revenue streams.

42% of organizations hit by cryptomining attacks

Between January and June 2018, the share of organizations impacted by cryptomining malware doubled to 42%, compared to 20.5% in the second half of 2017, according to Check Point’s “Cyber Attack Trends: 2018 Mid-Year Report”. In money terms, cryptomining attacks are estimated to have earned attackers over $2.5 billion already, and the figure is likely to grow exponentially in the future.

Attacks target cloud infrastructure to exploit its vast processing resources and, as a result, generate huge profits for those involved. Last year, 51% of global organizations faced cloud-based attacks, with giants such as FedEx, Intel and Honda having to cope with this new security challenge.

Cloud – the new Eldorado for cyberpunks

The cloud environment has changed the way companies manage, store and share data, applications, and workflows. But alongside its immense range of benefits, cloud infrastructure also introduces a new, fertile and appealing environment for hackers, drawn by the vast amounts of processing resources and sensitive data it holds. In a new trend, Check Point has detected an increasing number of attacks targeting cloud infrastructures.

So far this year, a number of sophisticated techniques and tools have been seen used against cloud storage services. Several cloud-based attacks stemmed from poor security practices, such as the use of weak passwords or credentials left exposed in public source code repositories. When hackers target cloud infrastructures, they are essentially lured by the computational power available and the potential for multiplying profits.

According to Check Point, in the first half of 2018 there were many attacks targeting two of the cloud’s core components – Docker and Kubernetes systems. Two incidents caught the industry’s attention: in the first case, hackers breached Tesla cloud servers and installed cryptocurrency-mining malware. The incident happened because Tesla engineers had left the Kubernetes console without password protection. The second incident involved an unsecured FedEx server, which was breached, exposing thousands of customers’ personal information.
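The two poor practices named above, credentials left in public source code repositories and an unprotected management console, are both catchable before they reach production. The following pre-commit style secret scanner is an added example written for this page, not code from Check Point or from any of the organizations mentioned. Its regular expressions, the `Finding` type and the sample commit contents are constructed for illustration; the AWS key ID used is Amazon's documented placeholder, not a live credential.

```python
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    """One suspected secret: where it was found and a redacted excerpt."""
    line_no: int
    kind: str
    excerpt: str


# Patterns for credential material that should never be committed.
# Constructed for this example; production scanners carry far larger rule sets.
SECRET_PATTERNS = {
    # AWS access key IDs (long-term AKIA..., temporary ASIA...)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key header in any common flavour
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # e.g.  DB_PASSWORD = "..."  or  passwd: '...'  (no leading \b, so
    # PREFIX_PASSWORD style names are still caught)
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    # Authorization-header style bearer tokens pasted into code or docs
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-_.=]{20,}"),
}


def redact(match: str) -> str:
    """Keep enough of the match to locate it without reprinting the secret."""
    if len(match) <= 8:
        return match
    return match[:4] + "..." + match[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return every line/pattern hit in the given file contents."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, kind, redact(m.group(0))))
    return findings


def should_block_commit(text: str) -> bool:
    """Policy hook for a pre-commit check: any finding blocks the commit."""
    return bool(scan_text(text))


# Constructed sample of what a careless commit might contain.
# The key ID is AWS's published example value; the password is made up.
SAMPLE_COMMIT = """\
# config.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2-but-longer"
LOG_LEVEL = "info"
-----BEGIN RSA PRIVATE KEY-----
MIIEow...
"""


if __name__ == "__main__":
    # Scan files named on the command line, or the embedded sample if none.
    sources = sys.argv[1:]
    blobs = [(p, open(p, encoding="utf-8", errors="replace").read())
             for p in sources] or [("<sample>", SAMPLE_COMMIT)]
    exit_code = 0
    for name, text in blobs:
        for f in scan_text(text):
            print(f"{name}:{f.line_no}: {f.kind}: {f.excerpt}")
            exit_code = 1
    sys.exit(exit_code)
```

Run with no arguments to see the three hits in the embedded sample, or pass staged files to use it as a commit gate; a non-zero exit status is what a Git pre-commit hook needs to refuse the commit. The redaction step matters in practice: a scanner that prints full matches into CI logs just moves the leak somewhere else.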

Cryptomining attacks are constantly evolving

The top three most common malware variants seen in H1 2018 were all cryptominers.

Having evolved from single attacks on individual websites, such campaigns have this year been seen spreading through Facebook Messenger, YouTube and Google Play, infecting thousands of websites, personal computers, and servers. In 2018, the cyberpunks have sharpened their skills, becoming more and more sophisticated and destructive.

With the clear goal of raising infection rates and squeezing more profit out of processing resources, today’s cryptominers aim at anything that can be turned into an opportunity. As a consequence, such attacks have targeted SQL databases, industrial systems, a Russian nuclear plant, and even complete cloud infrastructures. Application programming interfaces (APIs), used to manage, interact with and extract useful information from cloud services, have also been targeted. Being reachable over the Internet, these interfaces opened a huge window of opportunity for attackers to gain access to cloud applications.

The last few months have shown us that these attackers have upped their game and developed new ways to exploit vulnerabilities and avoid existing traps and security protocols.

Mobile devices with preinstalled malware

With the introduction of new technologies such as powerful smartphones and the expansion of others, such as Office 365, potential victims simultaneously use multiple devices and services that are fully connected. This has led to a completely new environment in which victims are exposed to multi-vector attacks. In these events, hackers try to obtain sensitive corporate data by finding the weakest link in the system. This is sometimes done with the “help” of a phone infected with malware.

In the first half of this year, however, an interesting trend in mobile devices emerged – pre-installed malware. In some cases, users reported active malware on newly purchased mobile devices. The trend was confirmed in March when researchers discovered a mobile botnet called “RottenSys” that infected nearly five million Android devices. The botnet came preinstalled on millions of new smartphones from manufacturers including Huawei, Xiaomi, Vivo and Samsung, disguised as a legitimate “Wi-Fi system service” application. In another incident, 42 models of low-cost smartphones were sold with the Triada banking Trojan already pre-installed.

As cloud computing will continue to transform the way companies use, store, and share data, applications, and workloads, threats to this environment will keep on evolving and expanding. Is the industry ready for the new wave of attacks?