Researchers Detect Ambitious Bitcoin Mining Malware Campaign Targeting 1,000s Daily

Published at: April 6, 2020

Cybersecurity researchers have identified a persistent and ambitious campaign that targets thousands of Docker servers daily with a Bitcoin (BTC) miner.

In a report published on April 3, Aqua Security issued a threat alert over the attack, which has ostensibly “been going on for months, with thousands of attempts taking place nearly on a daily basis.” The researchers warn: 

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.”

Such scope and ambition indicate that the illicit Bitcoin mining campaign is unlikely to be “an improvised endeavor,” as the actors behind it must be relying on significant resources and infrastructure.

Kinsing malware attack volumes, Dec. 2019-March 2020. Source: Aqua Security blog

Using its virus analysis tools, Aqua Security has identified the malware as a Golang-based Linux agent, known as Kinsing. The malware propagates by exploiting misconfigurations in Docker API ports. It runs an Ubuntu container, which downloads Kinsing and then attempts to spread the malware to further containers and hosts. 

The campaign’s end-goal — achieved by first exploiting the open port and then carrying through with a series of evasion tactics — is to deploy a crypto miner on the compromised host, the researchers say.

Infographic showing the full flow of a Kinsing attack. Source: Aqua Security blog

Security teams need to up their game, says Aqua

Aqua’s study provides detailed insight into the components of the malware campaign, which stands out as a forceful example of what the firm claims is “the growing threat to cloud native environments.”

Attackers are upping their game to mount ever more sophisticated and ambitious attacks, the researchers note. In response, enterprise security teams need to develop a more robust strategy to mitigate these new risks.

Among their recommendations, Aqua proposes that teams identify all cloud resources and group them in a logical structure, review their authorization and authentication policies, and adjust basic security policies according to a principle of “least privilege.”

Teams should also investigate logs to locate user actions that register as anomalies, as well as implement cloud security tools to strengthen their strategy. 
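The misconfiguration the Kinsing campaign exploits, described above, and the recommendation to review authorization policies both come down to one question a defender can check on each host: is the Docker daemon's API reachable over TCP without client authentication? The following script is an added example (not code from Aqua Security's report or from the Docker project) that audits a daemon's listener configuration. It reads `daemon.json` text and the `dockerd` command line, merges the `hosts` entries, and rates each listener; the sample configuration strings embedded in it are constructed for illustration, as are the file paths in the hardened sample.

```python
"""Audit a Docker daemon's API listeners for a network-exposed, unauthenticated API.

Added example; not from Aqua Security's report. All configuration text below is
constructed sample input, not taken from any real host.
"""
import json
import shlex
from urllib.parse import urlparse

# Constructed sample: a daemon.json that exposes the API on every interface
# without TLS, alongside the usual local unix socket.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = "dockerd --containerd=/run/containerd/containerd.sock"

# Constructed sample of the corrected configuration: the remote listener only
# accepts clients presenting a certificate signed by the configured CA.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def hosts_from_cmdline(cmdline):
    """Extract -H/--host values and the --tlsverify flag from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith("-H="):
            hosts.append(arg[len("-H="):])
        elif arg.startswith("--host="):
            hosts.append(arg[len("--host="):])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def classify_host(host, tls_verify):
    """Return (severity, reason) for one listener URL."""
    url = urlparse(host)
    if url.scheme in ("unix", "fd"):
        return "info", "local socket; access is limited by file permissions or socket activation"
    if url.scheme == "tcp":
        addr = url.hostname or "0.0.0.0"  # dockerd treats a missing address as all interfaces
        if addr in ("127.0.0.1", "localhost", "::1"):
            return "low", "TCP listener bound to loopback only"
        if tls_verify:
            return "medium", "network listener requires a client certificate; review who holds CA-signed keys"
        return "critical", "Docker API reachable over the network with no authentication"
    return "info", f"unrecognised listener scheme '{url.scheme}'"


def audit_docker_api(daemon_json_text, cmdline):
    """Merge listeners from daemon.json and the command line and classify each.

    dockerd refuses to start when 'hosts' is set in both places, so a real host
    normally populates only one of them; merging keeps the audit simple.
    """
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    cmd_hosts, cmd_tls = hosts_from_cmdline(cmdline)
    hosts = list(config.get("hosts", [])) + cmd_hosts
    tls_verify = bool(config.get("tlsverify", False)) or cmd_tls
    if not hosts:
        hosts = ["unix:///var/run/docker.sock"]  # dockerd's default when nothing is configured
    return [
        {"host": h, "severity": sev, "reason": why}
        for h in hosts
        for sev, why in (classify_host(h, tls_verify),)
    ]


def worst_severity(findings):
    """Highest severity across a list of findings."""
    order = {"info": 0, "low": 1, "medium": 2, "critical": 3}
    return max((f["severity"] for f in findings), key=order.__getitem__)


if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for f in audit_docker_api(cfg, SAMPLE_CMDLINE):
            print(f"[{label}] {f['severity']:8} {f['host']}: {f['reason']}")
```

Run it against the real `/etc/docker/daemon.json` and the `dockerd` line from `ps` or the systemd unit on each host; any `critical` finding is the exposure the campaign relies on. A `medium` result on the hardened configuration is deliberate: mutual TLS closes the door to anonymous clients, but the set of certificates the CA has signed is itself an authorization policy that should be reviewed against least privilege, which is the second of Aqua's recommendations.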

Growing awareness

Last month, Singapore-based unicorn startup Acronis published the results of its latest cybersecurity survey. It revealed that 86% of IT professionals are concerned about cryptojacking — the industry term for the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.
