
DevSecCon Singapore 2019: Cryptojacking: an evolving threat for cloud containers

Rahul Kumar & Rupali Dash

In the current era of blockchain technology, mining cryptocurrency is one of the biggest hits. The talk covers how attackers use insecure containers to mine cryptocurrency and earn million-dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by intrusion detection vendors. While activity fell slightly in 2018, it remains at an elevated level, with the cryptojacking events blocked in July 2018 totalling just under 5 million.

The talk will cover how mining has been carried out using browsers as well as cloud containers. We will also discuss how cloud providers like Amazon, Azure and Google detect such activity, and how minor misconfigurations lead to million-dollar currency mining. The talk will also cover how 3rd-party security providers like Symantec and Zscaler, and other intrusion detection systems, have configured signatures to block such attacks, as well as, from a SecOps perspective, which configuration checks should be done to prevent such attacks and how to detect them. It will also cover case studies and attack scenarios of mining Monero and the huge financial losses caused by these attacks.


  1. Singapore | 28 Feb - 01 Mar 2019 Cryptojacking RAHUL KUMAR & RUPALI DASH
  2. Who are we? Rahul Kumar • Security Engineer, DSRE, Microsoft India R&D • Vulnerability Management & Research • Security Researcher @ DSLabs Trend Micro • Security solution developer. Rupali Dash • Pentester at AXL.net • Specialist in web and mobile app security • SecOps consultant
  3. Why cryptojacking... why now?
  4. What we will be talking about • Intro to cryptojacking • Types of cryptojacking • Story time • Cloud misconfigurations leading to cryptojacking • Detection/evasion techniques • Mitigation • Security solutions
  5. Cryptomining vs cryptojacking
  6. Types of cryptojacking • Browser-based mining • Server-based mining • Containerized mining • Microservice-oriented mining
  7. Story time: the attack flow • Infection • Bootstrapping • Mining • Discovery • Spreading the infection
  8. Infection • By default the Docker daemon listens only on a local Unix socket. • Remote access to the daemon uses TCP port 2375 (plaintext) or 2376 (TLS). • The infection spreads across hosts through misconfigured or loosely configured Docker daemons that expose the REST management API on an open, unauthenticated TCP port: anyone who can reach that port can start containers on the host, including a miner.
  9. Bootstrapping & mining
  10. Discovery and spreading the infection
  11. Last but not least . . .
  12. Cloud misconfigurations leading to cryptomining • Open Kubernetes console or Docker registries (Docker Hub) • Attackers can find open Docker registries and registries with default credentials • They can build a Docker image with malicious code • ...and push that malicious image to the registry
  13. Cloud misconfigurations leading to cryptomining • Use of unpatched components • The attacker can scan for unpatched components/services • They can use exploits to gain privileges and inject their mining code • WebLogic RCE: CVE-2017-10271
  14. Cloud misconfigurations leading to cryptomining • Writable AWS S3 bucket
  15. Cloud misconfigurations leading to cryptomining • Use of malicious 3rd-party libraries • An attacker can inject malicious code into a 3rd-party library • Whoever uses the compromised library is infected • Browsealoud JavaScript library
  16. Detection techniques • Signature-based (unique identifier string / wallet address) • Domain-based detection: blacklisting domains/IPs that host cryptomining scripts • Anomalous CPU utilisation • Analysis of DNS client traffic • Monitoring IRC communication • http://cryptoioc.ch/api
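The detection techniques on slide 16, run over constructed telemetry, as an added example (this is not the speakers' code and the page shows no tooling of its own). It combines the signature check (stratum URL, miner binary name, Monero wallet address shape), the domain blocklist applied to DNS-client logs, and the CPU anomaly check, then requires corroboration from at least two techniques before alerting. The log format, host names, domain blocklist (reserved `.example`/`.invalid` names), CPU threshold and the 95-character dummy wallet are all assumptions made for the example; a real deployment would pull indicators from a feed such as the cryptoioc.ch API the slide mentions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed indicator set for this example ---------------------------------
# The domains use reserved TLDs and are not real mining pools; a real deployment
# would load indicators from a threat-intelligence feed.
BLOCKED_DOMAINS = {"xmr-pool.example", "mine.coinpool.invalid"}
MINER_BINARIES = {"xmrig", "minerd", "cpuminer"}
CPU_THRESHOLD = 90.0  # percent; sustained load above this on a container is suspicious

# Stratum is the pool protocol nearly every CPU miner speaks; the pool URL in a
# miner's command line is a strong signature.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+")
# A standard Monero address is '4' followed by 94 base58 characters (95 total).
MONERO_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
# key=value records; a value may be quoted because cmd= contains spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Dummy address with the right shape and alphabet; it is not a real wallet.
FAKE_WALLET = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ123456789" * 3)[:94]

# Constructed telemetry: DNS-client log lines and per-process samples from hosts.
SAMPLE_LOG = [
    'type=dns host=web-01 qname=api.internal.example',
    'type=dns host=web-01 qname=xmr-pool.example',
    'type=proc host=web-01 pid=4411 cpu=98.5 cmd="/tmp/.x/xmrig -o stratum+tcp://xmr-pool.example:3333 -u %s -p x"' % FAKE_WALLET,
    'type=proc host=web-02 pid=1203 cpu=12.0 cmd="nginx: worker process"',
    'type=proc host=db-01 pid=777 cpu=95.0 cmd="postgres: autovacuum worker"',
]


@dataclass
class Finding:
    host: str
    technique: str  # which detection from the slide fired
    evidence: str


def parse_record(line):
    """Turn 'k=v k2="v with spaces"' into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def detect(lines):
    """Apply the signature, domain and CPU checks to every record."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        host = rec.get("host", "?")
        if rec.get("type") == "dns":
            qname = rec.get("qname", "")
            if qname in BLOCKED_DOMAINS or any(qname.endswith("." + d) for d in BLOCKED_DOMAINS):
                findings.append(Finding(host, "domain", qname))
        elif rec.get("type") == "proc":
            cmd = rec.get("cmd", "")
            m = STRATUM_RE.search(cmd)
            if m:
                findings.append(Finding(host, "signature:stratum", m.group(0)))
            m = MONERO_ADDR_RE.search(cmd)
            if m:
                addr = m.group(0)  # redact: the wallet itself is the indicator to share, not to log
                findings.append(Finding(host, "signature:wallet", addr[:6] + "..." + addr[-4:]))
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if binary in MINER_BINARIES:
                findings.append(Finding(host, "signature:binary", binary))
            if float(rec.get("cpu", 0)) >= CPU_THRESHOLD:
                findings.append(Finding(host, "cpu", rec.get("cpu")))
    return findings


def techniques_by_host(lines):
    """Group the techniques that fired per host so the analyst sees corroboration."""
    grouped = defaultdict(set)
    for f in detect(lines):
        grouped[f.host].add(f.technique)
    return {h: sorted(t) for h, t in grouped.items()}


def confirmed_hosts(lines, min_techniques=2):
    """High CPU alone is a weak signal (a busy database trips it too), so require
    at least two independent techniques before raising an alert."""
    return sorted(h for h, t in techniques_by_host(lines).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for host, techs in techniques_by_host(SAMPLE_LOG).items():
        print(host, techs)
    print("alert:", confirmed_hosts(SAMPLE_LOG))
```

On the sample data, `db-01` trips only the CPU check (an autovacuum worker at 95%), while `web-01` trips all five, so only `web-01` is alerted on; the throttling evasion on the next slide is exactly why the CPU check should never be the only one.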
  17. Evasion techniques used by modern crypto-mining malware • Use of proxies and URL randomisation • Use of legitimate code-hosting services like GitHub and Pastebin • Use of obfuscation • Throttling (capping CPU use to stay below anomaly thresholds)
  18. Mitigation techniques • Keep containers patched and updated; run a continuous patch cycle. • Ensure that container images are authenticated, signed and pulled from a trusted registry (Docker Trusted Registry). • Use encrypted, authenticated communication when exposing Docker's daemon to the network: enable TLS by specifying the tlsverify flag and pointing Docker's tlscacert flag at a trusted CA certificate, so that only clients presenting a certificate signed by that CA can connect. • Properly configure how many resources a container is allowed to use (CPU and memory limits). • Don't run with the default configuration.
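The weak daemon setting from the "Infection" slide (slide 8) beside the hardened one from slide 18, with an audit that tells them apart, as an added example (not the speakers' code). The two `daemon.json` documents are constructed for the example; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are the real dockerd options, while the certificate paths and the `10.0.0.5` bind address are placeholders. With `tlsverify` set, dockerd accepts only clients whose certificate is signed by the CA in `tlscacert`, which is what turns an open management port into an authenticated one.

```python
import json
from urllib.parse import urlsplit

# Constructed example of the weak setting: the REST API on TCP 2375 with no TLS,
# reachable from every interface. Anyone who can reach the port can run containers.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: TLS with client-certificate verification
# (tlsverify), the CA that signs client certificates, and a bind to one address.
# Certificate paths and the 10.0.0.5 address are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

PLAINTEXT_PORT = 2375  # conventional unencrypted API port; 2376 is the TLS port
WILDCARD_HOSTS = {None, "0.0.0.0", "::"}  # urlsplit gives None for "tcp://:2375"


def audit_daemon_config(raw_json):
    """Return (code, message) pairs for each weakness in a daemon.json document.

    An empty list means either no TCP listener at all, or a TCP listener that
    requires a client certificate signed by the configured CA and is bound to
    a single address.
    """
    cfg = json.loads(raw_json)
    issues = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return issues  # Unix socket only: access is governed by file permissions

    if cfg.get("tlsverify") is not True:
        issues.append(("no-tlsverify",
                       "TCP listener without tlsverify: any client that can reach the "
                       "port gets root-equivalent control of the host"))
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not cfg.get(key):
            issues.append(("missing-" + key, f"{key} not set; TLS cannot be enforced"))
    for h in tcp_hosts:
        u = urlsplit(h)
        if u.port == PLAINTEXT_PORT:
            issues.append(("plaintext-port", f"{h} uses the conventional unencrypted port"))
        if u.hostname in WILDCARD_HOSTS:
            issues.append(("wildcard-bind", f"{h} listens on every interface"))
    return issues


def issue_codes(raw_json):
    """Short codes only, convenient for a CI gate or a config-scanning rule."""
    return [code for code, _ in audit_daemon_config(raw_json)]


if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, issue_codes(doc))
```

The same keys can be passed to dockerd on the command line (`--tlsverify --tlscacert=... -H tcp://...`), so a host-level check should also read the unit file or process arguments, not only `/etc/docker/daemon.json`.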
  19. Solution providers
  20. Thank you
  21. References: • https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2018.pdf • https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2018/06/27125925/KSN-report_Ransomware-and-malicious-cryptominers_2016-2018_ENG.pdf • https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-by-design-a-checklist-for-safeguarding-virtual-machines-and-containers • https://docs.docker.com/develop/dev-best-practices/ • https://docs.docker.com/engine/security/https/
