Rahul Kumar & Rupali Dash
In the current era of blockchain technology, mining cryptocurrency is one of the biggest hits. The talk covers how attackers use insecure containers to mine cryptocurrency and earn million-dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by intrusion detection vendors. While there has been a slight fall in activity in 2018, it is still at an elevated level, with total cryptojacking events blocked in July 2018 totalling just under 5 million.
The talk will cover how mining is carried out using browsers as well as cloud containers. We will also discuss how cloud providers like Amazon, Azure and Google detect such activity, and how minor misconfigurations lead to million-dollar currency mining. The talk will also cover how third-party security providers like Symantec and Zscaler, and other intrusion detection systems, have configured signatures to block such attacks, and, from a SecOps perspective, what configuration checks should be done to prevent and detect them. It will also cover case studies and attack scenarios of mining Monero and the huge financial losses caused by these attacks.
DevSecCon Singapore 2019: Cryptojacking: An evolving threat for cloud containers
1. Singapore | 28 Feb - 01 Mar 2019
Cryptojacking
RAHUL KUMAR & RUPALI DASH
2. Who are we?
Rahul Kumar
• Security Engineer, DSRE, Microsoft India R&D
• Vulnerability Management & Research
• Security Researcher @ DSLabs Trend Micro
• Security solution developer
Rupali Dash
• Pentester at AXL.net
• Specialist in Web and Mobile app security
• SecOps Consultant
3. Why Cryptojacking… why now?
4. What we will be talking…
• Intro to cryptojacking
• Types of cryptojacking
• The story time
• Cloud misconfigurations leading to cryptojacking
• Detection/Evasion techniques
• Mitigation
• Security Solutions
5. Cryptomining vs Cryptojacking
6. Types of cryptojacking
• Browser based mining
• Server based mining
• Containerized mining
• Microservice oriented mining
7. The Story time
The attack flow
• Infection
• Bootstrapping
• Mining
• Discovery
• Spreading the infection
8. Infection
• By default, Docker enables only the Unix socket.
• Docker uses ports 2375/2376 over TCP for remote access to Docker services.
• The infection spreads across hosts using misconfigured or loosely configured Docker services that expose their REST management APIs through open and unauthenticated TCP ports.
10. Discovery and spreading the infection
11. Last but not the least . . .
12. Cloud misconfigurations leading to cryptomining
• Open Kubernetes console or Docker registries (Docker Hub)
• Attackers can find open Docker registries and registries with default credentials
• They can build a Docker image with malicious code
• And push that malicious image to the registry
13. Cloud misconfigurations leading to cryptomining
• Use of unpatched components
• The attacker can scan for unpatched components/services.
• They can use exploits to gain privilege and inject their mining code
• WebLogic RCE: CVE-2017-10271
14. Cloud misconfigurations leading to cryptomining
• Writable AWS S3 bucket
15. Cloud misconfigurations leading to cryptomining
• Use of malicious 3rd party libraries
• Attacker can inject malicious code into 3rd party libraries
• Whoever uses this malicious library will get infected
• Browsealoud JavaScript library
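The slide names no control for the third-party-library case, so this is an added example (not from the talk) of the check a site owner can apply: Subresource Integrity (SRI), where the page pins a hash of the reviewed copy of the script and the browser refuses to run a copy that no longer matches. The helper below computes the `integrity` attribute value in the form browsers expect (`<algo>-<base64 raw digest>`) and verifies a fetched copy against it; the script bytes and the tampered variant are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Hash algorithms the SRI specification allows in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content, algo="sha384"):
    """Return the value to put in a script tag's integrity attribute."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """True when `content` matches the pinned integrity value (constant-time compare)."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def script_tag(src, content):
    """Render the tag a page should embed for a reviewed copy of a third-party script."""
    return (
        f'<script src="{src}" integrity="{sri_hash(content)}" '
        'crossorigin="anonymous"></script>'
    )


# Constructed sample: the reviewed copy of a third-party script and a copy with
# extra code appended, which is what a library-poisoning attack would serve.
REVIEWED_SCRIPT = b"(function(){window.helper = function(){return 1;};})();"
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b"/* appended code */"
PINNED_INTEGRITY = sri_hash(REVIEWED_SCRIPT)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/helper.js", REVIEWED_SCRIPT))
    print("reviewed copy ok:", verify_sri(REVIEWED_SCRIPT, PINNED_INTEGRITY))
    print("tampered copy ok:", verify_sri(TAMPERED_SCRIPT, PINNED_INTEGRITY))
```

The same `verify_sri` check works in a build pipeline: hash the vendored copy at review time, store the value, and fail the build when the copy fetched at deploy time differs.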
16. Detection Techniques
• Signature based (unique identifier string/wallet address)
• Domain based detection: blacklisting domains/IPs which are hosting cryptomining scripts
• Anomalous CPU utilisation
• Analysis of DNS client traffic
• Monitoring IRC communication
• http://cryptoioc.ch/api
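An added example (not from the talk) of three of the detections listed above run over constructed telemetry: DNS client queries matched against a domain blocklist, process command lines matched against miner signatures (the `stratum+tcp://` pool URL scheme and a simplified Monero-style wallet address, 95 base58 characters starting with `4`), and a sustained-CPU rule that separates a miner from a normal short spike. The pool domains, log formats and sample lines are all constructed placeholders; in a real deployment the blocklist would be fed from a source such as the IoC API the slide cites.

```python
import re

# Constructed blocklist of mining-pool domains (placeholder names, not real pools).
POOL_DOMAINS = {"pool.xmr-example.invalid", "mine.example-pool.invalid"}

# Signature patterns: the stratum mining-protocol URL scheme and a simplified
# Monero-style public address (95 base58 characters beginning with '4').
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+")
XMR_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")


def check_dns_log(lines):
    """Return (client, qname) pairs whose query hits the blocklist.

    Constructed line format: '<timestamp> <client-ip> query <qname>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in POOL_DOMAINS or any(qname.endswith("." + d) for d in POOL_DOMAINS):
            hits.append((parts[1], qname))
    return hits


def check_process_list(lines):
    """Return (pid, reasons) for command lines carrying miner signatures.

    Constructed line format: '<pid> <command line>'.
    """
    hits = []
    for line in lines:
        pid, _, cmd = line.strip().partition(" ")
        reasons = []
        if STRATUM_RE.search(cmd):
            reasons.append("stratum-url")
        if XMR_ADDR_RE.search(cmd):
            reasons.append("wallet-address")
        if reasons:
            hits.append((int(pid), reasons))
    return hits


def sustained_cpu(samples, threshold=90.0, window=5):
    """True when `window` consecutive utilisation samples all exceed `threshold`.

    A single spike is normal; a miner keeps the CPU pegged for the whole window.
    """
    run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        if run >= window:
            return True
    return False


# Constructed sample telemetry (the wallet address is a dummy of the right shape).
DNS_LOG = [
    "2019-02-28T10:00:01Z 10.0.0.5 query pool.xmr-example.invalid.",
    "2019-02-28T10:00:02Z 10.0.0.7 query updates.example.org.",
]
PROCESS_LIST = [
    "1 /sbin/init",
    "4711 /tmp/miner -o stratum+tcp://pool.xmr-example.invalid:3333 -u "
    + "4" + "A" * 94 + " -p x",
    "4802 nginx: worker process",
]
CPU_SAMPLES = [12.0, 95.5, 97.1, 99.0, 98.4, 96.2, 97.8]

if __name__ == "__main__":
    print("dns hits:", check_dns_log(DNS_LOG))
    print("process hits:", check_process_list(PROCESS_LIST))
    print("sustained cpu:", sustained_cpu(CPU_SAMPLES))
```

For containers the CPU samples would come from the cgroup CPU accounting of each container rather than from the host total, so that a single pegged container stands out on an otherwise idle node.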
17. Evasion techniques used by modern crypto-malware
• Use of proxies and URL randomisation
• Use of legitimate code hosting services like GitHub and Pastebin
• Use of obfuscation
• Throttling
18. Mitigation Techniques
• Keep containers patched and updated. Have a continuous patch cycle.
• Ensure that container images are authenticated, signed and drawn from a trusted registry (Docker Trusted Registry).
• Employ encrypted communication protocols when exposing Docker’s daemon to the network. Enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.
• Properly configure how many resources a container is allowed to use.
• Don’t use the default configuration.
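An added example (not from the talk) that turns the "Infection" slide and the mitigation points above into a configuration check: it audits a parsed Docker daemon.json for an API exposed over TCP without client-authenticated TLS (the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real daemon.json settings; 2375 is the conventional plaintext API port and 2376 the TLS port), and checks a container's `HostConfig` (the shape `docker inspect` returns, using its `Memory`, `NanoCpus` and `CpuQuota` fields) for missing resource limits. The two daemon configurations and the two container settings are constructed samples.

```python
import json
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375  # conventional unencrypted Docker API port; 2376 is the TLS port


def audit_daemon_config(cfg):
    """Return a list of findings for a parsed daemon.json dictionary."""
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only local unix-socket listeners: not reachable from the network
    for host in tcp_hosts:
        url = urlsplit(host)
        if url.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: API bound to all interfaces")
        if url.port == PLAINTEXT_API_PORT:
            findings.append(f"{host}: listening on the conventional plaintext port")
    if not cfg.get("tlsverify"):
        findings.append("tlsverify is off: remote clients are not authenticated")
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    return findings


def audit_daemon_json(text):
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


def audit_host_config(host_config):
    """Flag unlimited CPU/memory in a container's HostConfig (docker inspect shape).

    A zero Memory means no memory limit; zero NanoCpus and zero CpuQuota together
    mean the container may consume every core on the host.
    """
    findings = []
    if not host_config.get("Memory"):
        findings.append("no memory limit")
    if not host_config.get("NanoCpus") and not host_config.get("CpuQuota"):
        findings.append("no CPU limit")
    return findings


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.12:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
UNLIMITED_CONTAINER = {"Memory": 0, "NanoCpus": 0, "CpuQuota": 0}
LIMITED_CONTAINER = {"Memory": 512 * 1024 * 1024, "NanoCpus": 500_000_000, "CpuQuota": 0}

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(text))
    print("unlimited container:", audit_host_config(UNLIMITED_CONTAINER))
    print("limited container:", audit_host_config(LIMITED_CONTAINER))
```

Binding the API to a specific interface with `tlsverify` on means a client must present a certificate signed by the CA in `tlscacert`, which is what closes the unauthenticated-TCP path the "Infection" slide describes; the resource limits then cap how much a compromised container can mine even if it is reached by some other route.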