Aqua Security Finds New Cryptojacking Technique

Aqua Security this week issued an alert about a new type of cryptojacking attack that abuses containers to mine cryptocurrency by consuming network bandwidth rather than CPU cycles.

Assaf Morag, lead data analyst for Aqua Security, says that while the company has found instances of this new attack vector in the wild, there have been no reports of this type of attack actually being launched.

However, this attack vector is likely to prove significant because it produces only a moderate increase in CPU utilization. That lets the miners stay under the radar of security tools that rely on CPU utilization rates to identify cryptojacking, notes Morag.

The containers embed a piece of software called packetcrypt, a miner created for PKT cash, a decentralized blockchain platform that pays individuals for sharing their internet bandwidth. Cryptojackers are now running that tool inside compromised container environments, so the bandwidth being mined belongs to the victim rather than the attacker.
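The detection gap described above is easy to see in telemetry. The following is an added example, not code from the article or from Aqua Security: a toy detector that scores per-container metrics on network throughput and on bytes moved per unit of CPU, alongside the CPU-only rule the article says bandwidth miners slip past. The telemetry schema, thresholds, container and image names, and the sample data are all constructed for illustration; in a real deployment the samples would come from cAdvisor, the Docker stats API, or eBPF network accounting. Only the process name packetcrypt is taken from the page.

```python
"""Constructed example: flag bandwidth-mining containers that a CPU-only rule misses."""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Sample:
    """One averaging window of per-container telemetry (schema is an assumption)."""
    container: str
    image: str
    cpu_pct: float              # average CPU over the window, % of one core
    tx_bytes_per_s: float       # egress throughput
    rx_bytes_per_s: float       # ingress throughput
    processes: Tuple[str, ...]  # process names observed inside the container


# Constructed telemetry for a small fleet. worker-7 models the bandwidth miner:
# modest CPU, but tens of MB/s in both directions. batch-3 is a legitimate
# CPU-heavy job that a CPU-only rule would flag instead.
SAMPLES: List[Sample] = [
    Sample("web-1",    "nginx:1.25",     12.0,  1.2e6,  0.4e6, ("nginx",)),
    Sample("web-2",    "nginx:1.25",     10.5,  1.1e6,  0.5e6, ("nginx",)),
    Sample("api-1",    "app/api:3.4",    35.0,  0.6e6,  0.3e6, ("node",)),
    Sample("worker-7", "app/worker:3.4", 18.0, 45.0e6, 38.0e6, ("sh", "packetcrypt")),
    Sample("batch-3",  "app/etl:1.0",    92.0,  0.2e6,  0.1e6, ("python",)),
]

# packetcrypt is the miner named in the alert; extend with other names you track.
MINER_PROCESS_NAMES = frozenset({"packetcrypt"})


def cpu_only_alerts(samples: Iterable[Sample], cpu_threshold: float = 80.0) -> List[str]:
    """The rule the article calls insufficient: alert only on sustained high CPU."""
    return [s.container for s in samples if s.cpu_pct >= cpu_threshold]


def bandwidth_alerts(
    samples: Iterable[Sample],
    tx_multiplier: float = 10.0,        # egress must exceed this multiple of the fleet median
    bytes_per_cpu_pct: float = 1.0e6,   # bytes/s moved per 1% CPU; miners are network-bound
) -> Dict[str, List[str]]:
    """Score containers on network behaviour relative to the fleet and to their own CPU use."""
    samples = list(samples)
    fleet_median_tx = median([s.tx_bytes_per_s for s in samples])
    findings: Dict[str, List[str]] = {}
    for s in samples:
        reasons: List[str] = []
        # Rule 1: egress far above what peers in the same fleet emit.
        if s.tx_bytes_per_s > tx_multiplier * fleet_median_tx:
            reasons.append(
                f"egress {s.tx_bytes_per_s / 1e6:.1f} MB/s is >{tx_multiplier:.0f}x fleet median"
            )
        # Rule 2: lots of traffic per unit of CPU, i.e. the work is network-bound.
        ratio = (s.tx_bytes_per_s + s.rx_bytes_per_s) / max(s.cpu_pct, 0.1)
        if ratio > bytes_per_cpu_pct:
            reasons.append(f"{ratio / 1e6:.1f} MB/s per CPU% (network-bound, low CPU)")
        # Rule 3: a known miner binary is running in the container.
        hits = MINER_PROCESS_NAMES.intersection(s.processes)
        if hits:
            reasons.append(f"known miner process: {', '.join(sorted(hits))}")
        if reasons:
            findings[s.container] = reasons
    return findings


if __name__ == "__main__":
    print("CPU-only rule flags:", cpu_only_alerts(SAMPLES))
    for name, reasons in bandwidth_alerts(SAMPLES).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

Running it shows the CPU-only rule flagging only the legitimate batch job while the bandwidth rules single out worker-7 on all three counts. The fleet-wide median is a crude baseline: a legitimate proxy or CDN edge container is also bandwidth-heavy, so in practice the comparison should be per image or per workload class, and the process-name rule should be treated as corroboration rather than the primary signal, since a miner binary is trivially renamed.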

While cryptojacking is often viewed as a nuisance crime, it can lead to more damaging attacks later if it is not identified early and stopped. It is not uncommon for purveyors of cryptomining attacks to resell the access and techniques they used to compromise an IT environment to other cybercriminals, who can then, for example, launch a ransomware attack by embedding more destructive malware in a similar container.

The cost of a cryptojacking attack also tends to grow over time, because miners that go undetected consume more resources the longer they run.

In general, cryptojacking attacks are getting more difficult to detect as cybercriminals use a range of evasive techniques. Attackers are also counting on organizations lacking extensive container security capabilities. Many container application environments are maintained by developers with limited cybersecurity expertise, who often assume that because containers are short-lived, sometimes running for only a few seconds, cybercriminals won't target them. However, the infrastructure used to run containers presents a fertile opportunity for cryptojackers, who exploit containers to surreptitiously mine cryptocurrencies.

As more organizations review the security of their software supply chains in the wake of a series of high-profile breaches, more cryptojacking attacks are likely to be discovered and blocked. As that starts to occur, however, organizations should assume cybercriminals will not simply go away. Instead, they will adjust their tactics.

In the meantime, appreciation for container security continues to grow. In fact, container adoption is one of the primary reasons more organizations are embracing DevSecOps practices to secure highly dynamic application environments. The challenge, of course, is that it may take months or even years to fully implement those practices and, even then, not every development team will have implemented them consistently. As such, it's critical for IT operations and security teams to make sure security policies are enforced both during the application development process and at runtime. Otherwise, developers will continue to make mistakes that cybercriminals can exploit.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
