Oracle Cloud Infrastructure (OCI) is becoming an increasingly popular cloud platform, and that popularity can attract cybercriminals looking to exploit lapses in cyber hygiene within our customers' tenancies. One threat we have seen increase recently is crypto-jacking. Crypto-jacking, as defined by Interpol, is a "type of cybercrime where a criminal secretly uses a victim's computing power to generate cryptocurrency." In OCI the definition is slightly different: it is the secret use of resources in a victim's OCI tenancy to generate cryptocurrency.

Crypto-jacking attacks target all cloud providers because they offer highly performant computing services that can be exploited at scale. By gaining access to the resources in a victim's OCI tenancy, an attacker can use them to mine cryptocurrency, resulting in significant financial gain for the attacker at the customer's expense. The two attack patterns we see most commonly are creating new compute resources in a customer's tenancy and using existing compute resources for mining. The first pattern leverages weak or stolen OCI IAM credentials, while the second compromises an existing instance through SSH brute force or exploitation of unpatched vulnerabilities. The rest of this blog post discusses ways to minimize and detect these attacks in your OCI tenancy.

Minimize

Multi-factor Authentication

One of the most straightforward ways to defend your OCI tenancy against stolen credentials is multi-factor authentication. Multi-factor authentication (MFA) is a method of authentication that requires more than one factor to verify a user's identity. With MFA enabled in the OCI IAM service, users signing in to Oracle Cloud Infrastructure are first prompted for their username and password, which is the first factor (something they know). They are then prompted for a verification code from a registered MFA device, which is the second factor (something they have). Together the two factors add a layer of verification to the sign-in process, so an attacker who has stolen only a username and password cannot sign in and create instances in your tenancy.

Infrastructure Controls

OCI compute instances reside within a Virtual Cloud Network (VCN), a customizable, private cloud network. Like a traditional data center network, the VCN gives customers control over their cloud networking environment. To reduce exposure to instance compromise, deploy compute instances into private subnets; if you must deploy them in public subnets, use restrictive Network Security Groups or Security Lists that allow access only from the IP ranges and ports that are required. To reduce the chance of a vulnerability being used to compromise your instance, keep the operating system up to date. To streamline patching, OCI's OS Management service lets you manage and monitor updates and patches for the operating systems on your Oracle Cloud instances, including instances running Oracle Autonomous Linux.

Quotas

Customers can use quotas to reduce financial exposure to this attack by preventing the creation of more compute instances than a set limit. Quotas in OCI control resource consumption within a compartment. Compartment quotas are similar to service limits: both act as an allowance set on a resource that prevents use beyond what you allotted. Configuring a tenancy-wide (root compartment) quota prevents the creation of superfluous compute instances.

Detect

Budgets

In addition to regular logging and monitoring, budgets can monitor spending increases in your tenancy. Setting a budget at the root compartment with an alert threshold lets you track spending in your tenancy and alerts you if that threshold is crossed. Unexpected increases in spending detected this way may indicate crypto-jacking.
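As an added example (not code from the original post or from Oracle), the following check runs over OCI Audit records and flags the first attack pattern described above: instance launches from source addresses your administrators do not use, and bursts of launches by a single principal. The record layout is a simplified, assumed version of the OCI Audit event schema, and every principal, address and timestamp is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample OCI Audit records (newline-delimited JSON), trimmed to the
# fields this check reads. Field names follow the OCI Audit event schema as
# assumed here; every value (principals, IPs, times) is invented.
SAMPLE_LOG = """\
{"eventType":"com.oraclecloud.computeapi.launchinstance","eventTime":"2024-05-01T09:58:00Z","data":{"eventName":"LaunchInstance","compartmentName":"prod","identity":{"principalName":"alice","ipAddress":"203.0.113.10"}}}
{"eventType":"com.oraclecloud.computeapi.terminateinstance","eventTime":"2024-05-01T10:02:00Z","data":{"eventName":"TerminateInstance","compartmentName":"prod","identity":{"principalName":"alice","ipAddress":"203.0.113.10"}}}
{"eventType":"com.oraclecloud.computeapi.launchinstance","eventTime":"2024-05-01T23:10:00Z","data":{"eventName":"LaunchInstance","compartmentName":"prod","identity":{"principalName":"svc-deploy","ipAddress":"198.51.100.7"}}}
{"eventType":"com.oraclecloud.computeapi.launchinstance","eventTime":"2024-05-01T23:11:00Z","data":{"eventName":"LaunchInstance","compartmentName":"prod","identity":{"principalName":"svc-deploy","ipAddress":"198.51.100.7"}}}
{"eventType":"com.oraclecloud.computeapi.launchinstance","eventTime":"2024-05-01T23:11:30Z","data":{"eventName":"LaunchInstance","compartmentName":"prod","identity":{"principalName":"svc-deploy","ipAddress":"198.51.100.7"}}}
{"eventType":"com.oraclecloud.computeapi.launchinstance","eventTime":"2024-05-01T23:12:00Z","data":{"eventName":"LaunchInstance","compartmentName":"prod","identity":{"principalName":"svc-deploy","ipAddress":"198.51.100.7"}}}
"""
# Source addresses your administrators and CI normally operate from (constructed).
KNOWN_SOURCE_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_launches(ndjson):
    """Return (time, principal, source_ip) for each LaunchInstance record, sorted by time."""
    launches = []
    for line in filter(str.strip, ndjson.splitlines()):
        rec = json.loads(line)
        if rec["data"].get("eventName") != "LaunchInstance":
            continue  # terminations and other API calls are not of interest here
        ident = rec["data"]["identity"]
        when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        launches.append((when, ident["principalName"], ident["ipAddress"]))
    return sorted(launches)


def find_suspicious_launches(ndjson, known_ips, burst=4, window=timedelta(minutes=10)):
    """Flag launches from unknown source IPs and >= `burst` launches by one principal within `window`."""
    launches = parse_launches(ndjson)
    unknown_ip = sorted({(p, ip) for _, p, ip in launches if ip not in known_ips})
    by_principal = defaultdict(list)
    for when, principal, _ in launches:
        by_principal[principal].append(when)
    bursts = {}
    for principal, times in by_principal.items():
        for i in range(len(times)):  # window anchored at each launch, times are sorted
            count = sum(t - times[i] <= window for t in times[i:])
            if count >= burst:
                bursts[principal] = max(bursts.get(principal, 0), count)
    return {"unknown_source_ip": unknown_ip, "launch_burst": bursts}


if __name__ == "__main__":
    print(json.dumps(find_suspicious_launches(SAMPLE_LOG, KNOWN_SOURCE_IPS), indent=2))
```

Tune `known_ips`, `burst` and `window` to your own administrative activity; a legitimate autoscaling or CI principal will also trip the burst rule unless it is excluded.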

Oracle Cloud Guard

Oracle Cloud Guard detects misconfigured resources, insecure activity across tenants, and malicious threat activity, and gives security administrators the visibility to triage and resolve cloud security issues. As of this writing there are over 90 detector rules, and many provide insight that helps detect possible vectors of crypto-jacking attacks. The detector rules related to the IAM, Networking, and Compute services are the most relevant for detecting misconfigurations that could expose your resources to crypto-jacking.


Finally, if your OCI tenancy has been a victim of crypto-jacking, contact Oracle Support.