CISO Perspectives: Threat Intel Update on Crypto-Jacking

April 28, 2023 | 3 minute read
Josh Hammer
Field Chief Cloud Security Architect
Sean Sweeney
Senior Director, Field CISO & Security Advisor Team

Oracle Cloud Infrastructure (OCI) is an increasingly popular cloud platform, and that popularity attracts cybercriminals looking to exploit any lapses in cyber hygiene within our customers' tenancies. One threat we have seen increase recently is crypto-jacking. Crypto-jacking, as defined by Interpol, is a "type of cybercrime where a criminal secretly uses a victim's computing power to generate cryptocurrency." In OCI the definition is slightly different: it is the secret use of resources in a victim's OCI tenancy to generate cryptocurrency.

Crypto-jacking attacks target all cloud providers because they offer highly performant compute services that can be exploited at scale. By gaining access to the resources of a victim's OCI tenancy, an attacker can use them to mine cryptocurrency, at significant financial gain to the attacker and at the customer's expense. The two attack patterns we see most commonly are creating new compute resources in a customer's tenancy and using existing compute resources for mining. The first pattern relies on weak or stolen OCI IAM credentials; the second compromises an existing instance, either by SSH brute force or by exploiting an unpatched vulnerability. The rest of this post discusses ways to minimize and detect these attacks in your OCI tenancy.

Minimize

Multi-factor Authentication

One of the most straightforward ways to defend your OCI tenancy against stolen credentials is multi-factor authentication (MFA), an authentication method that requires more than one factor to verify a user's identity. With MFA enabled in the OCI IAM service, users signing in to Oracle Cloud Infrastructure are prompted for their username and password, the first factor (something they know), and then for a verification code from a registered MFA device, the second factor (something they have). Together the two factors add a layer of verification to the sign-in process, so an attacker who has stolen only a username and password cannot sign in and create instances in your tenancy.

Infrastructure Controls

OCI compute instances reside within a Virtual Cloud Network (VCN), a customizable private cloud network. Like a traditional data center network, a VCN gives customers control over their cloud networking environment. To reduce exposure to instance compromise, deploy compute instances into private subnets; if you must deploy them in public subnets, use restrictive Network Security Groups or Security Lists that allow access only from the IP ranges and ports required. To reduce the chance of a vulnerability being used to compromise an instance, keep the operating system up to date. To streamline patching, OCI's OS Management service lets you manage and monitor updates and patches for the operating systems on your Oracle Cloud instances, including Oracle Autonomous Linux instances managed by OS Management.

Quotas

Customers can use quotas to reduce their financial exposure to this attack by preventing the creation of more compute instances than their limit allows. Quotas in OCI control resource consumption within a compartment. Compartment quotas are similar to service limits: both act as an allowance set on a resource, preventing the use of more than has been allotted. Configuring a tenancy-wide (root compartment) quota prevents the creation of superfluous compute instances.

Detect

Budgets

In addition to regular logging and monitoring, budgets can monitor spending increases in your tenancy. Setting a budget at the root compartment with an alert threshold lets you track spending across your tenancy and alerts you when that threshold is exceeded. Monitoring spending this way lets you detect increases that, if unexpected, may indicate crypto-jacking.

Oracle Cloud Guard

Oracle Cloud Guard detects misconfigured resources, insecure activity across tenants, and malicious threat activity, and gives security administrators the visibility to triage and resolve cloud security issues. As of this writing there are over 90 detector rules, many of which can provide insight to help detect possible crypto-jacking attack vectors. The detector rules for the IAM, Networking, and Compute services are the most relevant for detecting misconfigurations that could expose your resources to crypto-jacking.
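Alongside Cloud Guard and budgets, the "regular logging and monitoring" mentioned above can be turned into custom detections over OCI Audit events for the first attack pattern (instance creation with stolen credentials). The example below is added here and is not code from the original post or from an Oracle product: it flags principals that launch instances in bursts, and launches made from outside an allowed network range. The event layout follows the OCI Audit schema, but the events, principal names, addresses and the CIDR allowlist are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def _event(name, principal, ip, when):
    # Field layout follows the OCI Audit event schema (eventType, eventTime,
    # data.eventName, data.identity.*); every value below is constructed.
    return {"eventType": "com.oraclecloud.computeapi." + name.lower(), "eventTime": when,
            "data": {"eventName": name, "compartmentName": "dev",
                     "identity": {"principalName": principal, "ipAddress": ip}}}

# Constructed sample: "svc-build" launches four instances in eight minutes from an
# address outside the corporate range; "alice" does routine work from inside it.
SAMPLE_EVENTS = [
    _event("LaunchInstance", "svc-build", "203.0.113.7", "2023-04-20T02:10:00Z"),
    _event("LaunchInstance", "svc-build", "203.0.113.7", "2023-04-20T02:12:30Z"),
    _event("LaunchInstance", "svc-build", "203.0.113.7", "2023-04-20T02:15:00Z"),
    _event("LaunchInstance", "svc-build", "203.0.113.7", "2023-04-20T02:18:00Z"),
    _event("LaunchInstance", "alice", "198.51.100.20", "2023-04-20T09:00:00Z"),
    _event("TerminateInstance", "alice", "198.51.100.20", "2023-04-20T09:05:00Z"),
]

def _launches(events):
    # Yield (principal, ip, time) for LaunchInstance events only.
    for e in events:
        if e["data"].get("eventName") == "LaunchInstance":
            ident = e["data"]["identity"]
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            yield ident["principalName"], ident["ipAddress"], when

def launch_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Map each principal to the largest number of launches inside any sliding
    window of the given length, keeping only those at or above threshold."""
    by_principal = defaultdict(list)
    for principal, _ip, when in _launches(events):
        by_principal[principal].append(when)
    flagged = {}
    for principal, times in by_principal.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[principal] = max(flagged.get(principal, 0), hi - lo + 1)
    return flagged

def off_network_launches(events, allowed_cidrs):
    """Sorted (principal, ip) pairs that launched instances from outside allowed_cidrs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted({(p, ip) for p, ip, _ in _launches(events)
                   if not any(ipaddress.ip_address(ip) in n for n in nets)})
```

Tune the window and threshold to your tenancy's normal provisioning rate; a hit from either function is a prompt to check the principal's recent sign-ins and the launched shapes, not proof of compromise.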


Finally, if your OCI tenancy has been a victim of crypto-jacking, contact Oracle Support.


Josh Hammer

Field Chief Cloud Security Architect

Josh Hammer is a Field Chief Cloud Security Architect with Oracle. In this role, he works with customers to help them build innovative cloud security architectures and strategies that standardize and accelerate the secure adoption of Oracle Cloud Infrastructure (OCI). 

Sean Sweeney

Senior Director, Field CISO & Security Advisor Team

Sean Sweeney leads the Field CISO team for Oracle, North America Cloud and Technology Engineering.  In this role, he is responsible for aligning and mobilizing his team of highly skilled former CISOs, architects, and compliance experts.  He and his team focus on advising customer CISOs on security and compliance issues related to cloud, technical messaging and thought leadership, as well as providing strategic direction on OCI security products, services, and partnerships. 

Sean joined Oracle from Microsoft where he was the Global Chief Security Advisor. Sean is a previous Chief Information Security Officer at the University of Pittsburgh, Chief Technology Officer of a legal technology and eDiscovery firm, Chief Information Officer for a national law firm, and Litigation Support Applications Manager for the U.S. Department of Justice.  Sean is also an Affiliate Practice Scholar in the University of Pittsburgh’s Cyber Institute of Policy, Law, and Security and a graduate of Carnegie Mellon University’s Heinz College CISO Program.

