Mitigating a crypto jacking incident on an AWS machine from the earliest stages

Ten years ago, cryptocurrencies were an academic concept, largely unknown to the global population. Now, they are considered to be the ‘digital gold’ of our era.

It all began with the appearance of Bitcoin in 2009, which led to the creation of over 4,000 cryptocurrencies in the following decade. While cryptocurrencies have significantly changed the world of finance, they have also attracted many cybercriminals to the industry. Recent statistics attest that crypto jacking incidents soared in 2022, showing an 86% increase compared to the monthly average in 2021.

Let’s now look at how our client, a logistics operator in Europe, managed to proactively detect and remediate a crypto jacking incident with the help of our Cloud Security team.

Key Challenges

Recently, crypto mining malware infected an AWS machine belonging to one of our clients. The infection was eating up resources and had started to add up on the cloud bill.

We became aware of the issue through GuardDuty, an AWS tool which identified the machine and the account that had been infected. Before we intervened, the problem had gone unnoticed since nobody had been assigned to monitor this tool.

Our Approach

We started off by applying quick countermeasures, namely immediately blocking all public access. That way, we ensured that all the open doors to the crypto-jacked account were closed, cutting off any actor attempting to perform malicious activity.

After the first wave of panic, we met with the client teams and identified the source of the incident, which turned out to be a Kubernetes cluster. We then came up with as many recommendations as possible, drawn from various sources (development teams, tools, external agencies, etc.) to make sure that a similar incident would not happen again.

From that time until now, our teams have been hard at work enhancing the security of the above-mentioned Kubernetes clusters. To do so, we implemented Kubescape, a monitoring tool that identifies open vulnerabilities and exposed ports that could lead to a compromise.

In a second step, we set up a security remediation channel where we rapidly applied remediations based on the recommendations from 4 different tools (3 from Amazon, 1 Positive Thinking Company-owned tool).

Thirdly, we structured and applied security governance. Indeed, while the organization had the appropriate tools and human resources, it lacked the delegation processes and the stakeholders to receive and monitor the alerts. That’s where our Managed Services offering came in handy.

Benefits

We have applied inbound and outbound rules to stop all external traffic and set up alarms in the event that anyone tries to spin up an external public machine. By setting those triggers, we will be able to easily prevent potential crypto jacking incidents from happening in the future.
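Triage logic for the two signals described in this case, written as an added example (not the client's configuration or any AWS tooling's code): a GuardDuty cryptocurrency finding and a CloudTrail RunInstances event that requests a public IP. The event shapes are simplified, constructed samples modelled on the JSON those services emit, and the account, instance and user identifiers are placeholders.

```python
"""Alert on GuardDuty cryptomining findings and on instance launches that
request a public IP. Added example; event samples below are constructed."""
import json

# Constructed sample: a GuardDuty finding as delivered through EventBridge.
GUARDDUTY_FINDING = json.dumps({
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "accountId": "111122223333",
        "resource": {"instanceDetails": {"instanceId": "i-0exampleinstance"}},
    }
})

# Constructed sample: a CloudTrail record for a launch that asks for a public IP.
RUN_INSTANCES_EVENT = json.dumps({
    "detail": {
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-example"},
        "requestParameters": {
            "networkInterfaceSet": {"items": [{"associatePublicIpAddress": True}]}
        },
    }
})


def triage(event_json: str) -> dict:
    """Return an alert dict when an event matches one of the two controls, else {}."""
    detail = json.loads(event_json).get("detail", {})
    # Control 1: any GuardDuty finding in the CryptoCurrency family points at
    # the infected account and instance, so it is escalated as mining activity.
    if detail.get("type", "").startswith("CryptoCurrency:"):
        instance_details = detail.get("resource", {}).get("instanceDetails", {})
        return {"alert": "cryptomining", "account": detail.get("accountId"),
                "instance": instance_details.get("instanceId"),
                "severity": detail.get("severity")}
    # Control 2: a RunInstances call whose network interface requests a public
    # address recreates the exposure the inbound/outbound rules were meant to close.
    if detail.get("eventName") == "RunInstances":
        params = detail.get("requestParameters", {})
        items = params.get("networkInterfaceSet", {}).get("items", [])
        if any(item.get("associatePublicIpAddress") for item in items):
            return {"alert": "public_instance_launch",
                    "principal": detail.get("userIdentity", {}).get("arn")}
    return {}
```

In practice this function would sit behind an EventBridge rule that forwards GuardDuty findings and CloudTrail EC2 API calls to a Lambda, which then raises the alarm.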

Because of (or rather, thanks to) this crypto jacking incident, we have safeguarded our client’s cyber space on a much larger scope than the one where the initial problem was located.

While we were initially only involved in the Advise and Build phases of our client’s Cloud initiative, we are now able to have a bird’s eye view on their cloud initiative by handling the Run and Optimize stages as well.

We will move into a Cloud Managed Services engagement model with the client, where the management of the Cloud will be based on the shared responsibility model of the Cloud Platform. While enforcing certain security policies for compliance and following best practices, development teams can still have the liberties they need to test, build, deploy and run their applications. As a Cloud Integrator, we will help our client keep an eye on the overall security posture and risks, and advise our client on how to avoid such incidents from happening again, or at least build safe segmentation between the different layers of the client’s application and network topology.