Unit 42, the global threat intelligence team at Palo Alto Networks, which conducted and published the research as part of a larger “Cloud Threat Report,” first started tracking cryptojacking in 2018.
The report focuses specifically on the illicit mining of the privacy coin monero (XMR), given its popularity with hackers, the authors say. The research was conducted from September 2020 through February 2021. “Globally, 23% of organizations with cloud workloads experienced cryptojacking from July through September 2020, compared to only 17% from December 2020 through February 2021, according to our findings,” the report states.
Monero and cryptojacking
According to Unit 42 researcher Nathaniel Quist, cryptojacking is a problem, and appealing to attackers, for two reasons. First, the cloud has lots of CPUs and lots of virtual machines, said Quist, which can translate to big mining profits. Second, the cloud is hard to monitor. Quist said miners can run undetected for a long time, and without any detection mechanisms in place, they may run until the user finds an inflated cloud usage bill and realizes that something is wrong.
“There is currently a heightened awareness by cloud security teams towards the significance, impact and risks of cryptomining operations and we believe the initial steps are being taken to better secure cloud environments,” Quist said.
Researchers saw that the lowest number of mining network connections occurred at the highest market price points, which may indicate that mining operators were performing the majority of their mining during bear markets before selling during high price runs.
While XMR is the most popular coin for cloud mining, Unit 42 also looked at the network connections for ether, bitcoin, litecoin and dash. In each case, XMR mining connections significantly outperformed the other mining operations.
While cryptojacking itself was down, that doesn’t mean there wasn’t an increase in other kinds of cybercrime associated with increased demand for cloud computing products. Looking from October 2019 to February 2021, Unit 42’s research indicates that cloud security incidents exploded by 188% in the second quarter of 2020 (April to June) as nationwide lockdowns went into effect.
The team also found that while organizations and businesses were quickly able to move their workflow to the cloud, automated security measures lagged behind. And these kinds of security incidents didn’t discriminate by industry. The retail industry saw incidents increase by 402% while manufacturing and government increased by 230% and 205%, respectively.
It wasn’t just security incidents that increased either, but also the risk to sensitive data. Surprisingly, the Unit 42 research found that 35% of businesses globally let their cloud storage resources be publicly accessible from the internet. Thirty percent of those organizations exposed some form of sensitive data to the internet, making it potentially vulnerable. This data included personally identifiable information, intellectual property and healthcare and financial data.
“This finding was shocking, given that anyone who knows the right URLs can access the data without passwords or other authentication,” the researchers wrote.