Cloud Security: What to Do When Bitcoin Miners Hijack Your Cloud Accounts

While most bitcoin mining operations are entirely legitimate, some have taken advantage of misconfigurations in public cloud infrastructure in order to aggregate the computing power needed to generate bitcoin. Complete and granular visibility into your cloud infrastructure is essential for mitigating these types of cloud security risks.

Several years ago, an organization with significant investments in public cloud infrastructure worked with our team to configure a trial account of the CloudHealth platform. In the process, they discovered something interesting—one of the organization’s cloud accounts was responsible for a disproportionate amount of their monthly cloud bill.

What they determined next was ominous—no one at the organization could explain what the account was used for.

At first, this wasn’t too alarming. The public cloud is decentralized by nature. Even for organizations that use cloud service providers’ tools for tracking cloud costs, accurately allocating expenses to the project, team, or user responsible is notoriously difficult. It’s not uncommon for CloudHealth customers to discover that some of their teams are configuring far more resources than they need, if only because they’re not aware of how it may affect the cloud bill at the end of the month.

After a little more digging, however, it became clear that the account in question was not being used by anyone at the organization, nor for any purpose related to the business. As it turned out, the account had been taken over by a third-party bitcoin mining operation.

What is bitcoin mining?

To understand why someone might look to hijack your public cloud accounts to mine bitcoin, it helps to understand how bitcoin mining works. What is commonly referred to as “mining” is functionally an incentive program for verifying the legitimacy of bitcoin transactions. In exchange for verifying these transactions, the person or organization who carried out the process receives net new bitcoin. This is actually the only way that new bitcoin are released to the market. Comparisons have been made to the California gold rush, as this process provides access to new shares of a valuable commodity. Hence the term “mining.”

The process of mining bitcoin requires massive amounts of computing resources. Essentially, the more computing power you have, the more bitcoin you can generate. In an example that underlines how immense these facilities can be, a data center project in Texas designed to generate bitcoin is scoped for 180,000 square feet and 100 acres of property.

While the price has been volatile, the value of bitcoin has reached astronomical highs over the past decade. Those looking to cash in on this market have been drawn to opportunities to generate bitcoin while keeping operating costs at a minimum. For example, a small town in Washington attracted unexpectedly intense competition for real estate several years ago after investors learned that it had access to extremely low-priced hydropower, which would help a bitcoin mining operation maintain higher margins.

How can bitcoin mining affect public cloud security?

Naturally, this market opportunity has led to more nefarious routes to profitability. While most bitcoin mining operations are entirely legitimate, some have taken to seizing control of public cloud infrastructure hosted by third-party organizations and aggregating the computing power to generate bitcoin. In this model, the hackers sell the bitcoin generated on the market and pass all costs of the mining operation on to the organizations that are billed for the infrastructure.

To pull this off successfully, hackers take advantage of one of the most common challenges for organizations in the public cloud—a lack of visibility.

When operating at scale, developers will unwittingly make seemingly minor mistakes in cloud resource configuration that can provide access to their public cloud accounts and data. Without granular visibility into how these resources are configured, security teams often don’t get the opportunity to identify and remediate these mistakes before the services are deployed. Hackers know this and use a number of tools to find and exploit these misconfigurations. In fact, IBM Security’s 2020 Cost of a Data Breach report found that configuration error tied as the most common cause of malicious breaches.

Once they’ve gained access to these accounts, the hackers will deploy the computing resources needed for their bitcoin operation. Without visibility into how specific resources, users, or projects contribute to the total cloud bill, these organizations will struggle to identify when costs are increasing unnecessarily. Some may assume that an increase in costs was justified as part of ongoing development projects, and will continue to pay the bill fully unaware that they’re funding an illegitimate bitcoin mining operation.
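The attribution gap described above can be closed with a simple per-account check over daily billing data: flag any account that has no recorded owner, that accounts for a disproportionate share of the bill, or whose spend jumps sharply from one week to the next. The following is an added illustration, not CloudHealth code or any cloud provider's API; the account names, owner tags, thresholds (40% share, 2x week-over-week) and the billing figures are all constructed for the example.

```python
from statistics import mean

# Constructed sample (not real billing data): 14 days of daily spend, in USD,
# for three cloud accounts. "acct-3" has no owner recorded and its spend jumps
# sharply in the second week, the pattern the article describes.
DAILY_SPEND_USD = {
    "acct-1": [100.0] * 14,
    "acct-2": [50.0] * 14,
    "acct-3": [10.0] * 7 + [400.0] * 7,
}
ACCOUNT_OWNERS = {"acct-1": "platform-team", "acct-2": "data-team", "acct-3": None}


def share_of_bill(daily_spend):
    """Fraction of total spend attributable to each account (0.0 for an empty bill)."""
    totals = {acct: sum(days) for acct, days in daily_spend.items()}
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {acct: 0.0 for acct in totals}
    return {acct: t / grand_total for acct, t in totals.items()}


def week_over_week_ratio(series, window=7):
    """Mean spend over the last `window` days divided by the mean of the window before it.
    A previously idle account that starts spending is reported as an infinite ratio."""
    if len(series) < 2 * window:
        raise ValueError("need at least two full windows of daily spend")
    recent = mean(series[-window:])
    prior = mean(series[-2 * window:-window])
    if prior == 0:
        return float("inf") if recent > 0 else 1.0
    return recent / prior


def find_anomalous_accounts(daily_spend, owners, share_threshold=0.4, spike_threshold=2.0):
    """Flag accounts that are unowned, dominate the bill, or spike week over week.
    Any single signal flags the account; the reasons list records which ones fired."""
    shares = share_of_bill(daily_spend)
    findings = []
    for acct, series in daily_spend.items():
        ratio = week_over_week_ratio(series)
        reasons = []
        if owners.get(acct) is None:
            reasons.append("no owner recorded for this account")
        if shares[acct] >= share_threshold:
            reasons.append(f"{shares[acct]:.1%} of total spend")
        if ratio >= spike_threshold:
            reasons.append(f"{ratio:.1f}x week-over-week increase")
        if reasons:
            findings.append({"account": acct, "owner": owners.get(acct),
                             "share": shares[acct], "spike_ratio": ratio,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalous_accounts(DAILY_SPEND_USD, ACCOUNT_OWNERS):
        print(finding["account"], "->", "; ".join(finding["reasons"]))
```

On the sample data only acct-3 is reported, with all three reasons. The ownership signal is the cheapest of the three and the one that would have surfaced the account in the story immediately: spend that nobody can attribute is a finding on its own, whatever its size.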

This example is just a microcosm of the risks of operating a public cloud environment without establishing full visibility. Hackers have far more extensive motivations for exploiting configuration mistakes than just bitcoin mining. And runaway costs are much more likely to come as a result of the decisions made by development teams using cloud resources.

This is why the first stage in our framework for maturity in cloud management revolves around gaining visibility into costs and usage. Businesses are embracing the cloud to move faster and innovate. Visibility is essential not only for mitigating these types of risks, but for unlocking the value that made the cloud appealing in the first place.

To learn more about how to move forward in your cloud journey, read our whitepaper, Benchmark Your Cloud Maturity: A Framework for Best Practices.