According to an Aqua Security report released this week, attacks on cloud systems have grown by a record 250% over the past year. Notably, the attackers are breaking into cloud servers mainly to mine cryptocurrency.
The attacks are carried out to mine cryptocurrency (most often Monero), not to steal confidential information, build infrastructure for DDoS attacks, and so on.
“The number of attacks per day on these servers increased dramatically in the first half of the year: their average number per day increased from 12 in December 2019 to 43 in June 2020,” the researchers report.
The experts write that between June 2019 and July 2020 they detected and analyzed 16,371 cloud attacks: that is the number of times attackers tried to break into the company’s decoy servers and then download and deploy malicious container images onto them.
Decoy (honeypot) servers help to understand attackers’ methods; however, Aqua Security states that the results can be “highly biased due to a single initial access point”. This means that similar studies analyzing multiple compromised access points or supply chain attacks may reach different conclusions.
While decoys do not accurately simulate real-world attack conditions, they do provide insight into the malware used to compromise cloud servers and the motives behind such attacks.
Almost 95% of the studied attacks were carried out to mine cryptocurrency; the remainder were mostly related to DDoS infrastructure.
“The landscape of cloud attacks has changed over the past year, and now organized crime groups are increasingly choosing to invest in infrastructure,” note Aqua Security experts.
The complexity of the attacks has changed as well: where cybercriminals previously scanned the Internet for unprotected cloud servers, exploited known vulnerabilities and favored brute force, hack groups now frequently mount complex supply chain attacks. For example, they plant malware in ordinary container images and upload them to public repositories.
“Such malware only begins to operate after the image is deployed, which means that the payload is extremely difficult to detect using static analysis or relying on signature-based security mechanisms,” the analysts say.
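Because a trojanized public image looks benign until it runs, one practical defence is an admission check on the image references a workload pulls: refuse images from unapproved registries and images that are not pinned to a content digest, since a mutable tag can be silently re-pushed with different layers. The following is an added example in Python, not code from Aqua Security or its report; the registry allow-list and the sample image references are constructed for illustration.

```python
"""Container image admission check: flag images that could be swapped for a
trojanized copy because they come from an unapproved registry or are not
pinned to a sha256 digest.  Added example; the allow-list and sample image
references below are constructed, not taken from any real cluster."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical policy: only these registries may serve images to the cluster.
ALLOWED_REGISTRIES = {"registry.internal.example", "ghcr.io"}


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split '[registry/]repo[:tag][@sha256:...]' into its parts, applying the
    Docker defaults (docker.io registry, 'library/' namespace, 'latest' tag)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The leading path component is a registry if it looks like a host
    # (contains a dot or a port, or is 'localhost'); otherwise it is a namespace.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    else:
        registry, name = "docker.io", ref
    # A ':' after the last '/' separates the tag (a ':' before it would be a port).
    tag = None
    last_colon = name.rfind(":")
    if last_colon > name.rfind("/"):
        name, tag = name[:last_colon], name[last_colon + 1:]
    if registry == "docker.io" and "/" not in name:
        name = "library/" + name
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, name, tag, digest)


def check_image(ref: str) -> List[str]:
    """Return the policy findings for one image reference (empty list means OK)."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in ALLOWED_REGISTRIES:
        findings.append(f"registry {img.registry!r} not in allow-list")
    if img.digest is None:
        # A tag can be re-pushed with a different (trojanized) layer set;
        # only a content digest pins exactly the bytes that were reviewed.
        findings.append(f"not pinned by digest (tag {img.tag!r} is mutable)")
    elif not img.digest.startswith("sha256:") or len(img.digest) != len("sha256:") + 64:
        findings.append(f"malformed digest {img.digest!r}")
    return findings


def audit_pod_images(images: List[str]) -> Dict[str, List[str]]:
    """Audit every image in a workload; returns {image: findings} for offenders only."""
    report = {}
    for ref in images:
        findings = check_image(ref)
        if findings:
            report[ref] = findings
    return report


# Constructed sample: container images taken from a hypothetical pod spec.
SAMPLE_IMAGES = [
    "registry.internal.example/payments/api@sha256:" + "a" * 64,  # compliant
    "ghcr.io/example/worker:1.4.2",                               # approved registry, mutable tag
    "alpine",                                                     # Docker Hub, implicit 'latest', no digest
    "docker.io/someuser/helper:3.1@sha256:" + "b" * 64,           # pinned, but registry not approved
]

if __name__ == "__main__":
    for ref, findings in audit_pod_images(SAMPLE_IMAGES).items():
        print(ref)
        for finding in findings:
            print("  -", finding)
```

Such a check complements rather than replaces runtime monitoring: it cannot tell whether a pinned image is clean, but it guarantees that what runs is exactly the image that was reviewed and that it came from a registry the organisation controls.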
Not only are the attacks becoming more sophisticated, but so is the malware the attackers use. The report states that its complexity is already comparable to that of desktop malware. In particular, the experts have encountered payloads triggered in stages, malware with 64-bit encryption, and threats that effectively disabled and removed the “products” of competing hack groups.
Recall that some time ago the official Monero cryptocurrency website was hacked and used to distribute malware.