Crypto-hackers need to play ‘capture the flag in the cloud’ to exploit victims’ servers

Illegal cryptocurrency mining rigs that hack servers for profit are having to fight each other for limited resources within the hijacked cloud space. So, in addition to staying ahead of the hacked system’s security, there is a silent battle behind the scenes between potential profiteers.

And while it might seem like a lot of fun to watch cryptominers pathetically fighting over server scraps, this is fierce competition, which encourages a certain level of innovation from the parties involved. Their internal struggle only makes them stronger, faster and more agile.

The use of malware for profit in the cryptocurrency space has been on the rise in recent years, with security reports in 2018 noting a 4,000% increase, and it has only become more prevalent since. After all, why use your own resources when you can invade someone else’s?

As Trend Micro reports, more and more of these illicit cryptocurrency mining rigs are turning to cloud-based servers to maximize profit on wider and more powerful hardware arrays, but it’s not always as simple as yelling “I’m in” and watching the zeros roll in.

A recent Trend Micro research paper (PDF) goes into more detail, but the crux (described in a blog post) is as follows: “The battle to take over and maintain control over a victim’s servers is a major driving force for the evolution of these groups’ tools and techniques, leading them to constantly improve their ability to remove competitors from compromised systems and, at the same time, resist their own removal.”

Competing groups use removal scripts to eliminate rivals, obfuscate their code to make it harder to analyse, and add persistence mechanisms such as continually changing passwords to keep competitors at bay, all the while evading the hacked system’s own security controls.

It seems illegal cryptocurrency miners have forgotten the fifth rule of fight club: one fight at a time, folks.

With competition so fierce, groups are continually producing “new exploits that allow them to attack systems their competitors cannot, while constantly improving their ability to resist being excluded by competitors.”

The report cites a rivalry between Kinsing and 8220, two groups targeting WebLogic vulnerabilities, which are constantly found fighting each other within the infected system, “sometimes even several times a day”.

Trend Micro is calling this “a kind of cloud capture of the flag”.

This kind of hacking commotion will only become more rampant as we move towards a more cloud-based future. And this almost parodic dance that illegal cryptocurrency miners have found themselves in – having to act as both attacker and defender – will only serve to improve their tactics.
