Singapore | 28 Feb - 01 Mar 2019
Cryptojacking
RAHUL KUMAR & RUPALI DASH
Who are we?
Rahul Kumar
• Security Engineer, DSRE, Microsoft
India R&D
• Vulnerability Management &
Research
• Security Researcher @ DSLabs
Trend Micro
• Security solution developer
Rupali Dash
• Pentester at AXL.net
• Specialist in Web and Mobile app security
• SecOps Consultant
Why Cryptojacking… why now?
What we will be talking about…
• Intro to cryptojacking
• Types of cryptojacking
• The story time
• Cloud misconfigurations leading to
cryptojacking
• Detection/Evasion techniques
• Mitigation
• Security Solutions
Cryptomining vs Cryptojacking
Types of cryptojacking
• Browser based mining
• Server based mining
• Containerized mining
• Microservice oriented mining
The Story time
The attack flow
• Infection
• Bootstrapping
• Mining
• Discovery
• Spreading the infection
Infection
• By default, Docker listens on a Unix socket.
• Docker uses ports 2375/2376 over TCP for remote access to the Docker daemon.
• The infection spreads across hosts through misconfigured or loosely configured Docker services that expose their REST management API on open, unauthenticated TCP ports.
Bootstrapping & mining
Discovery and spreading the infection
Last but not least…
Cloud misconfigurations leading to cryptomining
• Open Kubernetes consoles or Docker registries (Docker Hub)
• Attackers can find open Docker registries and registries with default credentials
• They can build a Docker image containing malicious code
• And push that malicious image to the registry
Cloud misconfigurations leading to cryptomining
• Use of unpatched components
• The attacker can scan for unpatched components/services.
• They can use exploits to gain privileges and inject their mining code
• WebLogic RCE: CVE-2017-10271
Cloud misconfigurations leading to cryptomining
• Writable AWS S3 bucket
Cloud misconfigurations leading to cryptomining
• Use of malicious 3rd-party libraries
• Attackers can inject malicious code into 3rd-party libraries
• Whoever uses the compromised library gets infected
• Browsealoud JavaScript library
Detection Techniques
• Signature based (unique identifier string / wallet address)
• Domain based detection: blacklisting domains/IPs that host cryptomining scripts
• Anomalous CPU utilisation
• Analysis of DNS client traffic
• Monitoring IRC communication
• http://cryptoioc.ch/api
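Two of the techniques listed above (domain-based blacklisting applied to DNS client traffic, and anomalous CPU utilisation) carried through in code, as an added example that is not from the talk. Every domain, client address, log line and CPU measurement below is constructed; a real deployment would feed resolver logs and host metrics and take its blocklist from a threat-intel feed such as the IoC API linked on the slide.

```python
"""Two detection techniques from the slide above, run over constructed data:
(1) matching DNS client queries against a blocklist of domains that host
mining pools or mining scripts, and (2) flagging sustained anomalous CPU
utilisation.  Added example, not from the talk; every domain, address and
measurement below is constructed."""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

# Constructed resolver log: "<timestamp> <client_ip> <queried_name>"
DNS_LOG = """\
2019-02-28T10:00:01Z 10.0.0.7 updates.example.com
2019-02-28T10:00:05Z 10.0.0.7 pool.miner-ioc.test
2019-02-28T10:00:09Z 10.0.0.12 cdn.example.com
2019-02-28T10:00:15Z 10.0.0.12 api.miner-ioc.test
2019-02-28T10:00:20Z 10.0.0.7 xmr.another-pool.test
"""

# Constructed blocklist; entries are matched as domain suffixes so that any
# subdomain of a listed domain is caught as well.
BLOCKLIST: Set[str] = {"miner-ioc.test", "another-pool.test"}


def domain_is_listed(qname: str, blocklist: Set[str]) -> bool:
    """True if qname or any of its parent domains is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_dns_queries(log: str, blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for every query that hits the blocklist."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, qname = parts
        if domain_is_listed(qname, blocklist):
            hits.append((client, qname))
    return hits


def hits_per_client(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count blocklisted queries per client to prioritise which host to triage."""
    return dict(Counter(client for client, _ in hits))


def sustained_cpu_anomaly(samples: List[float], baseline_len: int = 10,
                          k: float = 3.0, min_run: int = 3) -> Optional[int]:
    """Index where a run of >= min_run consecutive samples above the baseline
    threshold starts, or None.  The baseline is the first baseline_len samples;
    the threshold is mean + k*stdev, floored at mean + 10 points so a very flat
    baseline does not turn ordinary jitter into an alert.  Requiring a run
    separates a miner's constant load from a short legitimate burst."""
    base = samples[:baseline_len]
    threshold = max(mean(base) + k * pstdev(base), mean(base) + 10.0)
    run_start, run = None, 0
    for i in range(baseline_len, len(samples)):
        if samples[i] > threshold:
            if run == 0:
                run_start = i
            run += 1
            if run >= min_run:
                return run_start
        else:
            run = 0
    return None


# Constructed per-minute CPU% for one host: quiet baseline, a small wobble,
# then the flat ~97% plateau a miner produces.
CPU_MINER = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 18, 97, 98, 99, 97, 96]
# Constructed: same baseline, then a two-minute legitimate burst that ends.
CPU_BURST = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 95, 96, 14, 13, 12, 11]

if __name__ == "__main__":
    hits = flag_dns_queries(DNS_LOG, BLOCKLIST)
    print("blocklisted queries per client:", hits_per_client(hits))
    print("miner plateau starts at sample:", sustained_cpu_anomaly(CPU_MINER))
    print("burst host anomaly:", sustained_cpu_anomaly(CPU_BURST))
```

The two signals are deliberately kept separate: a host that both resolves a blocklisted pool domain and shows a sustained CPU plateau is a much stronger candidate than one that trips only the CPU check, which legitimate batch jobs also do.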
Evasion techniques used by modern crypto-malware
• Use of proxies and URL randomisation
• Use of legitimate code-hosting services like GitHub and Pastebin
• Use of obfuscation
• Throttling
Mitigation Techniques
• Keep containers patched and updated. Have a continuous patch cycle.
• Ensure that container images are authenticated, signed and drawn from a trusted registry (Docker Trusted Registry).
• Employ encrypted communication protocols when exposing Docker's daemon to the network. Enable TLS by specifying the tlsverify flag and pointing Docker's tlscacert flag to a trusted CA certificate.
• Properly configure how many resources a container is allowed to use.
• Don't use the default configuration.
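A configuration audit that ties the Infection slide (the REST API reachable on an open, unauthenticated TCP port, conventionally 2375) to the TLS mitigation above (tlsverify plus tlscacert), as an added example that is not from the talk. The keys checked are Docker's documented daemon.json options; the two sample configurations and the management address 10.0.0.5 are constructed.

```python
"""Audit a Docker daemon.json for the remote-API exposure described on the
Infection slide (an unauthenticated TCP listener, conventionally 2375) and
check the TLS settings the Mitigation slide asks for (tlsverify plus a CA
certificate).  Added example, not from the talk; the keys are Docker's
documented daemon.json options, the sample configs are constructed."""
import json
from typing import List
from urllib.parse import urlparse

# Constructed: the exposure cryptojacking campaigns abused, plaintext API
# bound to every interface.
INSECURE_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Constructed: TLS-only listener with client-certificate verification.
# 10.0.0.5 is a placeholder management address, not a real host.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"
})

# Constructed: the default, no network listener at all.
UNIX_ONLY_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})


def audit_daemon_config(raw_json: str) -> List[str]:
    """Return a list of findings; an empty list means no remote-API exposure found."""
    cfg = json.loads(raw_json)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: the REST API is not reachable over the network

    if not cfg.get("tlsverify"):
        findings.append("TCP listener without tlsverify: the REST API accepts "
                        "unauthenticated remote commands")
    else:
        # tlsverify only helps if the daemon knows which CA to trust and has
        # its own certificate and key to present.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")

    for host in tcp_hosts:
        url = urlparse(host)
        if url.port == 2375:
            findings.append(f"{host}: 2375 is the conventional plaintext API port")
        if url.hostname in (None, "", "0.0.0.0", "::") and not cfg.get("tlsverify"):
            findings.append(f"{host}: bound to all interfaces without TLS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("unix-only", UNIX_ONLY_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on each host as part of the continuous patch-and-configuration cycle the slide calls for; any TCP listener that produces findings is the same opening the Infection slide describes. Per-container resource limits are set at `docker run` time rather than in daemon.json, so they are out of scope for this audit.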
Solution providers
Thank you
References:
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2018.pdf
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2018/06/27125925/KSN-report_Ransomware-and-malicious-cryptominers_2016-2018_ENG.pdf
• https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-by-design-a-checklist-for-safeguarding-virtual-machines-and-containers
• https://docs.docker.com/develop/dev-best-practices/
• https://docs.docker.com/engine/security/https/

DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud containers
