How to Detect Cryptojacking in a Cloud Environment

The software behind cryptojacking — a type of security breach in which attackers mine cryptocurrency on infrastructure owned by someone else, leading to bloated hosting costs — is designed to be hard to detect in any environment. But in the cloud, cryptojacking detection can be especially difficult, due to the lower level of visibility and control that cloud admins have over their environments.

Related: How Cloud Computing Has Intensified Cybersecurity Challenges

Fortunately, difficult doesn't mean impossible. Keep reading for tips on how to identify cryptojacking attacks in the cloud.

Why Cloud Cryptojacking Is Difficult to Detect

The reason why cloud-based cryptojacking software is harder to detect is simple enough: In the cloud, conventional cryptojacking detection methods don't work as well because businesses that use the cloud don't have as much visibility into or control over their cloud environments.

Related: What Happened in That Cyberattack? With Some Cloud Services, You May Never Know

In an on-premises environment, cryptojacking attacks can be detected in three main ways. One is to scan operating systems to check for processes that appear to be carrying out cryptomining. Good security scanning and monitoring software should be capable of finding at least some cryptojacking software by identifying anomalous features within it.

In other cases — if cryptojacking applications elude security scans — you can often detect the attacks simply by monitoring CPU usage. Since cryptomining consumes very high amounts of CPU, a sudden spike in CPU utilization that can't be explained in other ways (such as increased load on legitimate applications) could reveal cryptojacking. This detection approach may not pinpoint the source of the cryptojacking, but it at least alerts admins to the fact that cryptojacking is likely happening, so that they can research the issue further.

A third way of detecting unauthorized cryptomining is to monitor network connections for signs of unusual requests or protocols known to be associated with cryptomining.

Unfortunately, none of these detection techniques necessarily works well in the cloud. Depending on the type of cloud service you are using, you may not be able to scan your host servers' operating systems or the network at a low level to look for cryptojacking software. You also may not be able to collect enough infrastructure utilization metrics to identify likely cryptojacking attacks.

For example, if you deploy applications in the cloud using serverless functions, you can't scan the host servers, and you are limited in most cases to basic performance and networking metrics that may not be enough to detect anomalies related to cryptojacking attacks. The same is generally true if you run containerized applications using a managed Kubernetes service, where you also have limited access to the underlying host environment.

Ways to Detect Cloud Cryptojacking

That said, there are ways to check for cryptojacking, even in cloud environments where you have less control.

Scan software

You may not be able to scan the servers that host cloud workloads, but you can — and should — scan your applications in most cases. For example, if you deploy containers on a managed Kubernetes platform, you can scan the containers prior to running them. Scanning won't guarantee full protection against cryptojacking, but it will detect most cryptomining software that attackers have embedded into your applications.

Analyze cloud network logs

By default, the networking metrics and other data that you get from most cloud providers are limited. But if you set up special networking infrastructure, such as a virtual private cloud, you can use features like VPC flow logs to gain deeper visibility into what's happening on the network.

From there, you may be able to detect cryptojacking attacks that you'd otherwise miss.

Audit cloud access controls

Monitoring and auditing access configurations in your cloud can help surface cryptojacking attacks, among other security issues. Insecure access control configurations are one path by which attackers can plant cryptomining software inside your cloud. As a result, if you detect insecure permissions settings, you may then be able to audit accounts and resources associated with those permissions in order to locate unauthorized activities, like the deployment of cryptominers.

To be sure, not every insecure cloud access control setting necessarily means you've been compromised by cryptojacking, but auditing access controls is one way of detecting potential cryptomining breaches.

Monitor cloud spending

A crude but effective way of catching some cryptomining attacks in your cloud is to monitor cloud spending. Billing spikes that aren't associated with legitimate changes in your environment might be a sign of cryptojacking.

Again, monitoring spending may not be enough to pinpoint where cryptomining is happening, but it can at least point you in the right direction — especially if you monitor cloud spending granularly, such that you can link spending increases to specific types of cloud resources so that you know which ones have likely been compromised by cryptojacking.

Conclusion

Finding cryptojacking software within your cloud environment is more challenging than detecting cryptomining on-premises. But it's certainly not impossible. When you adopt the right strategies and analyze the right types of data, unauthorized cloud cryptomining operations become easy enough to identify — and, in turn, to shut down in order to avoid the unnecessary spending that results from cryptojacking attacks.

About the author

Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.