Attackers abuse cloud accounts to spawn thousands of crypto CDN nodes

Hackers have found a new way to abuse cloud computing accounts: spawning virtual machines that join a blockchain-based content delivery network. This potentially lets them bypass the limits admins put in place to prevent cryptocurrency mining, because the workload does not depend on CPU cycles and RAM but on storage space and bandwidth.

Researchers from security firm Sysdig recently investigated an attack campaign that spawned 6,000 micro instances from a compromised AWS account across different regions and deployed the client for a blockchain-based content delivery service and bandwidth marketplace called the Meson Network.

This service allows users to make their extra storage space and bandwidth available to other projects through a decentralized network of nodes in exchange for crypto tokens called MSN. This is Meson’s equivalent of mining in other cryptocurrency projects where users are rewarded tokens for using their computing resources to perform “work” for the network such as validating transactions.

The problem with this shift in monetization techniques is that existing detections for CPU spikes and limits put on the number and type of instances that an account can spawn might not apply to this attack. For example, the account that Sysdig observed being abused on their honeypot network had a limitation to only create micro instances. These are AWS instances with very limited CPU and RAM that wouldn’t be very useful for a traditional cryptominer, but it didn’t discourage the hackers in this case who spawned around 6,000 of them. This would have cost the account owner an estimated $2,000 per day, and even more if the cost of the public IP addresses assigned to those instances is counted.

Attackers use multiple initial access techniques

The attackers compromised Sysdig’s honeypot servers through a known vulnerability in the Laravel PHP framework (CVE-2021-3129) as well as through a WordPress misconfiguration. This shows that these attackers employ multiple techniques to gain initial access on their victims’ servers.

They then used reconnaissance techniques to determine their environment and abused the privileges of the compromised AWS credentials to spawn batches of 500 instances across multiple AWS regions using a public VM image for Ubuntu 22.04. They did this by calling the RunInstances API with a userdata field containing additional commands that downloaded and executed the meson_cdn binary at startup.

The researchers were able to observe the files exchanged between the binary and the CDN, and random images and messages received from the network began to be stored in the m_cache folder. “Contrary to what we expected, the Meson application used a relatively low percentage of memory and CPU usage compared to traditional cryptojacking incidents,” the researchers said.

Spikes in traffic, storage use, and outbound connections key to detection

The researchers advise organizations to add detections for this new type of attack. For example, spikes in traffic and storage usage can be red flags, as can a large number of outbound connections. CloudTrail logs can also be monitored for RunInstances events, and rules can be created to alert on command execution in AWS regions the account is not normally supposed to use. The Meson Network is a legitimate service, but attackers are always on the lookout for new ways to monetize hacked servers. Last year, researchers from Akamai reported a similar attack they dubbed proxyjacking, in which hackers added compromised servers to the Peer2Profit and Honeygain commercial proxy networks, which pay users in exchange for bandwidth.
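As an added illustration of the CloudTrail-based detection suggested above (example code written for this article, not Sysdig's own tooling), the following scans RunInstances records for three of the signals described: launches in regions the account does not normally use, single calls requesting large batches of instances, and one identity fanning out across many regions. The expected-region set, thresholds, account ID and ARN are assumptions, and the sample records are constructed in the shape CloudTrail uses for RunInstances.

```python
from collections import defaultdict

# Regions this account normally operates in; an assumption for the example.
EXPECTED_REGIONS = {"us-east-1"}


def run_instances_alerts(events, expected_regions=EXPECTED_REGIONS,
                         burst_threshold=100, region_threshold=3):
    """Scan CloudTrail records and return (reason, detail) tuples.

    Flags a RunInstances call outside expected_regions, a single call whose
    summed maxCount over instancesSet is a large batch, and an identity that
    launches into many distinct regions within the scanned log window.
    """
    alerts = []
    total = defaultdict(int)      # instances requested per identity
    regions = defaultdict(set)    # regions used per identity
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        region = ev.get("awsRegion", "unknown")
        params = ev.get("requestParameters") or {}
        items = (params.get("instancesSet") or {}).get("items") or []
        requested = sum(int(i.get("maxCount", 1)) for i in items)
        itype = params.get("instanceType", "unknown")
        total[arn] += requested
        regions[arn].add(region)
        if region not in expected_regions:
            alerts.append(("unexpected_region", f"{arn} called RunInstances in {region}"))
        if requested >= burst_threshold:
            alerts.append(("launch_burst", f"{arn} requested {requested} x {itype} in {region}"))
    for arn, regs in regions.items():
        if len(regs) >= region_threshold:
            alerts.append(("region_fanout",
                           f"{arn} launched into {len(regs)} regions, {total[arn]} instances total"))
    return alerts


def _event(arn, region, count, itype="t3.micro"):
    """Build a minimal CloudTrail-style RunInstances record (constructed sample)."""
    return {"eventName": "RunInstances", "awsRegion": region,
            "userIdentity": {"arn": arn},
            "requestParameters": {"instanceType": itype,
                                  "instancesSet": {"items": [{"minCount": count, "maxCount": count}]}}}


# Constructed sample: one routine launch, then batches of 500 micro instances in unused regions.
ATTACKER = "arn:aws:iam::111122223333:user/compromised-deploy"   # placeholder identity
SAMPLE_EVENTS = [_event(ATTACKER, "us-east-1", 1), _event(ATTACKER, "us-west-2", 500),
                 _event(ATTACKER, "eu-west-1", 500), _event(ATTACKER, "ap-southeast-1", 500)]

if __name__ == "__main__":
    for kind, detail in run_instances_alerts(SAMPLE_EVENTS):
        print(kind, detail)
```

In practice the event list would come from a CloudTrail export or Athena query, and the expected-region set from the organization's own inventory.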
