Cloud environments are susceptible to a wide variety of cyberattacks, making them difficult to secure. Some cyberattacks are easier to detect than others, so a priority in cloud security is having adequate detection and response systems in place to mitigate them. Unauthorized cryptomining has become a prevalent threat in recent years, especially in cloud environments where it can be harder to detect. That’s because cryptomining often does not look like malicious activity but rather like cloud resources simply running busier processes. This type of attack can quickly drive up computing costs and significantly affect application performance before it’s detected.
Datadog CSM Threats solves these pain points by enabling teams to proactively identify and stop cryptomining activity on cloud workloads. With these capabilities, CSM Threats enables DevOps stakeholders to take ownership of their environment’s security and support the challenging transition to DevSecOps. In addition, dedicated security teams can use Datadog CSM’s advanced detection and protection capabilities to minimize the scope of unauthorized cryptomining attacks and identify their source, down to the affected resources.
In this post, we’ll look at:
- Signs of cryptomining activity on cloud workloads
- How Datadog CSM Threats can identify and instantly stop cryptomining
- Recommendations for preventing future cryptomining attacks
Signs of cryptomining activity
The way in which cryptomining attacks are executed in cloud environments is part of what makes them so challenging to detect. Since cryptomining requires extensive computing resources, threat actors often attempt to avoid detection by distributing cryptomining software across a large number of cloud resources. This enables them to avoid triggering a spike in CPU usage on any one resource, which would draw attention. For example, they may deploy hundreds of containers onto multiple Amazon Elastic Container Service (Amazon ECS) clusters and then run their software on each of the new container instances. As part of their campaign, threat actors may also attempt to further hide any signs of their activity by encrypting outbound connections to mining pools.
While cryptomining attacks are designed to be undetectable, there are a few signs that teams can look for in their cloud workloads, including:
- Consistently high CPU usage for a single resource or group of cloud resources
- CPU overclocking caused by kernel module manipulation
- A gradual decline in service performance
- Sudden, unexplained spikes in cloud computing costs for a service or region that typically has low activity
In addition to the direct signs of cryptomining, there are also signals within a team’s cloud infrastructure that can confirm unauthorized activity. For example, teams can look for a sudden increase in newly deployed clusters on infrequently used cloud regions.
Even if teams know what signs to look for, it can still be difficult to confirm that they are caused by unauthorized cryptomining. Investigating this type of activity requires adequate monitoring across multiple areas of a cloud environment in order to confirm and stop it—from how existing instances are performing over time to how many new instances are spinning up.
Automatically detect and stop unauthorized cryptomining activity
Datadog CSM Threats cuts through the noise that comes with investigating cryptomining activity by identifying and proactively stopping any unauthorized mining processes on cloud workloads. It accomplishes this via the Datadog Agent and built-in Agent rules that monitor for processes that either resolved a DNS name or launched with specific arguments associated with mining—two primary sources of this type of unauthorized activity. These rules also include an out-of-the-box action to automatically kill the malicious process once it’s detected.
When Datadog detects a running cryptomining process, it will generate a signal that includes more information about its source, which resources it’s running on, and more. This information gives developers, SREs, and dedicated security teams the context they need to confirm that the process is no longer running, quarantine affected resources, and promptly fix any vulnerabilities or misconfigurations.
Prevent future cryptomining attacks
Unauthorized cryptomining is typically an indicator of significant security gaps in cloud workloads that need to be addressed. With the ability to identify and stop cryptomining activity within milliseconds, DevOps and security teams can dedicate more of their time to securing vulnerable cloud workloads instead of sifting through resources to find the source of an attack.
Teams can start this process by first patching affected resources—including public-facing ones—with the latest software and security updates. Threat actors often search for outdated, external resources like web or email servers, Internet of Things devices, and storage buckets first because their vulnerabilities offer easy access to cloud environments. Teams can also secure their workloads further by fixing overly permissive access controls, such as IAM roles, and misconfigured resources. For example, they can ensure that their Kubernetes clusters are configured with the appropriate controls based on compliance best practices, which Datadog can help teams track across all their cloud workloads.
Protect cloud resources from unauthorized cryptomining
In this post, we looked at the signs of unauthorized cryptomining on cloud workloads and how Datadog CSM Threats can help DevOps and security teams easily detect and stop this kind of activity. We also looked at recommendations for preventing cryptomining attacks in the future and how Datadog supports these efforts. For more information about Datadog CSM Threats and its capabilities, check out our CSM documentation. Or, you can start putting an end to unauthorized cryptomining activity in your cloud workloads today.
If you don’t already have a Datadog account, you can sign up for a free 14-day trial.
