Cryptojacking: Understanding and defending against cloud compute resource abuse | Microsoft Security Blog

Microsoft details cloud cryptojacking as cloud compute resource abuse within compromised tenants, leading to substantial compute fees (over $300,000 observed). The post outlines attacker lifecycle, GPU-focused deployment, and defender strategies using Microsoft Defender for Cloud Apps and other solutions to detect and mitigate these threats. #cryptojacking #cloudcompute #Azure #GPU #mining #nanopool #nicehash #hashvault #zpool #herominers #f2pool #minexmr #moneroocean #minerrocks

Keypoints

  • Cloud cryptojacking is cloud compute resource abuse that can incur large, unplanned compute fees for victims (examples exceed $300,000).
  • Attackers typically gain access via compromised credentials and may operate from attacker-controlled VMs inside legitimate tenants, often without MFA in use.
  • Privilege escalation can elevate access to global administrator accounts to gain control over all resources.
  • Defensive evasion includes subscription hijacking to hide activity and complicate incident response and forensics.
  • Compute deployment is rapid and patterned, using VM scale sets, Azure ML compute, Azure Batch, and Azure Container Instances, with heavy emphasis on GPU provisioning.
  • GPU hardware (NVIDIA T4, V100, A100) is favored for mining, with driver extensions used to mass-provision GPU drivers on compromised VMs.
  • Detections and mitigations center on privileged access controls, MFA, risk-based sign-ins, quota monitoring, and monitoring for external Azure IPs; multiple Defender products offer specific mining-related detections.

MITRE Techniques

  • [T1078] Valid Accounts – Access via compromised credentials. ‘To perform this attack, the threat actor must have access to credentials that can be used to access the tenant. These credentials need to have the virtual machine contributor role, or provide a path to a user account that does.’
  • [T1566] Phishing – Credentials obtained via phishing among methods. ‘Threat actors abusing tenants in this way utilize multiple methods to gain account credentials such as phishing, using leaked credentials, and on-premises device compromise.’
  • [T1552] Unsecured Credentials – Use of leaked credentials as a common vector. ‘…using leaked credentials…’ (context of credential access methods)
  • [T1548.001] Abuse Elevation Control Mechanism – Privilege escalation to global administrator to control all resources. ‘global administrator accounts might not have access to all subscriptions… elevate access option needs to be elevated for the account to have permissions over all resources.’
  • [T1496] Resource Hijacking – Subscription hijacking to hide activity and repurpose resources. ‘Subscription hijacking is an evasion technique that allows the threat actor to hide some of their activities from the tenant administrator and security teams.’
  • [T1059.006] Python – Use of Python for operations. ‘One group of activity tracked by Microsoft Threat Intelligence used Python requests and the default user agent (python-requests/2.26.0) for all operations.’

Indicators of Compromise

  • [Domain] Mining pools involved in attacks – nanopool.org, nicehash.com, supportxmr.com, hashvault.pro, zpool.ca, herominers.com, f2pool.com, minexmr.com, moneroocean.stream, miner.rocks
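The detection keypoint above names quota and deployment monitoring, the T1059.006 entry names the `python-requests/2.26.0` default user agent, and the IoC list names the mining pool domains. The following added example (not code from the Microsoft post) turns those three page-supplied indicators into a small detection pass over constructed tenant activity records and DNS log lines. The record field names (`caller`, `operation`, `userAgent`), the DNS line layout, the deployment-burst threshold, and the compute operation name fragments are all assumptions made for the example, not fields or values taken from the page.

```python
"""Flag cryptojacking indicators in constructed activity and DNS logs.

Three signals, all taken from the page: the python-requests default user
agent, bursts of compute deployments by one caller, and DNS lookups for
the listed mining pool domains (including their subdomains).
"""
import re
from collections import Counter

# Mining pool domains from the page's Indicators of Compromise section.
MINING_POOL_DOMAINS = frozenset({
    "nanopool.org", "nicehash.com", "supportxmr.com", "hashvault.pro",
    "zpool.ca", "herominers.com", "f2pool.com", "minexmr.com",
    "moneroocean.stream", "miner.rocks",
})

# User agent the page attributes to one tracked activity cluster.
DEFAULT_PYTHON_REQUESTS_UA = "python-requests/2.26.0"

# Operation name fragments for the compute services the page says are used
# (VM scale sets, Azure Batch, Container Instances, Azure ML compute).
# Assumed to follow Azure resource provider naming; not taken from the page.
COMPUTE_DEPLOY_KEYWORDS = (
    "virtualMachineScaleSets", "batchAccounts", "containerGroups", "computes",
)

# Assumed threshold: this many compute write operations by one caller in the
# reviewed window is treated as a deployment burst worth a closer look.
DEPLOY_BURST_THRESHOLD = 3


def host_is_mining_pool(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed pool domain.

    Requires a label boundary so that e.g. 'notnanopool.org' is not a hit.
    """
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MINING_POOL_DOMAINS)


def flag_activity(records):
    """Return (reason, record) findings for a list of activity dicts."""
    findings = []
    deploys = Counter()
    for rec in records:
        if rec.get("userAgent") == DEFAULT_PYTHON_REQUESTS_UA:
            findings.append(("default python-requests user agent", rec))
        op = rec.get("operation", "")
        if op.endswith("/write") and any(k in op for k in COMPUTE_DEPLOY_KEYWORDS):
            deploys[rec.get("caller", "<unknown>")] += 1
    for caller, count in deploys.items():
        if count >= DEPLOY_BURST_THRESHOLD:
            findings.append((f"{count} compute deployments by {caller}",
                             {"caller": caller}))
    return findings


# Constructed DNS log layout: "<timestamp> <client-ip> <queried-name>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def flag_dns(lines):
    """Return (client_ip, queried_name) pairs that resolve a listed pool."""
    hits = []
    for line in lines:
        match = DNS_LINE.match(line.strip())
        if match and host_is_mining_pool(match["qname"]):
            hits.append((match["client"], match["qname"].lower().rstrip(".")))
    return hits


# Constructed sample data for the example; not real tenant logs.
SAMPLE_ACTIVITY = [
    {"caller": "svc-deploy@contoso.example", "userAgent": DEFAULT_PYTHON_REQUESTS_UA,
     "operation": "Microsoft.Compute/virtualMachineScaleSets/write"},
    {"caller": "svc-deploy@contoso.example", "userAgent": DEFAULT_PYTHON_REQUESTS_UA,
     "operation": "Microsoft.Compute/virtualMachineScaleSets/write"},
    {"caller": "svc-deploy@contoso.example", "userAgent": DEFAULT_PYTHON_REQUESTS_UA,
     "operation": "Microsoft.Batch/batchAccounts/write"},
    {"caller": "alice@contoso.example", "userAgent": "Mozilla/5.0 (browser)",
     "operation": "Microsoft.Compute/virtualMachines/read"},
]

SAMPLE_DNS = [
    "2023-07-25T10:00:01Z 10.0.0.4 xmr-eu1.nanopool.org.",
    "2023-07-25T10:00:02Z 10.0.0.4 login.microsoftonline.com.",
    "2023-07-25T10:00:03Z 10.0.0.5 pool.hashvault.pro",
    "2023-07-25T10:00:04Z 10.0.0.6 notnanopool.org",
]

if __name__ == "__main__":
    for reason, rec in flag_activity(SAMPLE_ACTIVITY):
        print("ACTIVITY:", reason, rec.get("caller"))
    for client, name in flag_dns(SAMPLE_DNS):
        print("DNS:", client, "->", name)
```

The domain check deliberately demands a label boundary rather than a substring match, so a lookalike such as `notnanopool.org` is not reported while a pool subdomain is. In a real deployment the burst threshold and the operation name filter would be tuned to the tenant's normal automation, and a user-agent hit on its own should be read as a lead to correlate with sign-in risk and quota changes, not as a verdict.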

Read more: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/