Why bother installing CPU-mining malware on thousands of machines, when you can just break into someone’s Amazon cloud computing account and create a well-managed datacentre instead?
This week, a software developer discovered someone had done just that, and made off with a pile of litecoins on his dime.
Melbourne-based programmer Luke Chadwick got a nasty shock after receiving an email from Amazon. The firm told him that his Amazon Key (a security credential used to log on to Amazon Web Services) had been found on one of his Github repositories.
Github is an online version control system used for collaborative software development. It works using a central repository holding the source code for a software project.
The source code reaches the site when the author ‘pushes’ the directory containing it to Github, replicating the entire thing by creating a repository there.
When the author chooses to make that repository public, other software developers can ‘fork’ it, producing a copy of the repository for their own use, which is then ‘cloned’, or copied down to their local computers.
Once they have made their own contributions to the project, either by changing or adding new source code, they can synchronize their code with the forked repository, and then ask the original author to ‘pull’ their contributions back into the original repository.
Unfortunately, some software developers unwittingly store digital ‘keys’ used to access online services in those directories.
As long as the Github repository is private, no one else can see them. But as soon as they make it public, the directory becomes searchable, and others can fork the repository, accessing the keys.
This has happened on Github before with a type of digital certificate called SSH (Secure Shell), which can grant attackers access to a software developer’s own computer. And it also happened to Chadwick. He said:
“The problem was the same (embedded in GitHub repositories), but this is different to the SSH keys, which could only be used to connect to an existing instance.”
“These keys were for the Amazon’s API and could be used to create new machines.” That’s what the attacker did.
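A check that would catch the mistake described above before a repository is made public, as an added example (not code from the article or from Chadwick): it scans a working tree for strings shaped like AWS access key IDs and secret access keys. The key formats, file names and sample tree are assumptions made for the example; the sample key pair is the placeholder used in AWS documentation.

```python
import re
import tempfile
from pathlib import Path

# Long-term AWS access key IDs are 20 characters and begin with "AKIA".
KEY_ID = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters with no fixed prefix, so
# they are reported only on lines that also mention "secret" or "aws".
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
HINT = re.compile(r"secret|aws", re.IGNORECASE)
HEX40 = re.compile(r"[0-9a-fA-F]{40}")  # git commit IDs look like this

def scan_text(text):
    """Return (line_number, kind) for each suspected credential in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if KEY_ID.search(line):
            hits.append((n, "access_key_id"))
        if HINT.search(line):
            for token in SECRET.findall(line):
                if not HEX40.fullmatch(token):
                    hits.append((n, "secret_access_key"))
    return hits

def scan_tree(root):
    """Scan every file under root, skipping the .git directory."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if ".git" not in rel.parts:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings += [(rel.as_posix(), n, k) for n, k in scan_text(text)]
    return findings

def demo():
    """Build a constructed working tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "config")
        cfg.mkdir()
        # The key pair below is the placeholder from AWS documentation.
        (cfg / "aws.yml").write_text(
            "region: us-east-1\n"
            "access_key_id: AKIAIOSFODNN7EXAMPLE\n"
            "secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        )
        Path(tmp, "NOTES.md").write_text("aws rev 3f786850e387550fdab836ed7e6dc881de23001b\n")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

The scan covers only the current working tree; a key that was committed and later deleted is still in the repository history and has to be rotated.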
1,427 instance hours
After getting word of the key being found in his repository, Chadwick logged in and found a bill for $3,420. The unauthorized user had created 20 Amazon virtual machines. All in all, they had used up 1,427 ‘instance hours’, meaning that they were very likely at it for just under three days.
Chadwick wanted to save the virtual machine instances for forensic purposes, but couldn’t afford to leave them running while waiting for Amazon support, so he killed them.
However, just before he did, he attached the storage volume from one to his own virtual machine instance. He found that the unauthorized user had been mining litecoins with the stolen CPU cycles.
In terms of computing performance, the attacker had made effective use of the stolen account, creating a virtual machine in the ‘compute-optimized’ class. The cc2.8xlarge instance that they chose has a 64-bit processor with 32 virtual CPUs, and 88 ‘EC2 Compute Units’.
Litecoin uses a proof of work mechanism called scrypt, which is designed to be CPU-friendly and resistant to GPUs and ASICs. This makes a high-performance EC2 instance perfect for the job, because raw CPU power is what it’s good at.
Others who have set up legitimate scrypt mining instances on EC2 (albeit mining YaCoin not litecoin – and in a different type of scrypt) claim to have seen 750 Khashes/sec in performance per instance. The attacker’s 20 machines would therefore have been mining at around 15 Mhashes/sec when running together.
Analysing the volume that he mounted on his own virtual machine, Chadwick found that the attacker had used the litecoin mining pool pool-x.eu for the coins. At 1.156GH/sec, this pool represents around 1.1% of the entire litecoin hash rate, suggesting that while mining, the attacker could have accounted for around 1% of the pool’s overall hash rate.
Out the pool
The pool’s administrator, mailing from a vacation in Thailand, preferred not to give his name, but goes by the handle ‘g2x3k’. He apologized for not picking up on Chadwick’s email. He thinks CPU cycle theft happens a lot in the litecoin mining space.
“Usually I close accounts on request,” he said, adding that he has banned IP addresses on request before. “Even if I shut them out they can still setup [a] pool or solo mine with those resources.
“I have a list of Amazon IPs already banned, since it was used at the beginning of litecoin to mine more than I thought was a fair share,” he continued.
Let’s hope for the attacker’s sake that they sold early (or for the sake of justice, that they didn’t). Chadwick found out about the instances and shut them down on Monday 16th December, which was the same day that the price of litecoin started crashing.
If the cloud thief wasn’t selling their coins as they went, then they could have lost a healthy profit.
Chadwick doesn’t believe that it would be very easy to track down the attacker. “While I’m sure that Amazon has some records (as does the pool), I would expect the person to be using Tor,” he said.
In the meantime, Amazon has stepped up and refunded Chadwick his money.
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a rigorous set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.