Why bother installing CPU-mining malware on thousands of machines, when you can just break into someone's Amazon cloud computing account and create a well-managed datacentre instead?
This week, a software developer discovered someone had done just that, and made off with a pile of litecoins on his dime.
Melbourne-based programmer Luke Chadwick got a nasty shock after receiving an email from Amazon. The firm told him that his Amazon Key (a security credential used to log on to Amazon Web Services) had been found on one of his Github repositories.
Github is an online version control system used for collaborative software development. It works using a central repository holding the source code for a software project.
The source code reaches the site when the author "pushes" the directory containing it to Github, replicating the entire thing by creating a repository there.
When the author chooses to make that repository public, other software developers can "fork" it, producing a copy of the repository for their own use, which is then "cloned", or copied down to their local computers.
Once they have made their own contributions to the project, either by changing or adding new source code, they can synchronize their code with the forked repository, and then ask the original author to "pull" their contributions back into the original repository.
Unfortunately, some software developers unwittingly store digital "keys" used to access online services in those directories.
As long as the Github repository is private, no one else can see them. But as soon as they make it public, the directory becomes searchable, and others can fork the repository, accessing the keys.
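The point above, that a key committed to a directory becomes searchable the moment the repository goes public, suggests a simple defensive check before pushing. What follows is an added example written for this page, not code from the article or from Chadwick: a scanner that walks a checkout and flags AWS-style access key IDs and secret keys. The key formats it matches (an ID of "AKIA" plus 16 characters, and a 40-character secret sitting next to a name containing "secret") are assumptions made here, and the sample checkout it builds is constructed, using the placeholder-style values that appear in AWS documentation rather than any real credential.

```python
"""Added example (not from the article): a pre-push scanner that looks for
AWS-style credentials in a working directory before a repository is made public.

Assumptions (hypothetical, not from the article): access key IDs look like
"AKIA" followed by 16 upper-case letters or digits, and a 40-character secret
sits next to a key name containing "secret". The sample files below are
constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# Access key IDs are 20 characters beginning with "AKIA" (assumed format).
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A secret access key is 40 base64-like characters; only flag it when the
# same line also names a secret, to keep false positives down.
SECRET_RE = re.compile(
    r"(?i)(aws)?_?secret(_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Directories a pre-push hook would not scan (vendored code, git metadata).
SKIP_DIRS = {".git", "node_modules", "venv"}


def find_exposed_keys(text, source="<string>"):
    """Return (source, line_number, kind) tuples for every credential-looking line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            hits.append((source, lineno, "aws_access_key_id"))
        if SECRET_RE.search(line):
            hits.append((source, lineno, "aws_secret_access_key"))
    return hits


def scan_tree(root):
    """Walk a checkout the way a pre-push hook would and scan each text file."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file; a secret scanner skips these
        hits.extend(find_exposed_keys(text, str(path.relative_to(root))))
    return hits


def build_sample_tree():
    """Create a constructed, throwaway checkout with one leaked credentials file.

    The key values are the placeholder-style examples used in AWS documentation,
    not real credentials.
    """
    root = Path(tempfile.mkdtemp(prefix="keyscan-"))
    (root / "config").mkdir()
    (root / "config" / "aws.ini").write_text(
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    )
    (root / "README.md").write_text("# demo project\nNothing sensitive here.\n")
    (root / ".git").mkdir()
    # Inside .git, so the scanner ignores it even though it matches the pattern.
    (root / ".git" / "config").write_text("token = AKIAIOSFODNN7EXAMPLE\n")
    return root


if __name__ == "__main__":
    for src, lineno, kind in scan_tree(build_sample_tree()):
        print(f"{src}:{lineno}: {kind} found; move it out of the repository before pushing")
```

Run stand-alone, the script reports the two credential lines in `config/aws.ini` and nothing else. Hooked into a pre-push step, a non-empty result is the signal to stop the push, move the credential into an ignored file or environment variable, and rotate it, since a key that has been committed once survives in history even after the file is deleted.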
This has happened on Github before with SSH (Secure Shell) keys, a type of digital credential that can grant attackers access to a software developer's own computer. And it also happened to Chadwick. He said:
"The problem was the same (embedded in GitHub repositories), but this is different to the SSH keys, which could only be used to connect to an existing instance."
"These keys were for the Amazon's API and could be used to create new machines." That's what the attacker did.
After getting word of the key being found in his repository, Chadwick logged in and found a bill for $3,420. The unauthorized user had created 20 Amazon virtual machines. All in all, they had used up 1,427 "instance hours", meaning that they were probably at it for just under three days.
Chadwick wanted to save the virtual machine instances for forensic purposes, but couldn't afford to leave them running while waiting for Amazon support, so he killed them.
However, just before he did, he attached the storage volume from one to his own virtual machine instance. He found that the unauthorized user had been mining litecoins with the stolen CPU cycles.
In terms of computing performance, the attacker had made effective use of the stolen account, creating a virtual machine in the "compute-optimized" class. The cc2.8xlarge instance that they chose has a 64-bit processor with 32 virtual CPUs, and 88 "EC2 Compute Units".
Litecoin uses a proof of work mechanism called scrypt, which is designed to be CPU-friendly and resistant to GPUs and ASICs. This makes a high-performance EC2 instance perfect for the job, because raw CPU power is what it's good at.
Others who have set up legitimate scrypt mining instances on EC2 (albeit mining YaCoin not litecoin, and in a different type of scrypt) claim to have seen 750 Khashes/sec in performance per instance. The attacker's 20 machines would therefore have been mining at around 15 Mhashes/sec when running together.
Analysing the volume that he mounted on his own virtual machine, Chadwick found that the attacker had used the litecoin mining pool pool-x.eu for the coins. At 1.156GH/sec, this pool represents around 1.1% of the entire litecoin hash rate, suggesting that while mining, the attacker could have accounted for around 1% of the pool's overall hash rate.
The pool's administrator, mailing from a vacation in Thailand, preferred not to give his name, but goes by the handle "g2x3k". He apologized for not picking up on Chadwick's email. He thinks CPU cycle theft happens a lot in the litecoin mining space.
"Usually I close accounts on request," he said, adding that he has banned IP addresses on request before. "Even if I shut them out they can still setup [a] pool or solo mine with those resources.
"I have a list of Amazon IPs already banned, since it was used at the beginning of litecoin to mine more than I thought was a fair share," he continued.
Let's hope for the attacker's sake that they sold early (or for the sake of justice, that they didn't). Chadwick found out about the instances and shut them down on Monday 16th December, which was the same day that the price of litecoin started crashing.
If the cloud thief wasn't selling their coins as they went, then they could have lost a healthy profit.
Chadwick doesn't believe that it would be very easy to track down the attacker. "While I'm sure that Amazon has some records (as does the pool), I would expect the person to be using Tor," he said.
In the meantime, Amazon has stepped up and refunded Chadwick his money.