Why bother installing CPU-mining malware on thousands of machines, when you can just break into someone’s Amazon cloud computing account and create a well-managed datacentre instead?
This week, a software developer discovered someone had done just that, and made off with a pile of litecoins on his dime.
Melbourne-based programmer Luke Chadwick got a nasty shock after receiving an email from Amazon. The firm told him that his Amazon Key (a security credential used to log on to Amazon Web services) had been found on one of his Github repositories.
Github is an online version control system used for collaborative software development. It works using a central repository holding the source code for a software project.
The source code reaches the site when the author ‘pushes’ the directory containing it to Github, replicating the entire thing by creating a repository there.
When the author chooses to make that repository public, other software developers can ‘fork’ it, producing a copy of the repository for their own use, which is then ‘cloned’, or copied down to their local computers.
Once they have made their own contributions to the project, either by changing or adding new source code, they can synchronize their code with the forked repository, and then ask the original author to ‘pull’ their contributions back into the original repository.
Unfortunately, some software developers unwittingly store digital ‘keys’ used to access online services in those directories.
As long as the Github repository is private, no one else can see them. But as soon as they make it public, the directory becomes searchable, and others can form the repository, accessing the keys.
This has happened on Github before with a type of digital certificate called SSH (Secure Shell), which can grant attackers access to a software developer’s own computer. And it also happened to Chadwick. He said:
“The problem was the same (embedded in GitHub repositories), but this is different to the SSH keys, which could only be used to connect to an existing instance.”
“These keys were for the Amazon’s API and could be used to create new machines.” That’s what the attacker did.
1,427 instance hours
After getting word of the key being found in his repository, Chadwick logged in and found a bill for $3,420. The unauthorized user had created 20 Amazon virtual machines. All in all, they had used up 1,427 ‘instance hours’, meaning that they were probably at it for just under three days.
Chadwick wanted to save the virtual machine instances for forensic purposes, but couldn’t afford to leave them running while playing for Amazon support, so he killed them.
However, just before he did, he attached the storage volume from one to his own virtual machine instance. He found that the unauthorized user had been mining litecoins with the stolen CPU cycles.
In terms of computing performance, the attacker had made effective use of the stolen account, creating a virtual machine in the ‘compute-optimized’ class. The cc2.8xlarge instance that they chose has a 64-bit processor with 32 virtual CPUs, and 88 ‘EC2 Compute Units’.
Litecoin uses a proof of work mechanism called scrypt, which is designed to be CPU-friendly and resistant to GPUs and ASICs. This makes a high-performance EC2 instance perfect for the job, because raw CPU power is what it’s good at.
Others who have set up legitimate scrypt mining instances on EC2 (albeit mining YaCoin not litecoin – and in a different type of scrypt) claim to have seen 750 Khashes/sec in performance per instance. The attacker’s 20 machines would therefore have been mining at around 15 Mhashes/sec when running together.
Analysing the volume that he mounted on his own virtual machine, Chadwick found that the attacker had used the litecoin mining pool pool-x.eu for the coins. At 1.156GH/sec, this pool represents around 1.1% of the entire litecoin hash rate, suggesting that while mining, the attacker could have accounted for around 1% of the pool’s overall hash rate.
Out the pool
The pool’s administrator, mailing from a vacation in Thailand, preferred not to give his name, but goes by the handle ‘g2x3k’. He apologized for not picking up on Chadwick’s email. He thinks CPU cycle theft happens a lot in the litecoin mining space.
“Usually I close accounts on request,” he said, adding that he has banned IP addresses on request before. “Even if I shut them out they can still setup [a] pool or solo mine with those resources.
“I have a list of Amazon IPs already banned, since it was used at the beginning of litecoin to mine more then I thought was a fair share,” he continued.
Let’s hope for the attacker’s sake that they sold early (or for the sake of justice, that they didn’t). Chadwick found out about the instances and shut them down on Monday 16th December, which was the same day that the price of litecoin started crashing.
If the cloud thief wasn’t selling their coins as they went, then they could have lost a healthy profit.
Chadwick doesn’t believe that it would be very easy to track down the attacker. “While I’m sure that Amazon has some records (as does the pool), I would expect the person to be using Tor,” he said.
In the meantime, Amazon has stepped up and refunded Chadwick his money.
Padlock image via Shutterstock