As technology rapidly evolves, so do the threats that target it. Among these is cryptojacking. It involves utilizing computing power to mine cryptocurrency, a process that can lead to huge financial losses for targeted organizations.
To perform it, threat actors exploit compromised credentials through various means, highlighting the need to implement common best practices like credential hygiene and cloud hardening.
Microsoft Security recommends adopting the following practices to prevent cloud cryptojacking:
Multi-Factor Authentication
Tenant administrators should ensure that MFA is in use comprehensively across all accounts. This is especially important if the account has virtual machine contributor privileges. Users should also be discouraged from reusing passwords across services.
Risk-based sign-in behaviors and conditional access policies
Monitoring risky user alerts and tuning detections that take advantage of security information help prevent these attacks. Risk-based conditional access policies can be designed to require multifactor reauthentication, enforce device compliance, force the user to update their password, or outright block the authentication. In many cases, policies such as these can be disruptive enough to provide security teams with enough time and signal to respond or alert the legitimate user to an issue before the resource abuse begins.
Separation of privileged roles
In most resource abuse cases that Microsoft Incident Response has investigated, the initially compromised user is over privileged in some way. Thus, it is good practice to limit the number of accounts that have the virtual machine contributor role. In addition, accounts with this role should be protected by MFA and Conditional Access where possible.
By remaining vigilant and staying one step ahead, technology professionals can thwart cryptojacking attempts and ensure a secure cloud ecosystem for all users.
