Dialogue Series

Cyberthreats, Cryptojacking, and Cloud Security With A Unit 42 Threat Research Expert


The demand for cloud services has increased dramatically following the onset of the COVID-19 pandemic. Many organizations scrambled to accelerate their cloud migration plans to accommodate the sudden shift to remote work. This rapid transition, along with existing poor configurations, permissive behaviors, and lacking policies, has opened the doors for bad actors and unidentified threats to exploit organizations.

My name is Nathaniel ‘Q’ Quist and I am a Threat Researcher at Unit 42 and Prisma Cloud. Unit 42 is a global threat intelligence team that bridges threat intelligence with cloud security products to ensure that customers are protected across their entire security suite. We use our data to help Prisma Cloud provide security and compliance coverage for dynamic and multi-cloud workloads. Our team also creates a semi-annual Unit 42 Cloud Threat Report with the latest cloud threat research to help organizations around the world mature their cloud security.

With modern organizations heavily relying on technology and electronic devices every single day, it’s no secret that cybercrime has quickly become one of the fastest evolving areas of delinquency among businesses worldwide. In this episode of the DevSecTalks series, I sat down with the host of DevSecTalks, Ashley Ward, to take a closer look at my role with Unit 42 and discuss some of our recent cryptojacking and cloud threat research.

What Is Cryptojacking?

To understand cryptojacking, it’s important to first acknowledge crypto mining. An easy way to understand crypto mining is to think of it as printing money, but using digital currency instead of physical materials. Cryptojacking is a malicious form of crypto mining that involves gaining unauthorized access to someone else’s laptops, computers, and mobile devices to mine cryptocurrency.

This type of cyberattack targets a system or device with the intent to utilize its energy and resources for crypto mining. Unlike ransomware, which disables user access to the system, attackers who use cryptojacking often remain undetected to the unsuspecting victim.

Cryptojacking may appear as less of a threat to organizations, but the minimal risk and effort of the attack makes cryptojacking a danger to underlying system vulnerabilities. A system can be easily hijacked with just a few lines of code or a sneaky phishing email. The common warning signs of cryptojacking, such as slow response times, overheating devices, and increased processor usage, are typically the only indicators that the system is compromised and can easily go unnoticed.

The Risks Of Cryptojacking For An Organization

Cryptocurrencies, such as Bitcoin and Monero, have grown in popularity, market value, and accompanying cybercrime. The anonymous nature of cryptocurrency provokes the interest of cybercriminals, resulting in new cyber threats posed to acquire financial gain.

While cryptojacking may seem minuscule compared to other malware, the vindictive act of cryptojacking can cause severe financial and performance consequences for organizations over time. According to The Digiconomist’s Bitcoin Energy Consumption Index, a single Bitcoin transaction takes 1,544 kWh to complete, which equates to approximately 53 days of power for the average U.S. household.

With hundreds of existing cryptocurrencies and unique crypto blockchain features, a cryptojacking incident could easily disrupt critical control systems, or even an organization’s entire network.

If a company device is hijacked, removing the malware is critical to limiting the amount of damage that can be done to the system. Neglected malware will continue to infect the device, continue mining the cryptocurrency, and evolve in threat significance along the way.

The Latest Cryptojacking Trends, According To The Unit 42 Cloud Threat Report

My team at Unit 42 provides threat research to help enhance security protections for products and services that stop advanced cybersecurity attacks. Our 1H 2021 Unit 42 Cloud Threat Report had some interesting findings relating to the COVID-19 pandemic and its correlation with cryptojacking.

Our research shows that crypto mining rates have just now begun to decrease since spiking during the peak of the pandemic. Our global findings state that 23% of organizations with cloud workloads experienced cryptojacking from July 2020 through September 2020, compared to 17% from December 2020 through February 2021. This is the first and only dip in cryptojacking operations that we’ve come across since we started tracking the activity in 2018.

As a Unit 42 Threat Researcher, my job involves digging into threats that are impacting cloud environments from an external perspective. Our research indicates that 30% of organizations expose some form of sensitive content to the internet, allowing virtually anyone to access that data. This type of exposure can be detrimental to organizations because it poses significant risks of unauthorized access, exposure of sensitive information, and potential data breaches.

To mitigate the threat of malware or threat exposure, we strongly encourage organizations to build a cloud security program focused evenly around all phases of the software development lifecycle (SDLC). Doing so allows organizations to create and optimize sustainable cloud security programs that are scalable and have the ability to accommodate unpredictable events that may take place in the future.

Enhancing Cloud Security With Infrastructure as Code (IaC)

Outside of cybercrime, our research at Unit 42 includes navigating the challenges of securing cloud environments to implement effective multi-cloud security strategies. Cloud environments lack hard infrastructure. Because of this, it’s important to determine how to stand up new systems and dynamically scale the cloud to manage the cloud infrastructure. One of the best solutions for this is a process known as Infrastructure as Code.

Infrastructure as code (IaC) refers to the practice of controlling, deploying, and improving cloud infrastructure using declarative templates while leveraging DevOps processes. IaC templates are infrastructure scripts that dynamically build to complete the written requests. When consistently scanned for common security vulnerabilities, IaC templates help to secure cloud infrastructure during its lifecycle—from development through production.

Cybercriminals and attackers actively search for vulnerabilities created through ineffective cloud governance. Utilizing IaC templates is an effective solution to automatically audit cloud environments for signs of weaknesses and misconfigurations. Our research at Unit 42 indicates that scanning IaC templates for common security vulnerabilities is a critical component for effective security monitoring and auditing. To mitigate potential threats and enhance cloud security, IaC templates need to be scanned every single time they are created or updated.

Expand Your Threat Intelligence With Unit 42

Unit 42 threat research spans many different security topics, including cyberattacks, malware, and cloud security. The threat intelligence research team provides valuable insights and actionable recommendations that any organization can implement immediately to begin protecting their cloud environments.

With a deeply rooted reputation for delivering industry-leading threat research, our team offers years of experience analyzing, detecting, and preventing cyberattacks.

Interested in learning more? Download the latest 2022 Unit 42 Ransomware Threat Report.

Did you enjoy this episode of DevSecTalks? Visit our website and tune in to our other sessions to hear from more DevSec industry experts who are building the future of cloud security.