Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cryptojacking in cloud environments: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Cryptojacking steals CPU, GPU, and cloud compute from infected browsers, endpoints, and cloud accounts, and attackers often reach exposed AWS credentials in just 17 minutes, according to Entro Security's analysis. The threat shows that visibility, least privilege, and anomaly detection matter as much for cost control as for security.

NHIMG editorial — based on content published by DigiCert: What is Cryptojacking?

By the numbers:

Questions worth separating out

Q: How should security teams stop cryptojacking in cloud environments?

A: Security teams should restrict who can create and scale compute, monitor for unexpected API activity, and revoke exposed secrets immediately.

Q: Why do exposed cloud credentials create such a fast cryptojacking risk?

A: Exposed cloud credentials give attackers a legitimate entry point, so they do not need to break in before they start using compute.

Q: What breaks when cloud permissions are broader than the workload needs?

A: Broad cloud permissions allow an attacker to provision miners, expand instances, and hide cost growth inside normal administration activity.

Practitioner guidance

  • Tighten cloud role scope Review whether service roles can create, resize, or persist compute beyond their operational need.
  • Harden secrets discovery and revocation Continuously scan for exposed API keys, tokens, and certificates across code repositories, logs, and build output.
  • Correlate identity, cost, and workload telemetry Alert on abnormal API activity, unexpected instance growth, and unexplained spend spikes in the same time window.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Browser-level mitigation options, including ad-blocking and anti-tracking controls for malicious JavaScript.
  • Step-by-step guidance for detecting abnormal CPU usage and mining-like processes on endpoints and servers.
  • Cloud posture measures such as CSPM checks, least-privilege access design, and monitoring for unexplained resource spikes.
  • Network-side monitoring patterns for connections to mining pools and command-and-control infrastructure.

👉 Read DigiCert's blog on what cryptojacking is and how it works →

Cryptojacking in cloud environments: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Cryptojacking is an identity abuse problem before it is a malware problem. The article’s cloud examples show that the mining workload is only the end state. The real failure is access that is broad enough, exposed enough, or poorly monitored enough for an attacker to turn legitimate compute into a revenue stream. For IAM and cloud teams, the question is not just whether the miner can be detected, but why the identity path made resource theft possible in the first place.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when cryptojacking starts from exposed secrets?

A: Accountability usually spans the team that owns secret storage, the platform owner that granted the permissions, and the security function that failed to detect exposure. The practical lesson is that cryptojacking is a governance issue as much as a technical one. Teams need clear ownership for secret hygiene, access scope, and anomaly response.

👉 Read our full editorial: Cryptojacking exposes cloud and browser resource theft risks



   
ReplyQuote
Share: