We explore "proof-of-storage" cryptocurrencies like Chia, the potential for proof-of-storage cryptojacking attacks, and the steps defenders can take to detect them.
Analysis Summary
# Tool/Technique: Chia Cryptojacking
## Overview
The document discusses cryptojacking, focusing on "proof-of-storage" cryptocurrencies such as Chia, which consume large amounts of disk space for mining rather than the CPU/GPU computation used by proof-of-work coins such as Bitcoin or Ethereum. Attackers mine Chia on compromised cloud instances so that the storage and compute charges from the cloud provider fall on the victim rather than on themselves.
## Technical Details
- Type: Malware/Technique (Cryptojacking leveraged via Proof-of-Storage)
- Platform: Cloud Environments (AWS EC2, S3, GCP, general compute/storage resources)
- Capabilities: Utilizing a victim's allocated storage resources (like EBS volumes or S3 buckets) to generate Chia cryptocurrency plots.
- First Seen: Chia launched in 2021; the attacks discussed were observed in 2021.
## MITRE ATT&CK Mapping
This activity primarily maps to resource abuse:
- TA0008 - Lateral Movement (less direct; relevant only where the attacker spreads across resources to expand mining capacity)
- TA0011 - Command and Control (C2 communication for mining operations)
- TA0016 - Resource Hijacking
- T1496 - Resource Hijacking
- T1496.002 - Cloud Instance
- T1496.003 - Storage
## Functionality
### Core Capabilities
- Leveraging cloud storage (e.g., mounting S3 buckets as filesystems) for proof-of-storage mining.
- Generating Chia 'plots', which are large files (108GB each) required for mining.
- Exploiting the lack of upfront collateral requirements in Chia mining, making it attractive to cryptojackers who face little consequence if discovered and disabled.
### Advanced Features
- Exploiting the potentially lower auditability of data-level activities (like S3 usage) compared to compute resource creation (e.g., AWS CloudTrail default configuration missing S3 data events).
- Scaling attacks across numerous compromised cloud resources (e.g., utilizing large EBS volumes or S3 capacity).
## Indicators of Compromise
- File Hashes: not listed explicitly; hashes of the mining binaries can be derived from the open-source projects involved (chia-blockchain, chiapos, madmax, bladebit).
- File Names: Chia plot files begin with the string "Proof of Space Plot" and are about 108GB each.
- Registry Keys: none listed (not applicable).
- Network Indicators: Network lookups to subdomains of `chia[.]net`.
- Behavioral Indicators: Port 8447 (TCP) being open on miner systems. Unexpected sharp increases in cloud storage or compute costs.
## Associated Threat Actors
- Unspecified cryptojacking groups targeting cloud environments; the analysis treats this as a general threat across platforms rather than attributing it to a specific actor.
## Detection Methods
- Static/runtime detection of known cryptocurrency mining binaries (e.g., the chia-blockchain client, chiapos, madmax, bladebit).
- Monitoring system costs for unexpected spikes.
- Identifying processes creating or interacting heavily with very large storage files (108GB starting with "Proof of Space Plot").
- Detecting network communication to `chia[.]net`.
- Signature detection for the open port 8447 (TCP).
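The two host-level indicators above (a file whose contents begin with "Proof of Space Plot", and a TCP listener on 8447) can be checked with a short hunt script. The following is an added example for this summary; it is not code from the report or from the Chia project. It assumes the plot header string and port number exactly as the report gives them, and the `ss -ltn` output it parses in `demo()` is constructed, not captured from a real host.

```python
"""Host-side hunt for Chia plotting artefacts.

Added example for this summary; it is not code from the report or from the
Chia project.  It uses the two host indicators the report names: plot files
whose contents begin with "Proof of Space Plot", and a TCP listener on 8447.
"""
import os
import re
import shutil
import subprocess
import sys
import tempfile

PLOT_MAGIC = b"Proof of Space Plot"  # header string given in the report
CHIA_PORT = 8447                      # TCP port given in the report

# Matches one LISTEN row of `ss -ltn` and captures the local port.  The
# local address may be 0.0.0.0, *, or [::], so we anchor on the last ":digits".
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.MULTILINE)


def is_chia_plot(path):
    """True if the file's first bytes are the Chia plot header string."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(PLOT_MAGIC)) == PLOT_MAGIC
    except OSError:
        return False


def scan_directory(root):
    """Walk root and return one record per regular file carrying the plot header."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_chia_plot(path):
                hits.append({"path": path, "size": os.path.getsize(path)})
    return hits


def listening_ports(ss_output):
    """Parse `ss -ltn` text into the set of locally bound TCP ports."""
    return {int(m.group(2)) for m in LISTEN_RE.finditer(ss_output)}


def chia_port_open(ss_output):
    """True if 8447/tcp (the port named in the report) is listening."""
    return CHIA_PORT in listening_ports(ss_output)


# Constructed `ss -ltn` output for the demo; not captured from a real host.
SAMPLE_SS = """State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN 0       128     0.0.0.0:22          0.0.0.0:*
LISTEN 0       4096    *:8447              *:*
LISTEN 0       128     [::]:22             [::]:*
"""


def demo():
    """Build a throwaway tree with one fake plot and one benign file, then scan it."""
    root = tempfile.mkdtemp(prefix="plot-hunt-")
    try:
        with open(os.path.join(root, "plot-k32-constructed.plot"), "wb") as fh:
            fh.write(PLOT_MAGIC + b"\x00" * 64)  # header only; real plots are ~108GB
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        return [os.path.basename(h["path"]) for h in scan_directory(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python plot_hunt.py /mnt/data   (defaults to the whole filesystem)
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"plot header found: {hit['path']} ({hit['size'] / 1e9:.1f} GB)")
    try:
        ss = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=False).stdout
        print("8447/tcp listening:", chia_port_open(ss))
    except FileNotFoundError:
        print("ss not available; skipping port check")
```

Reading only the first 19 bytes of each file keeps the walk cheap even on multi-terabyte volumes, and matching on the header rather than on size means plots still being written by a plotter are caught before they reach full size.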
## Mitigation Strategies
- Cloud users should rigorously monitor billing and cost reports for abnormal increases.
- Ensure comprehensive auditing (e.g., CloudTrail data events enabled for S3) to log data-level activity.
- Implement workload monitoring to detect known mining binaries or unusual port listening (8447).
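The auditing gap noted earlier (CloudTrail not recording S3 data events by default) can be checked against a trail's actual configuration rather than assumed. The following is an added example for this summary, not code from the report or from AWS: it takes the JSON that `aws cloudtrail get-event-selectors` returns and answers whether an object upload into a given bucket would be logged. The trail ARN, account id and bucket names in the embedded samples are constructed; the weak (management-events-only) configuration sits beside the corrected one that enables S3 object events for every bucket.

```python
"""Check whether a CloudTrail trail would record S3 object writes.

Added example for this summary, not code from the report or from AWS.  It
inspects the JSON returned by `aws cloudtrail get-event-selectors` (the
"EventSelectors" / "AdvancedEventSelectors" shape) and answers: would a
PutObject of a plot file into a given bucket be logged?  Trail ARN, account
id and bucket names below are constructed for the demo.
"""
import json
import sys

S3_OBJECT = "AWS::S3::Object"
ALL_S3 = "arn:aws:s3"  # CloudTrail value meaning "every bucket in the account"


def _basic_covers(selector, object_arn):
    """Classic event selector: DataResources with Type AWS::S3::Object."""
    if selector.get("ReadWriteType", "All") == "ReadOnly":
        return False  # writes (uploads of plot files) would be dropped
    for res in selector.get("DataResources", []):
        if res.get("Type") != S3_OBJECT:
            continue
        for value in res.get("Values", []):
            if value == ALL_S3 or object_arn.startswith(value):
                return True
    return False


def _advanced_covers(selector, object_arn):
    """Advanced event selector: eventCategory Data + resources.type S3 object."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if S3_OBJECT not in fields.get("resources.type", {}).get("Equals", []):
        return False
    if fields.get("readOnly", {}).get("Equals") == ["true"]:
        return False  # read-only data events miss uploads
    arn = fields.get("resources.ARN")
    if arn is None:
        return True  # no ARN filter: every bucket is covered
    if object_arn in arn.get("Equals", []):
        return True
    return any(object_arn.startswith(p) for p in arn.get("StartsWith", []))


def s3_writes_logged(trail, bucket, key="plot-k32-constructed.plot"):
    """True if PutObject s3://bucket/key would appear in this trail."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    basic = trail.get("EventSelectors", [])
    advanced = trail.get("AdvancedEventSelectors", [])
    return any(_basic_covers(s, object_arn) for s in basic) or any(
        _advanced_covers(s, object_arn) for s in advanced)


def audit(trail, buckets):
    """Map each bucket name to whether its object writes are logged."""
    return {b: s3_writes_logged(trail, b) for b in buckets}


TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/constructed"

# Management events only: what a trail created without data events looks
# like, and the gap the report describes.
DEFAULT_TRAIL = {"TrailARN": TRAIL_ARN, "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}

# Corrected: log object-level reads and writes for every bucket.
HARDENED_TRAIL = {"TrailARN": TRAIL_ARN, "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "DataResources": [{"Type": S3_OBJECT, "Values": [ALL_S3]}]}]}

# Advanced selector scoped to one bucket prefix; other buckets stay dark.
SCOPED_TRAIL = {"TrailARN": TRAIL_ARN, "AdvancedEventSelectors": [
    {"Name": "data-bucket writes", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [S3_OBJECT]},
        {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::data-bucket/"]}]}]}


if __name__ == "__main__":
    # Usage: aws cloudtrail get-event-selectors --trail-name NAME | python audit.py bucket1 bucket2
    trail = json.load(sys.stdin)
    for bucket, ok in audit(trail, sys.argv[1:]).items():
        print(f"{bucket}: {'logged' if ok else 'NOT logged'}")
```

The check is per bucket on purpose: a trail that looks healthy because it has an advanced selector may still cover only one prefix, so every bucket that holds large volumes should be passed in explicitly.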
## Related Tools/Techniques
- Proof-of-Work Cryptojacking (e.g., Monero mining using CPU/GPU).
- Related Chia tools mentioned: `chiapos`, `madmax` (chia-plotter), `bladebit`.