Wiz

Proof of storage crypto miners

We explore “proof-of-storage" cryptocurrencies like Chia, the potential for proof-of-storage cryptojacking attacks, and steps defenders can take to detect them.

6 minutes read
Scott Piper

A 2021 report from Google’s Cybersecurity Action Team mentioned that in 50 compromised Google Cloud instances they had investigated, 86% were used for cryptocurrency mining. It mentioned a lesser-known cryptocurrency they had seen, named Chia. The concept of using compromised resources for cryptocurrency mining is referred to as cryptojacking. There are a lot of different cryptocurrencies, such as Bitcoin, Ethereum, and Monero. These use the CPU or GPU of the machines in what is known as “proof-of-work." This post will explore an alternative cryptocurrency group known as “proof-of-storage", which uses large amounts of storage space instead of compute. Chia is one such cryptocurrency, and one that we’ve detected in customer cloud environments. 

What are proof-of-storage cryptocurrencies, and which are likely to be used in cryptojacking? 

Before I begin, I want to warn cryptocurrency enthusiasts that this post is going to grossly oversimplify a lot of things.  It will also use pricing and stats from the time when it was written. 
 
The total global value for all cryptocurrencies of any type is about $2T, with Bitcoin making up nearly half of that. The market cap for all proof-of-storage coins is less than 1% of that, with Filecoin at $3.8B, Chia at $300M, Signum at $3M, and Arweave, Storj, and Siacoin all under $1M. Some of these coins are referred to as “proof-of-space-time," “proof-of-capacity," and other terms, but for our interests, we’ll use “proof-of-storage" as a generic term for coins that make use of large amounts of storage space (ex. hard drive space). 

Bitcoin was the first cryptocurrency and was launched in 2009. The first proof-of-storage coin was Signum (formerly known as burstcoin) in 2014, with Filecoin released that same year. Chia was created in 2021 by the author of the BitTorrent protocol. 

Many of the proof-of-storage coins are used to store actual data for others. These function like a distributed file storage service. One group (the miners) makes their hard drive space available for others to use, who then pay for that service. Filecoin works like this and has 28 EB of storage space available, of which 2 EB are in use. One EB (Exabyte) is one thousand PB (Petabytes) or one million TB (Terabytes).   

In order to ensure data resiliency, the miners must pay an amount upfront as collateral, and then are fined if they don’t respond to data requests in a timely manner. This helps ensure the miners are really storing the data and making it accessible. The minimum amount of storage miners must make available in Filecoin is about 11 TB, which requires a collateral payment of about $500. Enthusiasts for this cryptocurrency are cringing at how much I have glossed over, but the point is that you need to front some money to begin mining, and that there are penalties if you lose data or otherwise are not able to respond in a timely manner to requests. For this reason, I believe Filecoin and similar coins have not been used for cryptojacking. Cryptojackers have less control over the durability of the resources they steal, and so would be more likely to pay the penalties — therefore this seems like it would be less compelling to them. 

Chia differs from many of the proof-of-storage coins in that it does not store useful data, and therefore there is no collateral money paid up front. If a miner loses the data they were expected to have stored, or they do not respond to requests about it in a timely manner, then they will simply lose the chance to make money. This makes Chia more useful for cryptojackers who may lose access to “their” miners at any time as they are discovered and remediated. 

Interest in different cryptocurrencies ebbs and flows with their prices and difficulty of profiting from mining. Chia’s price has reduced dramatically from around $1500 in 2021, down to around $33 today, which has reduced some of the interest in this cryptocurrency. However, it still seems to be the most compelling proof-of-storage coin for cryptojackers due to there not being a need to pay money upfront. 

Chia mining in the cloud 

Cryptocurrency mining of any sort tends to not be cost effective in cloud environments, and cloud providers ban cryptocurrency mining on their platforms. However, cryptojackers don’t worry about cost effectiveness (because they won’t be paying the bill) or terms of service violations.  

Proof-of-work mining can abuse any sort of compute, such as EC2 instances, containers, or Lambda. Similarly, proof-of-storage could abuse any sort of storage. Therefore, someone could use multiple, massive EBS volumes, or they could use S3, along with many of the other storage options. We’ve seen one tutorial (that was removed) that showed how to mount an S3 bucket as a local filesystem on an EC2 instance and perform mining like that.  

Chia generates files that are 108GB in size. Storing that much data in S3 will result in storage charges of $2.48/mo, in addition to access charges. The estimated earnings from that are $0.03/mo, meaning someone would be losing money by doing this. This is a very bad investment when you have to pay for that cloud bill, but cryptojackers are relying on someone else to pay it. This also may not seem like much money, but keep in mind that this can be scaled dramatically. The cryptojacker might make an impressive $27K/mo by using 110 PB, which will result in a cloud bill of $2.5M/mo, or they could scale that up or down even further. At some point, they would likely disrupt the coin's price by becoming the largest miner, but currently this coin uses 33 EB of storage space across all miners. 

Any sort of storage can be used for this, so one shouldn’t simply watch their S3 bill. As an interesting aside, we found some discussion online of people trying to use Filecoin storage to mine Chia as a way of arbitraging one coin against another. This is not cost effective, however. 

The dangers of proof-of-storage cryptojacking 

There has been a lot of attention paid to the threats of abusing compute for cryptocurrency mining, but much less to abusing storage. One online storage company capped the amount of storage that could be used in their “unlimited tier” in 2023 where they specifically mentioned Chia mining as one of the reasons for that change. As unlimited storage plans have been terminated on other platforms, we wonder if Chia mining was also a reason there. 

Proof-of-storage cryptojacking presents some unique concerns: 

  • When cryptojacking is used against compute resources, there are a number of service quotas on AWS that an attacker is likely to bump into that require them to request limit increases. A common service limit people reach is the maximum of 20 EC2s per region before they need to request an increase from AWS. An S3 bucket does not have similar quotas. Although there are limits on the number of buckets someone can create, there are no limits on the amount of data someone can put into a single S3 bucket. On Azure, there is a limit of 250 storage accounts that can be created per subscription per region, with a 5PB limit per storage account. With roughly 60 regions in Azure, this means an account can use 7.5 EB. GCP doesn’t appear to have storage limits. 

  • When AWS EC2 instances or other compute resources are created, there are CloudTrail events which makes proof-of-work cryptojacking easier to identify and remediate. By default, CloudTrail does not record data level events for S3, and some types of data activity do not have any audit logs. The creation of an S3 bucket or other types of data storage resources will create CloudTrail events, but use of an existing resource may not be logged. 

Detection 

Detection can be done in the following ways: 

  • Cloud users should monitor their costs for any unexpected increases.  

  • The binaries used for cryptocurrency mining can be detected via static or runtime detection based on their hashes or content. Chia is an open-source project, and makes the binaries available for download as releases in their Github repo: https://github.com/Chia-Network/chia-blockchain/releases.  There are also related projects: chiapos, madmax, and bladebit. The large 108GB storage files start with the string “Proof of Space Plot“.

  • Port 8447 (TCP) needs to be open on each miner, so identification of that port being accessible may indicate it is being used for Chia mining. 

  • Network lookups to subdomains of chia.net indicate use of this crypto miner. 

  • Any indications of a compromised user or resources should be investigated. 

  • Wiz customers can use our built-in detections for Chia miners, and check for any workload with port 8447 open

Conclusion 

The use of storage space for cryptomining presents some interesting challenges for defenders, but many of the concepts and defenses against proof-of-work cryptomining carry over. Proof-of-storage cryptojacking is not nearly as popular as proof-of-work, but it is something defenders should be aware of. 

Tags
#Research#Security

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo