Posted on November 16, 2021 at 6:47 PM
Researchers Discover Hackers Planting Cryptominer Malware On Alibaba Cloud
A recent report reveals that hackers are exploiting Alibaba Elastic Compute Service (ECS) instances to install cryptominer malware.
According to the report, the threat actors are taking advantage of the available server resources for their personal gains.
Alibaba’s cloud services are mostly used in Southeast Asia but still command a global market presence. The ECS comes with a pre-installed security agent that promises low-latency operations and offers protection against malware such as cryptominers.
Based on Trend Micro's research, the malware contains code that creates new firewall rules. These rules drop incoming packets from IP ranges that belong to internal Alibaba regions and zones.
Researchers say that although disabling security software is nothing new, the actors behind this campaign use unusual approaches that reliably produce results.
The Threat Actors Disable Security Agent
Generally, when a threat actor installs cryptojacking malware on an Alibaba ECS instance, the security agent sends the user a notification that a running malicious script has been detected. In this case, however, the agent fails to stop the malicious script despite detecting it. The Trend Micro researchers also noted that the security agent was uninstalled before it could even send an alert about the compromise.
This means the control that was put in place to alert on any sign of malware infiltration is systematically disabled so that the malware has unhindered access.
Once it crosses this security feature, it proceeds with the installation of the off-the-shelf XMRig cryptominer, which is then used to mine Monero.
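The two symptoms described above, firewall rules that cut the instance off from cloud-internal address ranges and a security agent that is no longer running, are cheap to check for from the instance itself. The following script is an added example written for this article, not code from Trend Micro or Alibaba: it scans a saved `iptables -S` dump for inbound DROP rules whose source is one of a list of internal ranges, and checks whether the agent process is present. The two CIDR ranges, the agent process name (`AliYunDun`) and the sample rule dump are assumptions or constructed for the demo; replace them with the values from your own environment.

```shell
#!/bin/sh
# Added example (not from the Trend Micro report or Alibaba): defender-side
# check for (1) iptables DROP rules that blind the instance to cloud-internal
# ranges and (2) a security agent that has been stopped or uninstalled.

# ASSUMPTION: placeholder ranges, not Alibaba's real internal prefixes.
# A freshly provisioned instance should never drop traffic from these.
INTERNAL_RANGES="100.100.0.0/16 11.0.0.0/8"

# ASSUMPTION: process name of the pre-installed security agent.
AGENT_PROCESS="AliYunDun"

# flag_drop_rules FILE: print every "-A INPUT ... -j DROP" rule from a saved
# `iptables -S` dump whose -s source is exactly one of INTERNAL_RANGES.
flag_drop_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*" -j DROP"*) ;;   # only inbound DROP rules matter here
            *) continue ;;
        esac
        src=$(printf '%s\n' "$rule" | awk '{ for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }')
        for r in $INTERNAL_RANGES; do
            if [ "$src" = "$r" ]; then
                printf 'SUSPICIOUS: %s\n' "$rule"
            fi
        done
    done < "$1"
    return 0
}

# count_flagged FILE: number of suspicious rules (always exits 0).
count_flagged() {
    flag_drop_rules "$1" | awk 'END { print NR }'
}

# agent_running: exit 0 if the agent process exists, 1 otherwise.
agent_running() {
    pgrep -x "$AGENT_PROCESS" >/dev/null 2>&1
}

# Constructed sample of `iptables -S` output: two rules of the kind the
# malware adds, plus one ordinary admin block on a public range and one ACCEPT.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 100.100.0.0/16 -j DROP
-A INPUT -s 11.0.0.0/8 -j DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF

echo "== firewall rules =="
flag_drop_rules "$SAMPLE_RULES"          # prints the two internal-range DROPs
echo "flagged: $(count_flagged "$SAMPLE_RULES")"
echo "== security agent =="
if agent_running; then
    echo "agent $AGENT_PROCESS is running"
else
    echo "WARNING: agent $AGENT_PROCESS not found (stopped or uninstalled?)"
fi
```

On a live instance, feed the real ruleset with `iptables -S > rules.txt` and run the check from cron or from your monitoring agent; the public-range DROP in the sample is deliberately not flagged, because an administrator blocking an external network is normal, whereas dropping the provider's internal ranges is not.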
Researchers also noted that the way cloud instances are now configured has made Alibaba a more obvious target. They also pointed out that more threat actors are seeking access to these systems because of a few new features of the service.
They pointed out that ECS gives threat actors root access to compromised systems.
The service lets users set a password directly on the root user of the virtual machine, which makes it easier for threat actors to launch their attacks.
Other cloud services offer a more secure default, according to the researchers. They use different options to keep users' credentials safe, such as authenticating with asymmetric (key-based) cryptography and not allowing Secure Shell (SSH) authentication with a username and password.
Alibaba’s Cloud Service Gives Threat Actors High Privilege
With these security measures, threat actors get only low-privilege access even if they succeed in obtaining credentials. They would then need further steps to escalate beyond those privileges, which keeps them out in most cases.
However, because Alibaba's service allows the user to log in as root over SSH directly by default, it leaves instances considerably less safe.
On an Alibaba ECS instance, a threat actor with an initial-compromise exploit or stolen credentials gains access with the highest possible privileges.
The researchers added that such privileges leave the hacker the room to deploy advanced payloads like kernel rootkits.
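The difference the section draws between the two defaults comes down to two lines in `sshd_config`: whether root may log in over SSH and whether passwords are accepted at all. The script below is an added example, not Alibaba's or Trend Micro's code; it audits an `sshd_config` file for those settings the way OpenSSH reads them (the first uncommented occurrence of a keyword wins, and an absent keyword takes the OpenSSH default). The weak and hardened sample configurations, and the `deploy` user in the hardened one, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Alibaba's or Trend Micro's code): audit sshd_config for
# root-by-password login versus key-only login by a non-root user.

# sshd_effective FILE KEYWORD DEFAULT
# OpenSSH uses the FIRST uncommented occurrence of a keyword; if it is absent
# the compiled-in default applies. Match blocks are ignored for brevity.
sshd_effective() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '%s\n' "$3"
    fi
}

# sshd_findings FILE: one WEAK line per risky setting, nothing when hardened.
sshd_findings() {
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)   # OpenSSH default
    pw=$(sshd_effective "$1" PasswordAuthentication yes)            # OpenSSH default
    case "$root" in
        yes) echo "WEAK: PermitRootLogin yes - a stolen root password gives a root shell" ;;
    esac
    case "$pw" in
        yes) echo "WEAK: PasswordAuthentication yes - guessed or leaked passwords are enough to log in" ;;
    esac
    return 0
}

# sshd_is_hardened FILE: exit 0 when the audit produces no finding.
sshd_is_hardened() {
    [ "$(sshd_findings "$1" | awk 'END { print NR }')" -eq 0 ]
}

WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)

# Constructed: the defaults that let a stolen root password straight in.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed: key-only login for an unprivileged user; root is reached via sudo.
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers deploy
EOF

for f in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $f =="
    sshd_findings "$f"
    if sshd_is_hardened "$f"; then
        echo "OK: root login and password authentication are disabled"
    fi
done
```

Run it against `/etc/ssh/sshd_config` on an instance (as a user that can read the file) and reload sshd after changing the settings; keep an existing session open while you do so, since a mistake in the hardened file locks you out of exactly the access you are trying to protect.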
As a result, more threat actors are now flooding Alibaba Cloud ECS by planting a code snippet on instances. The researchers also noted that Alibaba ECS offers an auto-scaling feature, which automatically expands the available computing resources. This gives cryptominers effectively unlimited resources to plant malware in victims' systems and steal crypto funds.
The Alibaba feature is offered to subscribers for free. However, there are additional charges for the increased resource usage, and by the time the bill reaches the unwitting user or organization, the cryptominer has most probably incurred additional costs. To clear the compromise, the user or subscriber has to remove the infection manually.
Additionally, the researchers noted that the malware is modular. This makes it easier to replace the cryptominer if it is detected: a different payload can be swapped in for the original to keep the hijacking going.
The threat actors can also choose to replace the malicious cryptominer with another one that can guarantee them more profits.
Users Advised To Provide More Layers Of Security
Trend Micro researchers stated that users should practice a shared responsibility model and enable the security layers of projects and workloads accordingly.
They can also protect themselves from threat actors stealing cloud resources by creating a less-privileged user to run applications in each Alibaba ECS instance. Additionally, users should make sure there is more than one layer of vulnerability detection and malware-scanning tools protecting their machines.