Cryptomining Malware Targets Alibaba ECS Instances
Cryptomining Malware Strikes Again.
Alibaba ECS (Elastic Compute Service) instances have become a target for hackers, who are actively hijacking them to deploy cryptomining malware.
Cryptomining Malware Hijacks Alibaba ECS Instances: Details
Trend Micro researchers published a report on the topic yesterday. According to the experts, the problem seems to lie in the fact that these instances provide root access by default: Alibaba ECS does not configure separate privilege levels. As a result, hackers who manage to obtain login credentials can reach the targeted server directly as root over SSH.
Those elevated privileges also allow the creation of firewall rules. The rules drop incoming packets from the IP ranges of Alibaba's internal servers, which lets the hackers bypass the installed security agent, since it can no longer identify anomalous activity.
The next step hackers can take is to stop the device's security agent with dedicated scripts. The researchers also identified scripts that look for processes on ports commonly used by malware; these are meant to eliminate competition by terminating processes that belong to other, concurrent malware.
The elevated privileges also pave the way for planting kernel-module rootkits and deploying the cryptomining malware.
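A defender-side check for two of the traces just described, written as an added example that is not from the Trend Micro report or from Heimdal: it scans iptables-save output for DROP/REJECT rules that cut the instance off from the provider's internal ranges (the ones the security agent needs to reach) and reads sshd_config for the PermitRootLogin setting. The internal ranges, the sample rules and the function names (find_blinding_rules, root_ssh_allowed, audit) are assumptions; the article does not list Alibaba's actual internal ranges, so RFC 5737 documentation networks stand in for them.

```python
"""Added example (not from the Trend Micro report or Heimdal): audit a
Linux instance for two of the traces described above: firewall rules that
drop traffic to or from the provider's internal address ranges (which blinds
the security agent), and an sshd configuration that still allows root login.
Every range and sample input here is constructed."""
import ipaddress
import re

# Constructed stand-in for the provider's internal/agent ranges (assumption):
# the article does not list Alibaba's real ranges, so RFC 5737 test nets are used.
INTERNAL_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

_RULE_RE = re.compile(r"-A\s+(\S+)\s+(.*?)-j\s+(DROP|REJECT)\b")
_ADDR_RE = re.compile(r"(?:^|\s)-(s|d)\s+(\S+)")


def find_blinding_rules(iptables_save: str, ranges=INTERNAL_RANGES):
    """Return DROP/REJECT rules from `iptables-save` output whose source or
    destination overlaps one of the monitored internal ranges."""
    hits = []
    for line in iptables_save.splitlines():
        m = _RULE_RE.search(line)
        if not m:
            continue
        chain, body, target = m.groups()
        for direction, addr in _ADDR_RE.findall(body):
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # hostnames or ipset names, not CIDRs
            if any(net.overlaps(r) for r in ranges):
                hits.append({
                    "chain": chain,
                    "target": target,
                    "direction": "src" if direction == "s" else "dst",
                    "network": str(net),
                    "rule": line.strip(),
                })
                break  # one finding per rule is enough
    return hits


def root_ssh_allowed(sshd_config: str) -> bool:
    """True unless the first PermitRootLogin directive is "no".
    OpenSSH's default is prohibit-password, which still allows key-based root
    login, so a missing directive counts as allowed. Match blocks are ignored
    (assumption: only the global setting is checked here)."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().strip('"').lower() != "no"
    return True


# Constructed sample iptables-save output: one ACCEPT rule for an internal
# host (benign) and two rules that cut the instance off from the ranges.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.45/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
-A OUTPUT -d 198.51.100.7/32 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Constructed sshd_config fragment that leaves root login open.
SAMPLE_SSHD = "# constructed\nPermitRootLogin yes\nPasswordAuthentication yes\n"


def audit(iptables_save: str = SAMPLE_IPTABLES, sshd_config: str = SAMPLE_SSHD):
    """Combine both checks into one report dict."""
    return {
        "blinding_rules": find_blinding_rules(iptables_save),
        "root_ssh_allowed": root_ssh_allowed(sshd_config),
    }


if __name__ == "__main__":
    import json
    # On a real host, feed in `iptables-save` output and /etc/ssh/sshd_config
    # instead of the constructed samples.
    print(json.dumps(audit(), indent=2))
```

Running the block on the samples reports the two DROP rules touching the internal ranges and flags root SSH as allowed; on a real instance, feed it the live iptables-save output and sshd_config, and add the agent's actual address ranges to INTERNAL_RANGES.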
The auto-scaling system is yet another feature targeted by the threat actors. It lets the service adjust compute resources automatically depending on the volume of user requests. Although this helps prevent service interruptions, cryptojackers can benefit from it: when auto-scaling is active, abusing it lets the threat actors extend their Monero mining capacity while triggering additional costs for the instance owner.
The researchers informed Alibaba of these findings but had received no reply at the time of writing.
Cloud Services Represent a Target for Hackers
Cryptominers target cloud services more and more often. Recall when hackers started abusing misconfigured Docker servers, or when a new version of a cryptomining malware started targeting the Huawei cloud.
How Can Heimdal™ Keep You Safe?
Poor management of privileges can lead to security breaches that trigger business disruptions. We have just written an article on what Privileged Access Management is and how you can correctly implement a PAM strategy.
What can really help you, though, is our Privileged Access Management solution: an automated product that lets you escalate or de-escalate users' rights from anywhere in the world, supports your audit practices by tracking and logging sessions, and automatically stops access when anomalous activity is detected.