Malicious groups disable features in Alibaba Cloud ECS instances for Monero cryptojacking, according to Trend Micro researchers.
Cybercriminals are targeting Alibaba Elastic Computing Service (ECS) instances, disabling certain security features to further their cryptomining goals. Alibaba offers a few unique options that make it a highly attractive target for attackers, researchers noted.
According to research from Trend Micro, the Chinese giant’s cloud (also known as Aliyun) has a preinstalled security agent. While disabling security isn’t a new tactic, in this case the attackers are using a small piece of specific code in the cryptomining malware to create new firewall rules, instructing security filters to drop incoming packets from IP ranges belonging to internal Alibaba zones and regions.
Typically, when cryptojacking malware is installed in an Alibaba ECS bucket, the security agent will send the user a notification that a malicious script is running. In this case, despite detection, “the security agent fails to clean the running compromise and gets disabled,” according to Trend Micro’s analysis, posted Monday. “Looking at another malware sample shows that the security agent was also uninstalled before it could trigger an alert for compromise.”
Once it’s past the security feature, the malware then goes on to install the off-the-shelf XMRig cryptominer, which mines for Monero.
Cryptojackers Enter as Default Root Users
Targeting of Alibaba is on the rise thanks to a few unique features of the service, researchers noted, and the way that cloud instances can be configured.
“The default Alibaba ECS instance provides root access,” according to the analysis. “With Alibaba, all users have the option to give a password straight to the root user inside the virtual machine (VM).”
This is in contrast to how other cloud service providers architect their storage access, researchers pointed out. In most cases, the principle of least privilege is front and center, with different options such as not allowing Secure Shell (SSH) authentication over user and password, or allowing asymmetric cryptography authentication.
That way, if cyberattackers gain credentials, entering with only low-privilege access would require them to make an “enhanced effort” to escalate the privileges, according to Trend Micro: “Other cloud service providers do not allow the user to log in via SSH directly by default, so a less privileged user is required.”
But in a default Alibaba ECS bucket, an attacker with stolen credentials or a working initial compromise exploit would enter with the highest possible privileges, researchers said. That opens the door to the deployment of advanced payloads such as kernel module rootkits and for establishing persistence via running system services.
“Given this feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS,” concluded the analysis.
Expensive Resources, Additional Payloads
In terms of impact, Trend Micro also noted that Alibaba ECS has an auto-scaling feature, so that the service will automatically expand the availability of computing resources depending on demand. This gives cryptominers unlimited resources and could result in bill shock for the victim.
“While the feature is given to subscribers at no extra cost, the increase in resource usage prompts the additional charges,” according to the analysis. “By the time the billing arrives to the unwitting organization or user, the cryptominer has likely already incurred additional costs. Additionally, the legitimate subscribers have to manually remove the infection to clean the infrastructure of the compromise.”
Also, the malware’s code is modular, so the cryptominer can “easily be replaced” with another malware to execute in the environment, researchers at the firm noted.
“Attackers can…easily replace the malicious cryptominer with another piece of malware that can potentially drive them more profit or spread to other workloads and endpoints,” they explained. “Subsequent attacks can be done on the projects or infrastructure as a result of how easy it is to infiltrate the environment with high user privileges.”
To protect themselves from threat actors stealing cloud resources, users should create a less privileged user for running applications and services within each Alibaba ECS instance, researchers recommended.
They also offered this additional guidance:
- Practice a shared responsibility model: Read through the guides, customize and enable the security layers of workloads and projects accordingly.
- Ensure there is more than one layer of malware-scanning and vulnerability-detection tools.
- Customize the security features of cloud projects and workloads: Despite the offered feature of your CSP, avoid running applications under root privilege and using passwords for SSH.
- Use public key cryptography for access.
- Follow the principle of least privilege: Limit the number of users with the highest access privileges according to their respective levels of involvement in a project or an application.
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.
Register NOW for the LIVE event!