Researchers on Monday reported that they found threat actors who attacked Alibaba’s cloud-based Linux servers, disabling features in Alibaba’s Elastic Computing Service (ECS) instances to conduct illicit mining of the Monero cryptocurrency.
In a blog post, Trend Micro researchers explained that the ECS instances come with a preinstalled security agent that the threat actors try to uninstall upon compromise. In this case, the Trend Micro researchers found specific code in the malware that creates firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba network zones and regions. Whatever the initial access vector (vulnerability exploitation, a misconfiguration, weak credentials, or leaked data), the threat actor then holds the highest possible privilege on the instance.
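A defender-side check for the firewall tampering described above, written here as an added example that is not from the article or from Trend Micro: it audits `iptables -S` output for DROP/REJECT rules aimed at provider-internal source ranges, including negated matches (`! -s X`) that block everything except X. The internal ranges and the rule lines are constructed placeholders, not Alibaba’s real addresses.

```python
import ipaddress

# Constructed placeholders: the article does not list the Alibaba-internal
# ranges the malware drops, so put your provider's agent/metadata ranges here.
PROVIDER_INTERNAL_RANGES = [ipaddress.ip_network("100.100.0.0/16"),
                            ipaddress.ip_network("10.0.0.0/8")]

# Constructed `iptables -S` output in the shape the article describes; the
# last three DROP rules are the ones a defender should notice.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j DROP
-A INPUT -s 100.100.0.0/16 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT ! -s 192.168.1.0/24 -j DROP
""".splitlines()

def parse_rule(line):
    """Parse one `iptables -S` append line into chain, source spec and target."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None  # -P policy and -N chain lines carry no match to audit
    rule = {"chain": toks[1], "src": None, "negated": False, "target": None}
    for i, tok in enumerate(toks[2:], start=2):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "!" and nxt == "-s":
            rule["negated"] = True  # "! -s X" matches everything except X
        elif tok == "-s":
            rule["src"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
    return rule

def suspicious_drop_rules(lines):
    """Return (chain, source spec, target) for DROP/REJECT rules hitting a provider-internal range."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if not rule or rule["target"] not in ("DROP", "REJECT") or not rule["src"]:
            continue
        net = ipaddress.ip_network(rule["src"], strict=False)
        # Plain "-s X" hits if X overlaps a range; "! -s X" hits unless X covers it.
        hit = any((not r.subnet_of(net)) if rule["negated"] else net.overlaps(r)
                  for r in PROVIDER_INTERNAL_RANGES if r.version == net.version)
        if hit:
            spec = ("! " if rule["negated"] else "") + rule["src"]
            findings.append((rule["chain"], spec, rule["target"]))
    return findings
```

On a live host, feed it the lines of `iptables -S` (run as root) and alert on any non-empty result; pair it with a check that the provider’s security agent process is still installed and running.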
The researchers did not specify which groups are responsible, but did say that Kinsing and TeamTNT, among others, operate in this field. The two common characteristics of these hacks are that they remove competing threat actors who are also mining for cryptocurrency and disable security features found in the victim’s machine.
While the Trend Micro blog focuses on Alibaba, every Elastic Compute Provider can still suffer from cryptojacking, said Kevin Breen, director of cyber threat research at Immersive Labs. Breen said this includes the large ones like AWS, Azure, and Google Cloud all the way through to the smaller setups like Heroku and Redshift that focus more on deploying containers and applications rather than full virtual machines.
“It’s not unusual to see attackers uninstall security software in these situations,” Breen said. “In fact, some even check for, and remove, any other existing cryptominers in ‘king of the hill’ style battles. Most of these styles of attack are automated, pre-defined scripts set to run against large IP ranges, either to try the default set of credentials or to test for common vulnerabilities. If it works, the bot will run the script and move on to the next IP address in the list. As such, limiting the exposure of instances to the public by correctly setting network policies and security groups is a good first layer of defense.”
Saryu Nayyar, CEO at Gurucul, said it’s become clear that cloud computing is not a panacea for cybersecurity, as demonstrated by Alibaba. Nayyar said Alibaba’s cloud-based Linux servers were used for cryptomining, enabling hackers to use the stack to create new cryptocurrency.
“While computing power is relatively inexpensive, it’s likely that hackers were able to steal substantial compute cycles for mining purposes,” Nayyar said. “This is the sort of unusual activity that can be caught by a monitoring regimen that can identify that kind of activity and flag it for remediation. Enterprises can look at both traffic and CPU activity to identify a high risk of a hack and address it automatically.”
John Bambenek, principal threat hunter at Netenrich, added that the gold rush of cloud adoption comes with a misunderstanding of where the lines of the cloud provider end in providing security. Bambenek said in the Alibaba case, instances that were configured in an insecure fashion were used for cryptojacking, a problem that could have been prevented if the “Sec” in DevSecOps was actually there and functional.
“Organizations need to be aware where their cloud security responsibilities are because configuring IaaS instances securely is almost always on the customer,” Bambenek advised.