Hackers Hijack Alibaba Cloud Servers With Crypto-mining Malware



Trend Micro reported on Monday that several hacking groups were targeting Alibaba Cloud servers to install cryptocurrency mining – “cryptojacking” – malware.

The company said it discovered malware created specifically for Alibaba Elastic Compute Service (ECS) instances, which are supposed to provide “fast memory and the latest Intel processors to help you power your cloud applications and achieve faster results with low latency”. Or, in this case, to mine cryptocurrency (mainly Monero).

This malware allegedly uninstalled the security agent built into ECS, then created firewall rules that drop “incoming packets from IP address ranges belonging to Alibaba internal zones and regions.” The default configuration of the service also provides root access to the instance, and it appears that some users have not fixed this flaw.
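As an added defensive example (not code from the Trend Micro report or from Alibaba), the following script audits an `iptables-save` dump for DROP rules whose source overlaps a list of provider-internal address ranges, which is the firewall tampering described above. The internal ranges and the sample rule dump are constructed placeholders; a defender would substitute the provider's documented management ranges.

```python
import ipaddress
import re

# Constructed placeholders (assumption): substitute the cloud provider's
# documented internal/management ranges for your own environment.
PROVIDER_INTERNAL_RANGES = [
    ipaddress.ip_network("100.100.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample in iptables-save format; the first two DROP lines mimic
# rules that block traffic from the provider's internal zones, the third is
# an unrelated DROP that should not be flagged.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 100.100.2.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Matches "-A <chain> ... -s <source> ... -j DROP" as emitted by iptables-save.
RULE_RE = re.compile(r"^-A\s+(\S+)\s+.*?-s\s+(\S+)\s+.*?-j\s+DROP\b")


def suspicious_drop_rules(iptables_save_text, internal_ranges=PROVIDER_INTERNAL_RANGES):
    """Return (chain, source) pairs for DROP rules whose source overlaps any
    provider-internal range. Overlap is used instead of equality so that both
    a subnet inside a range and a superset of it are reported."""
    hits = []
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, src = m.groups()
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # not an address or CIDR (e.g. a hostname); skip it
        if any(net.overlaps(r) for r in internal_ranges):
            hits.append((chain, src))
    return hits


if __name__ == "__main__":
    for chain, src in suspicious_drop_rules(SAMPLE_IPTABLES_SAVE):
        print(f"suspicious DROP in {chain}: source {src} overlaps a provider-internal range")
```

On a live host, feed the output of `iptables-save` to `suspicious_drop_rules` and alert on any non-empty result.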

Trend Micro explained:

“In this situation, the threat actor has the greatest possible privilege in the event of a compromise, including exploitation of vulnerabilities, any misconfiguration issues, weak credentials, or a data breach. Thus, advanced payloads such as kernel module rootkits and persistence through running system services can be deployed. Considering this feature, it is not surprising that several malicious actors target Alibaba Cloud ECS simply by inserting a code snippet to remove software found only in Alibaba ECS.”

Trend Micro said cryptojackers will target Alibaba as well because ECS scales automatically based on how many resources a given customer uses. Cryptocurrency mining would cause the ECS customer to consume more computing power, meaning they would end up paying more because they were compromised.

Alibaba is not the only cloud service provider (CSP) targeted by hackers. Trend Micro said it “found these samples sharing common features, functions, and functionality with other campaigns that also target CSPs in Asia, such as Huawei Cloud.” It seems even cryptojackers are moving their infrastructure to the cloud.

“We contacted the Alibaba Cloud team via their contact details prior to posting this blog,” Trend Micro said, “and we are awaiting their response regarding this concern.” So far, it seems there hasn’t been one. Alibaba customers can learn more through Trend Micro’s report.


