Threat actors are actively targeting Alibaba ECS instances


Malicious actors are hijacking Alibaba Cloud infrastructure to deploy cryptocurrency mining malware, researchers at cybersecurity firm Trend Micro have warned.

Alibaba Cloud (aka Aliyun), a subsidiary of Chinese tech giant Alibaba Group, provides cloud computing services to online businesses and Alibaba's own e-commerce ecosystem. It offers cloud services that are available on a pay-as-you-go basis, and include Elastic Compute, Data Storage, Relational Databases, Big-Data Processing, Anti-DDoS protection and Content Delivery Networks (CDN).

According to Trend Micro, Alibaba Elastic Compute Service (ECS) instances are an increasingly common target for financially motivated cybercriminals, because they have configuration weaknesses that can be exploited to install malware.

One issue is that no separate privilege levels are configured on an instance; another is that Alibaba ECS instances provide root access by default.

“While other CSPs provide different options ranging from the least privileged ones — such as not allowing Secure Shell (SSH) authentication over user and password and only allowing asymmetric cryptography authentication — other CSPs do not allow the user to log in via SSH directly by default, so a less privileged user is required,” the researchers said.

“For instance, if the login secrets are leaked, having low-privilege access would require enhanced effort from attackers to escalate the privileges. With Alibaba, however, all users have the option to give a password straight to the root user inside the virtual machine (VM).”

Although Alibaba ECS instances come with a security agent preinstalled, attackers who have elevated their privileges after compromise can uninstall or disable it, and can add firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba servers so that the installed security agent cannot detect or report suspicious behavior.
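Two checks a defender could script for the weaknesses described above (root SSH login with a password, and firewall rules that wall off the security agent's internal address ranges), as an added example that is not from the article or from Trend Micro; the sshd_config and iptables-save samples are constructed, and INTERNAL_RANGES is a placeholder for the provider's real ranges:

```python
import ipaddress
import re

# Constructed sshd_config in the weak state the article describes.
SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
# Constructed iptables-save output with a rule dropping traffic from an
# assumed internal range (placeholder, not the provider's real ranges).
IPTABLES_SAVE = """\
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
"""
# Placeholder; substitute the ranges your provider's agent actually uses.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def audit_sshd_config(text):
    """Return findings for settings that let a leaked password yield root
    directly, instead of a low-privilege user with key-based auth."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    # OpenSSH defaults to prohibit-password; explicit "yes" allows password root login.
    if settings.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    # OpenSSH defaults to yes, so a missing directive counts as weak too.
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: key-only login not enforced")
    return findings


# Matches INPUT rules that drop or reject packets from a given source.
DROP_RULE = re.compile(r"^-A INPUT\b.*\s-s\s+(\S+).*\s-j\s+(?:DROP|REJECT)\b")


def find_internal_drop_rules(text, internal_ranges=INTERNAL_RANGES):
    """Return rules dropping packets from any internal range, the technique
    used to keep the preinstalled security agent from reporting."""
    hits = []
    for line in text.splitlines():
        m = DROP_RULE.match(line.strip())
        if m and any(ipaddress.ip_network(m.group(1), strict=False).overlaps(r)
                     for r in internal_ranges):
            hits.append(line.strip())
    return hits
```

On a live host, feed the functions the contents of /etc/ssh/sshd_config and the output of `iptables-save` and alert on any non-empty result.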

“Despite detection, the security agent fails to clean the running compromise and gets disabled. Looking at another malware sample shows that the security agent was also uninstalled before it could trigger an alert for compromise. The samples then proceeded to install an XMRig. Examining the samples further shows that the cryptominer can easily be replaced with another malware to execute in the environment,” Trend Micro said.

Once they have obtained the highest possible privilege on the system, attackers can deploy advanced payloads such as kernel module rootkits.

“Given this feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS,” the researchers noted.
