Trend Micro announced on Monday that numerous hacking groups have been targeting Alibaba Cloud servers to install cryptocurrency mining malware known as "cryptojacking".
One of the challenges with Alibaba ECS, as per Trend Micro, is the absence of distinct privilege tiers configured on an instance, including all instances providing root privileges by default. This allows malicious actors who obtain access to login credentials to connect to the targeted system via SSH as root without performing any preparatory (escalation of privilege) work.
Alibaba is a Chinese technology behemoth with an international market presence, with cloud services mainly used throughout Southeast Asia.
The ECS service, in specific, is advertised as having fast memory, Intel CPUs, and favorable low-latency operations. Perhaps better, ECS comes with a security agent pre-installed to safeguard against malware such as crypto miners.
"The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage," explains Trend Micro's report.
Moreover, the cyber attackers can use these administrative privileges to generate firewall rules that drop incoming packets from IP ranges about internal Alibaba servers, preventing the installed security agent from sensing suspicious behavior.
Owing to the ease with which kernel module rootkits and cryptojacking malware can be planted considering the elevated privileges, it is not surprising that numerous threat actors compete to take over Alibaba Cloud ECS instances.
Trend Micro has also noticed scripts that search for processes running on specific ports frequently used by malware and backdoors and terminate the associated processes to eliminate competing malware. An auto-scaling system, which allows the service to automatically adjust computing resources depending on the volume of user queries, is yet another ECS feature used by the threat actors.
This is to prevent future service disruptions and niggles caused by unexpected traffic loads, but it also provides an opportunity for cryptojackers. Abusing this while it is involved on the targeted account allows the actors to increase their Monero mining power while incurring extra costs to the instance owner.
