Alibaba Cloud Infrastructure Cryptojacked

Threat actors are compromising Alibaba Cloud infrastructure to deploy cryptocurrency mining malware there comes a warning from Security researchers.

The Chinese tech giant is a popular choice for infrastructure-as-a-service (IaaS) in South-East Asia. Yet, experts warned that its Elastic Computing Service (ECS) instances are also an increasingly common target for financially motivated hackers.

Alibaba ECS comes with a security agent; some actors can uninstall or disable it on compromise. Even if it is still running and detects a malicious script, it is then the customer’s responsibility to take action, said Trend Micro. Customers must take care to configure the product properly, as the default Alibaba ECS instance provides root access.

The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed. This feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS.

Alibaba ECS also has an auto-scaling feature that automatically adjusts computing resources based on the volume of user requests. This can run up additional charges for customers in the background if exploited by crypto mining malware.

Trend Micro noted that such is the popularity among threat actors of Alibaba Cloud and other regional players like Huawei Cloud that it has observed attackers removing rivals from inside compromised infrastructure.

The security vendor urged customers to:

• Enhance CSP protection with their own third-party malware-scanning and vulnerability detection tools.
• Practice the principle of least privilege.
• Customize the security features of cloud projects and workloads.

Indicators of Compromise