Threat actors are compromising Alibaba Cloud infrastructure to deploy cryptocurrency mining malware there comes a warning from Security researchers.

The Chinese tech giant is a popular choice for infrastructure-as-a-service (IaaS) in South-East Asia. Yet, experts warned that its Elastic Computing Service (ECS) instances are also an increasingly common target for financially motivated hackers.

Advertisements

Alibaba ECS comes with a security agent; some actors can uninstall or disable it on compromise. Even if it is still running and detects a malicious script, it is then the customer’s responsibility to take action, said Trend Micro. Customers must take care to configure the product properly, as the default Alibaba ECS instance provides root access.

The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed. This feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS.

Alibaba ECS also has an auto-scaling feature that automatically adjusts computing resources based on the volume of user requests. This can run up additional charges for customers in the background if exploited by crypto mining malware.

Trend Micro noted that such is the popularity among threat actors of Alibaba Cloud and other regional players like Huawei Cloud that it has observed attackers removing rivals from inside compromised infrastructure.

The security vendor urged customers to:

  • Enhance CSP protection with their own third-party malware-scanning and vulnerability detection tools.
  • Practice the principle of least privilege.
  • Customize the security features of cloud projects and workloads.
Advertisements

Indicators of Compromise

0518b05f7e5f5f2d53dea953390de898ad92bad03b3f3ac7647a50cd74919cd9Coinminer.Linux.MALXMR.PUWENG
056e6a63c020a91bb62ca4675161521bcd20ab31edf27df146c8bbb8c9933e71Coinminer.Linux.MALXMR.PUWENG
0e1f59211cccea78be3d1eb2dbd78a99c2e99bf2d3bd397472816fbf52df80acCoinminer.Linux.MALXMR.PUWENG
19c4c20e5cf6982e252c4a1a7b65760a9f8deb36c2550bb008e99022d73e282eCoinminer.Linux.MALXMR.PUWENG
1bb01d884080f44cb6c7dfb13757fa9a4b97111370da9a912cc5670bd5226d44Coinminer.Linux.MALXMR.PUWENG
3c66aeb28dc19df677c2c21d25a27faa6539e633fc20d96fc3a6ab22319bd60aCoinminer.Linux.MALXMR.PUWENG
4093350dcdae9ac2697d840b6b5634ef9cece537034312d9200f3eb9017c4611Coinminer.Linux.MALXMR.PUWENG
50319faab2365b228c83576cbf8846b2c7f565a5d05d07dfa12811e9ed9189dbCoinminer.Linux.MALXMR.PUWENG
558be918f8873d0810df7eaaf7b847dfa45f1a9bbfdc315667c6f53b3f4af57aCoinminer.Linux.MALXMR.PUWENG
5d12168d29b4ff6ece020169bfbcc8bfd7dcf4553f54b46c42681f58f12f3848Coinminer.Linux.MALXMR.PUWENG
6038dc51acbf2263bbcec340c78bbe740fcd7ea59287be430068954937996aeaCoinminer.Linux.MALXMR.PUWENG
611c098efee6ea0f654d715acfa1d70554db9b0951a0b97fa864cb8bc48641baCoinminer.Linux.MALXMR.PUWENG
71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbadCoinminer.Linux.MALXMR.PUWENG
77453da8a4cb1dcf945ed5fb73028d7f0abbe1162a3d132bcd5055456c0a9e9fCoinminer.Linux.MALXMR.PUWENG
8fe2789d25564597a121b3f1e83edf245a096d655f3c37bf12e281029034a4deCoinminer.Linux.MALXMR.PUWENG
a421f42e290fc6729063d69cd3d6ff66ae683a1cce11b074d2d658f4b9a74f7bCoinminer.Linux.MALXMR.PUWENG
A927dada21046601ba304426f9a4079407d878c620ab8477fb2a37bff1b66754Coinminer.Linux.MALXMR.PUWENG
ab12b5d03f8467a1089d3d40ef9c4a54fb16ee61bb68714040e9edf96b5e763fCoinminer.Linux.MALXMR.PUWENG
ae7a8d13ed53a079ccdae345687546c9c247daa13f2e993783844fc2b8b806acCoinminer.SH.MALXMR.UWEKF
bfef5a7fb44b8899b699be6d1f3441f09b436131d7926c66eadb06e28da4c949Coinminer.Linux.MALXMR.PUWENG
c5926726f78c64b24fb01270e59a613b329889f434cbe4f6ba31b36c39d36b8eCoinminer.Linux.MALXMR.PUWENG
c8895af7e57cf693d1dde9b3a361d03f14be0cdb2ee9c121496ea0315f06636aCoinminer.SH.MALXMR.UWEKF
cc5d9689b587da414e094d6b63dc3ebff15b53725decb64d0418dc6ce44c3ef9Coinminer.SH.MALXMR.UWEKF
d6ed14600c58dc6b8f81eebed597e080333e4f0bcdecf607981c74c9371d0cd5Coinminer.Linux.MALXMR.PUWENG
de30d5ff514103e95200d711afffb191fc38a4a442a61078dbd7dc78b71ad6fcCoinminer.Linux.MALXMR.PUWENG
e20a0566974934e8a8cc44ece0e700963e5542039212117420f7756d89d4e551Coinminer.Linux.MALXMR.PUWENG
e733900008aa81c172ae959a58d56bbfcc1e91f1214061f607113bb45cc23aacCoinminer.Linux.MALXMR.PUWENG
eac4077aa752e12d264aea78bac9bbfe2f21ef14e3eec2e9d4132031ea89b8a1Coinminer.SH.MALXMR.UWEKF
f7dc1998c6ea802a9db30a1dfd777e00de09f498ad1266b46ae16c301e4e0f63Coinminer.Linux.MALXMR.PUWENG