Palo Alto Networks Unit 42 researchers have found a new malware variant that uninstalls cloud security agents in order to take full control of Linux servers and mine cryptocurrency (Monero, not bitcoin, as the malware uses a Monero miner).
Rocke, a Chinese-speaking hacking group that some reports have linked to APT10, is said to have devised the new variant, which has already targeted hosts running on the Alibaba Cloud and Tencent Cloud platforms. The security products the malware removes are Alibaba Threat Detection Service, Alibaba Cloud Monitor, Alibaba Cloud Assistant, Tencent Host Security, and Tencent Cloud Monitor.
Technically speaking, the crypto mining malware does not exploit any vulnerability in the cloud platforms themselves. Once it has gained root access to a host, it runs the vendors' own uninstall routines for the monitoring and security agents, so the cloud provider loses visibility into the server, and only then installs and starts the mining payload.
Cisco Talos researchers first reported on the Rocke group in 2018. It was the Unit 42 security experts, however, who discovered that the group's crypto mining malware was steadily taking over public cloud hosts by uninstalling the cloud security agents and installing mining software for profit.
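The behaviour described above, removing the provider's security agent before dropping the miner, is something a defender can watch for with host-level process auditing. The following is an added example, not code from the Unit 42 report or from any vendor: it parses auditd EXECVE records and flags commands that uninstall, delete, stop or kill a cloud security agent. The agent install prefixes, process names and name hints it uses are assumptions for illustration and must be verified against the actual agents on your own hosts; the log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Assumed install prefixes of the cloud security agents named in the article
# (Alibaba Cloud's aegis agent, Tencent Cloud's qcloud agents). These are
# assumptions for the example; confirm the real paths on your own hosts.
AGENT_DIRS = ("/usr/local/aegis", "/usr/local/qcloud")

# Assumed (hypothetical) process names of those agents, used to detect gaps.
EXPECTED_AGENT_PROCS = {"AliYunDun", "AliYunDunUpdate", "YDService", "YDLive", "barad_agent"}

# Substrings (case-insensitive) that identify an agent in a service or kill
# command line. Again assumptions; extend for your own estate.
AGENT_NAME_HINTS = ("aegis", "aliyundun", "yunjing", "barad", "qcloud")

UNINSTALL_RE = re.compile(r"uninst(all)?(\.sh)?$", re.I)
KILL_CMDS = {"kill", "pkill", "killall"}
SERVICE_CMDS = {"systemctl", "service", "chkconfig"}

# auditd quotes plain arguments as aN="..."; arguments containing spaces or
# control characters are hex-encoded without quotes and are not decoded here.
_ARG_RE = re.compile(r'\ba\d+="((?:[^"\\]|\\.)*)"')
_SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_execve(line: str) -> List[str]:
    """Return argv from an auditd EXECVE record, or [] for any other record."""
    if "type=EXECVE" not in line:
        return []
    return [m.group(1) for m in _ARG_RE.finditer(line)]


def under_agent_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in AGENT_DIRS)


def names_agent(arg: str) -> bool:
    low = arg.lower()
    return any(h in low for h in AGENT_NAME_HINTS)


def classify(argv: List[str]) -> Optional[str]:
    """Return a reason string if argv looks like agent tampering, else None."""
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    # 1. An uninstall script under an agent directory, run directly or via sh.
    for arg in argv:
        if under_agent_dir(arg) and UNINSTALL_RE.search(arg):
            return f"agent uninstall script executed: {arg}"
    # 2. Deleting the agent's install directory outright.
    if exe == "rm" and any(under_agent_dir(a) for a in argv[1:]):
        return "agent directory removed"
    # 3. Stopping or disabling the agent's service.
    if exe in SERVICE_CMDS and any(a in ("stop", "disable") for a in argv[1:]) \
            and any(names_agent(a) for a in argv[1:]):
        return "agent service stopped or disabled"
    # 4. Killing the agent process by name.
    if exe in KILL_CMDS and any(names_agent(a) for a in argv[1:]):
        return "agent process killed"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Yield (audit serial, reason, command line) for each suspicious EXECVE."""
    findings = []
    for line in log_text.splitlines():
        argv = parse_execve(line)
        reason = classify(argv)
        if reason:
            m = _SERIAL_RE.search(line)
            findings.append((m.group(1) if m else "?", reason, " ".join(argv)))
    return findings


def missing_agents(running_procs: Iterable[str]) -> Set[str]:
    """Expected agent processes that are not in the running process list."""
    return EXPECTED_AGENT_PROCS - set(running_procs)


# Constructed sample audit log for the example (not real data).
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1547650000.101:501): argc=2 a0="/bin/sh" a1="/usr/local/qcloud/stargate/admin/uninstall.sh"
type=EXECVE msg=audit(1547650000.102:502): argc=3 a0="rm" a1="-rf" a2="/usr/local/aegis"
type=EXECVE msg=audit(1547650000.103:503): argc=3 a0="systemctl" a1="stop" a2="aegis"
type=EXECVE msg=audit(1547650000.104:504): argc=2 a0="pkill" a1="AliYunDun"
type=EXECVE msg=audit(1547650000.105:505): argc=3 a0="/usr/bin/ls" a1="-la" a2="/usr/local/aegis"
type=EXECVE msg=audit(1547650000.106:506): argc=2 a0="/bin/sh" a1="/opt/app/uninstall.sh"
type=SYSCALL msg=audit(1547650000.106:506): arch=c000003e syscall=59 success=yes exit=0 pid=4242 uid=0
"""

if __name__ == "__main__":
    for serial, reason, cmd in scan(SAMPLE_AUDIT_LOG):
        print(f"[{serial}] {reason}: {cmd}")
    print("missing agents:", sorted(missing_agents({"sshd", "AliYunDun"})))
```

Feeding the constructed log through scan() flags the uninstall script, the rm -rf of the agent directory, the systemctl stop and the pkill, and leaves the harmless ls and the unrelated /opt/app/uninstall.sh alone. In practice the EXECVE record should be correlated with its SYSCALL record (same audit serial) to recover the pid and uid, and the missing_agents() check is best run from a separate host or pipeline, since a miner that has already removed the agent can just as easily stop a local script.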
Note 1- Servers in a cloud environment are networked to each other, and once one host is compromised it is not difficult for the malware to scan for and infect other reachable hosts in the same network, especially when the provider's security agent has already been removed from the first victim.
Note 2- Previously, the Rocke group was found exploiting vulnerabilities in widely deployed server software such as Oracle WebLogic, Apache Struts 2 and Adobe ColdFusion to obtain shell access, after which the compromised hosts were used to mine Monero. Now the group is seen uninstalling the cloud security agents on compromised cloud hosts before mining. In both cases the goal is the same: mining cryptocurrency.
When Unit 42 researchers informed the security staff at Tencent and Alibaba, both companies are said to have reviewed their in-house security offerings and taken steps to address the issue.
One hopes that Amazon, Microsoft Azure, and Google have taken note of this threat and reviewed the defensive policies of their respective cloud services.