Cryptojackers Disable Alibaba Cloud Security Agent

Security experts have warned that threat actors are compromising Alibaba Cloud (Aliyun) infrastructure to deploy cryptocurrency mining malware.

    The Chinese tech giant is a popular choice for infrastructure-as-a-service (IaaS) in South-East Asia. Yet, cybersecurity software company Trend Micro warned that its Elastic Computing Service (ECS) instances are also an increasingly common target for financially motivated hackers.

    Several features of the platform are being targeted by these groups to enhance their chances of success, according to the report.

    Although Alibaba ECS comes with a security agent, some actors can uninstall or disable it on compromise. Even if it is still running and detects a malicious script, it is then the customer’s responsibility to take action, said Trend Micro. Customers must take care to configure the product properly, as the default Alibaba ECS instance provides root access.

    “In this situation, the threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed,” the researchers wrote.

    “Given this feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS.”
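    The report's point is that the agent's presence is itself a signal: if it stops running, or a privileged command targets it, the customer has to notice and act. The following added example (not Trend Micro's or Alibaba's code) shows one way a defender can automate that check from host telemetry. It assumes the agent appears in the process list as AliYunDun and AliYunDunUpdate (the names the Alibaba Cloud Security Center agent uses on Linux; verify this against your own instances) and runs over constructed `ps` output and constructed audit lines embedded in the block.

```python
"""Heuristic health check for a cloud-host security agent.

Added example, not code from the original article or from Trend Micro / Alibaba.
Flags two conditions the report describes: the agent is no longer running, and a
privileged command has been issued against it.
"""
import re
from dataclasses import dataclass, field

# Assumed Linux process names of the Alibaba Cloud Security Center agent.
# Treat these as an assumption and adjust for your environment.
EXPECTED_AGENT_PROCESSES = {"AliYunDun", "AliYunDunUpdate"}

# Verbs that stop, disable or remove a service; matched only on lines that also
# name the agent, so ordinary service management elsewhere does not alert.
TAMPER_VERBS = re.compile(
    r"\b(systemctl\s+(stop|disable|mask)|service\b.*\bstop|kill|pkill|killall|uninstall)\b",
    re.IGNORECASE,
)


@dataclass
class AgentHealth:
    missing: set = field(default_factory=set)        # expected agent processes not seen
    tamper_events: list = field(default_factory=list)  # audit lines targeting the agent

    @property
    def healthy(self) -> bool:
        return not self.missing and not self.tamper_events


def parse_ps_output(text: str) -> set:
    """Parse `ps -eo pid,comm` style output into the set of command names."""
    names = set()
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 1)
        if len(parts) == 2:
            names.add(parts[1].strip())
    return names


def find_tamper_events(audit_lines, agent_names=EXPECTED_AGENT_PROCESSES) -> list:
    """Return audit lines where a stop/kill/uninstall verb is applied to the agent."""
    events = []
    for line in audit_lines:
        lowered = line.lower()
        if any(name.lower() in lowered for name in agent_names) and TAMPER_VERBS.search(line):
            events.append(line)
    return events


def check_agent(ps_text: str, audit_lines, expected=EXPECTED_AGENT_PROCESSES) -> AgentHealth:
    """Combine both signals into one verdict a monitoring job can act on."""
    running = parse_ps_output(ps_text)
    return AgentHealth(
        missing=set(expected) - running,
        tamper_events=find_tamper_events(audit_lines, expected),
    )


# Constructed sample telemetry (not real captures).
SAMPLE_PS_HEALTHY = """PID COMMAND
1 systemd
842 AliYunDun
845 AliYunDunUpdate
"""

SAMPLE_PS_TAMPERED = """PID COMMAND
1 systemd
3101 unknown-binary
"""

SAMPLE_AUDIT = [
    '2021-11-15T10:02:11Z uid=0 cmd="systemctl stop AliYunDun"',
    '2021-11-15T10:03:00Z uid=1000 cmd="ls /var/log"',
]

if __name__ == "__main__":
    for label, ps, audit in (("healthy", SAMPLE_PS_HEALTHY, []),
                             ("tampered", SAMPLE_PS_TAMPERED, SAMPLE_AUDIT)):
        result = check_agent(ps, audit)
        print(f"{label}: healthy={result.healthy} missing={sorted(result.missing)} "
              f"tamper_events={len(result.tamper_events)}")
```

    The check is deliberately host-side and cheap, so it can run from a cron job or a monitoring agent the attacker does not expect; because the default ECS instance grants root, the audit lines are worth shipping off-host before they can be cleared.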

    Alibaba ECS also has an auto-scaling feature that automatically adjusts computing resources based on the volume of user requests. However, this can run up additional charges for customers in the background if exploited by cryptomining malware.

    Trend Micro noted that Alibaba Cloud and other regional players such as Huawei Cloud are so popular with threat actors that it has observed attackers removing rivals from inside compromised infrastructure.

    The security vendor urged customers to:

    • Enhance CSP protection with their own third-party malware-scanning and vulnerability detection tools.
    • Practice the principle of least privilege.
    • Customize the security features of cloud projects and workloads.

    It said it had reached out to Alibaba to respond to its findings but had not received a reply at the time of publishing.