Cloud security products uninstalled by mutating malware

The malware is associated with a prolific cyber crime group and uses cryptojacking vectors against the servers


Unit 42, the global cyber threat intelligence arm of Palo Alto Networks, has discovered new forms of a Linux coin mining malware originally used by the Rocke group which attacks Linux servers, aka a large portion of all servers in the world.

The malware, which is believed to be related to the Xbash malware detected in September 2018, infects a server and then mutates, downloading new code that allows it to assume administrative control and delete cloud security services installed on it.

The security products weren't compromised as such; instead, the threat actor was able to simply remove them from the server altogether, in the same way a legitimate system administrator would.
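Because the removal is done with ordinary administrative commands, the practical defence is to alert whenever a protected agent is stopped, uninstalled or deleted and then reconcile that alert against planned maintenance. The following is an added illustration, not code from Unit 42 or either cloud provider: it scans command-execution log lines in a constructed key=value format and the agent names are hypothetical placeholders to be replaced with the real service and package names of your CWPP.

```python
import re
from dataclasses import dataclass

# Hypothetical agent names; substitute the real service/package names of your CWPP.
WATCHED_AGENTS = ("cloud-security-agent", "cwpp-monitor")

# Commands an administrator (or malware acting as one) would use to get rid of an agent.
REMOVAL_PATTERNS = [
    re.compile(r"^systemctl\s+(stop|disable|mask)\s"),
    re.compile(r"^rpm\s+-e\s"),
    re.compile(r"^(yum|dnf|apt|apt-get)\s+(remove|purge|erase)\s"),
    re.compile(r"^rm\s+-\w*[rf]"),          # rm -r / rm -f / rm -rf
    re.compile(r"uninstall"),               # the agent's own uninstall script
]

# Constructed log format: timestamp, host, uid of the caller and the full command line.
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) uid=(?P<uid>\d+) cmd="(?P<cmd>.*)"$')

@dataclass
class Finding:
    ts: str
    host: str
    uid: int
    cmd: str
    agent: str

def detect_agent_removal(lines, agents=WATCHED_AGENTS):
    """Return one Finding per command that removes, stops or deletes a watched agent."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # ignore lines that do not fit the format
        cmd = m["cmd"]
        agent = next((a for a in agents if a in cmd), None)
        if agent and any(p.search(cmd) for p in REMOVAL_PATTERNS):
            findings.append(Finding(m["ts"], m["host"], int(m["uid"]), cmd, agent))
    return findings

# Constructed sample log: two benign lines and four that dismantle the agents.
SAMPLE_LOG = [
    '2021-03-03T10:14:58Z host=web01 uid=1000 cmd="systemctl status cloud-security-agent"',
    '2021-03-03T10:15:02Z host=web01 uid=0 cmd="systemctl stop cloud-security-agent"',
    '2021-03-03T10:15:03Z host=web01 uid=0 cmd="rpm -e cloud-security-agent"',
    '2021-03-03T10:15:05Z host=web01 uid=0 cmd="/usr/local/cwpp-monitor/uninstall.sh"',
    '2021-03-03T10:15:06Z host=web01 uid=0 cmd="rm -rf /usr/local/cwpp-monitor"',
    '2021-03-03T10:20:00Z host=web02 uid=0 cmd="yum install -y cwpp-monitor"',
]

if __name__ == "__main__":
    for f in detect_agent_removal(SAMPLE_LOG):
        print(f"{f.ts} {f.host} uid={f.uid} removed {f.agent}: {f.cmd}")
```

An alert by itself cannot tell a legitimate decommissioning from an attack, which is exactly the article's point, so each hit should be matched against a change record before it is closed.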

The samples analysed by Unit 42 targeted cloud services provided by two of China's leading cloud providers: Tencent Cloud and Alibaba Cloud (Aliyun). It's also believed by the threat intelligence team that the analysed samples are the first form of malware that can target and delete cloud services from servers.

The threat isn't limited to the hosts of Linux servers. Cloud Workload Protection Platforms (CWPP), which are essentially security services built into cloud products and tailored to stop malware intrusions, are also under threat.

The threat is worth taking seriously: Tencent Cloud and Alibaba Cloud (Aliyun) both include CWPPs with their products, yet that evidently wasn't enough to mitigate the latest attack, which attempted to mine Monero on Linux hardware.

The Xbash family of malware, first discovered in September 2018, is devastating: analysed samples infected servers in worm-like fashion and destroyed data on the server while posing as ransomware. Researchers found no evidence in the attack code of any provision for restoring data once the ransom was paid.

Linux is more prevalent than one might think. Microsoft Azure is now predominantly run on Linux servers, so it's not just the Chinese cloud environments being hosted on Linux; it's likely that your business is running at least one cloud service on a Linux server too.
