IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cloud security products uninstalled by mutating malware

The malware is associated with a prolific cyber crime group and uses cryptojacking vectors against the servers

Skull mixed within computer code

Unit 42, the global cyber threat intelligence arm of Palo Alto Networks, has discovered new forms of a Linux coin mining malware originally used by the Rocke group which attacks Linux servers, aka a large portion of all servers in the world.

The malware which is believed to be related to the Xbash malware detected in September 2018, will infect a server and then mutate, downloading new code which allows it to assume administrative control and delete cloud services installed on them.

The security products weren't compromised specifically, instead, the threat actor was able to simply remove them from the server altogether in the same way a legitimate system administrator would be able to.

The samples analysed by Unit 42 targeted cloud services provided by two of China's leading cloud providers: Tencent Cloud and Alibaba Cloud (Aliyun). It's also believed by the threat intelligence team that the analysed samples are the first form of malware that can target and delete cloud services from servers.

The threat isn't just presented to hosts of Linux servers, Cloud Workload Protection Platforms (CWPP), which are essentially built-in security services into cloud products tailored to stop malware intrusions, are also under threat.

The threat is worth taking seriously, considering Tencent Cloud and Alibaba Cloud (Aliyun) both have CWPPs included with their products which means they're not doing enough to mitigate attacks, evidently with the latest one which attempted to mine Monero using Linux hardware.

The Xbash family of malware which was first discovered in Septemeber 2018 is devastating, with analysed samples infecting servers in worm-like fashion and destroying data on the server while posing as ransomware. Researchers found no evidence in the attack code that a provision was in place whereby data could be restored following the ransom's payment.

Linux is more prevalent than one might think, Microsoft Azure is now predominantly run on Linux servers - it's not just the Chinese cloud environments being hosted via Linux, it's likely that your business is running at least one cloud service on a Linux server too.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022