Cloud security products uninstalled by mutating malware

The malware is associated with a prolific cyber crime group and uses cryptojacking vectors against the servers


Unit 42, the global cyber threat intelligence arm of Palo Alto Networks, has discovered new forms of a Linux coin mining malware originally used by the Rocke group. The malware attacks Linux servers, which account for a large portion of all servers in the world.

The malware, which is believed to be related to the Xbash malware detected in September 2018, infects a server and then mutates, downloading new code that allows it to assume administrative control and delete the cloud security services installed on that server.

The security products themselves weren't compromised. Instead, the threat actor was able to simply remove them from the server altogether, in the same way a legitimate system administrator would.

The samples analysed by Unit 42 targeted cloud services provided by two of China's leading cloud providers: Tencent Cloud and Alibaba Cloud (Aliyun). The threat intelligence team also believes the analysed samples are the first form of malware that can target and delete cloud security services from servers.

The threat isn't limited to hosts of Linux servers. Cloud Workload Protection Platforms (CWPPs), which are essentially security services built into cloud products and tailored to stop malware intrusions, are also under threat.

The threat is worth taking seriously. Tencent Cloud and Alibaba Cloud (Aliyun) both include CWPPs with their products, which means those platforms are evidently not doing enough to mitigate attacks, as the latest one, which attempted to mine Monero on Linux hardware, shows.

The Xbash family of malware, first discovered in September 2018, is devastating: analysed samples infected servers in worm-like fashion and destroyed data on the server while posing as ransomware. Researchers found no evidence in the attack code that any provision was in place for data to be restored following payment of the ransom.

Linux is more prevalent than one might think: Microsoft Azure now predominantly runs on Linux servers. It's not just Chinese cloud environments being hosted on Linux; it's likely that your business is running at least one cloud service on a Linux server too.
