New Microsoft emergency updates fix Windows Server auth issues
7 million Robinhood user email addresses for sale on hacker forum
FBI system hacked to email ‘urgent’ warning about fake cyberattacks
High severity BIOS flaws affect numerous Intel processors
New Rowhammer technique bypasses existing DDR4 memory defenses
Emotet malware is back and rebuilding its botnet via TrickBot
Alibaba ECS instances actively hijacked by cryptomining malware
High severity BIOS flaws affect numerous Intel processors
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Monero miner
​Threat actors are hijacking Alibaba Elastic Computing Service (ECS) instances to install cryptominer malware and harness the available server resources for their own profit.
Alibaba is a Chinese technology giant with a global market presence, with its cloud services being used primarily in southeast Asia.
In particular, the ECS service is marketed as offering fast memory, Intel CPUs, and promising low-latency operations. Even better, to protect against malware such as cryptominers, ECS comes with a pre-installed security agent.
According to a report by Trend Micro, one of the issues with Alibaba ECS is the lack of different privilege levels configured on an instance, with all instances offering root access by default.
This makes it possible for threats actors who gain access to login credentials to access the target server via SSH as root without any preparatory (escalation of privilege) work.
“The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage,” explains Trend Micro’s report.
Furthermore, these elevated privileges allow the threat actors to create firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba servers to prevent the installed security agent from detecting suspicious behavior.
The threat actors can then run scripts that stop the security agent on the compromised device.
Given how easy it is to plant kernel module rootkits and cryptojacking malware due to the elevated privileges, it is no surprise that multiple threat actors compete to take over Alibaba Cloud ECS instances.
Trend Micro has also observed scripts looking for processes running on specific ports commonly used by malware and backdoors and terminating the associated processes to remove competing malware.
Another ECS feature exploited by the actors is an auto-scaling system that enables the service to automatically adjust computing resources based on the volume of user requests.
This is to help prevent service interruptions and hiccups from sudden traffic burdens, but it’s an opportunity for cryptojackers.
By abusing this when it’s active on the targeted account, the actors can scale up their Monero mining power and incur additional costs to the instance owner.
Considering that the billing cycles are monthly in the best-case scenario, it would take the victim some time to realize the problem and take action.
When auto-scaling isn’t available, mining will cause a more immediate and noticeable slow-down effect as the miners utilize the available CPU power.
Alibaba ECS is yet another case of a cloud service targeted by cryptominers, with other notable recent campaigns targeting Docker and Huawei Cloud.
Trend Micro has notified Alibaba of its findings but hasn’t received a response yet.
If you are using Alibaba’s cloud service, ensure that your security settings are correct and follow best practices.
Moreover, avoid running apps under root privilege, use cryptographic keys for access, and follow the principle of least privilege.
In the case of ECS, its built-in malware protection isn’t enough, so adding a second layer of detection for malware and vulnerabilities on the cloud environment should be part of your standard security practice.
Huawei Cloud targeted by updated cryptomining malware
TeamTNT hackers target your poorly configured Docker servers
Popular NPM library hijacked to install password-stealers, miners
MyKings botnet still active and making massive amounts of money
The Week in Ransomware – November 12th 2021 – Targeting REvil
Not a member yet? Register Now
New Microsoft emergency updates fix Windows Server auth issues
High severity BIOS flaws affect numerous Intel processors
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Hundreds of thousands of MikroTik devices still vulnerable to botnets

SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugsWindows ‘InstallerFileTakeOver’ zero-day…

McMenamins breweries hit by a Conti ransomware attack

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flawsNew ransomware now…

Microsoft adds AI-driven ransomware protection to Defender

Windows 10 21H2 is released, here are the new featuresNew Rowhammer technique…

BotenaGo botnet targets millions of IoT devices with 33 exploits

HPE says hackers breached Aruba Central using stolen access keyFBI warns of…