Cybersecurity research team Palo Alto Networks Unit 42 has warned of new malware that can target and disable cloud security products in order to mine the Monero cryptocurrency on affected computers.

Samples of the malware were collected last October and are believed to have been developed by the notorious Rocke group. The Cisco Talos Intelligence Group first discovered last July that Rocke was trying to access cloud storage services.

Unit 42 discovered that five different cloud security products, developed by China-based Tencent Cloud and Alibaba Cloud (Aliyun), could be uninstalled from compromised servers running Linux. “In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” the researchers Xingyu Jin and Claud Xiao explained.

“To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products,” they added.

According to Unit 42, Rocke is able to exploit vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. To evade detection by the Cloud Workload Protection Platforms that each cloud service provider develops for its own environment, it is not enough for the malware to kill the monitoring service process; it has to uninstall the products altogether, which is what Rocke has managed to do.
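Because the removal happens with the same commands a legitimate administrator would use, the defensive signal is not a tampered binary but an ordinary-looking privileged command sequence: the agent's own uninstall script, a package-manager remove, or a service being disabled. The scanner below is an added illustration of that point and is not code from the article, from Unit 42, or from either cloud vendor. The one-line-per-exec log format, the agent install directories, package names and systemd unit names are all placeholders assumed for the example; substitute the real values for the agents deployed on your hosts (for instance by feeding it auditd EXECVE records reformatted to this shape).

```python
"""Flag log lines in which a cloud-security agent is uninstalled, removed
or disabled by an already-privileged process (added example, not the
vendors' or Unit 42's code).

Assumed record format (constructed for this example):
    <timestamp> uid=<n> cmd=<command line as typed>
"""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Hypothetical watch-list: replace with the real install paths, package names
# and unit names of the agents actually deployed on the host.
AGENT_DIRS = ("/opt/example-cwpp-agent/", "/usr/local/example-cloud-monitor/")
AGENT_PACKAGES = {"example-cwpp-agent", "example-cloud-monitor"}
AGENT_SERVICES = {"example-cwpp-agent.service", "example-cloud-monitor.service"}

PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "dnf", "rpm"}
REMOVE_VERBS = {"remove", "purge", "erase", "-e", "-r", "--remove", "--purge"}
SERVICE_VERBS = {"stop", "disable", "mask"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    uid: int
    reason: str
    cmd: str


def _unwrap_shell(argv: Sequence[str]) -> Sequence[str]:
    """`sh -c '<cmd>'` hides the real command in one argument; split it out."""
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in ("sh", "bash") and len(argv) >= 3 and argv[1] == "-c":
        try:
            return shlex.split(argv[2])
        except ValueError:
            return argv
    return argv


def classify(argv: Sequence[str]) -> Optional[str]:
    """Return a reason string if argv looks like agent removal, else None."""
    if not argv:
        return None
    argv = _unwrap_shell(argv)
    prog = argv[0].rsplit("/", 1)[-1]
    # (a) the agent's own uninstall script run from its install directory
    for tok in argv:
        if tok.startswith(AGENT_DIRS) and "uninstall" in tok.rsplit("/", 1)[-1].lower():
            return "agent uninstall script executed"
    # (b) a package manager removing an agent package
    rest = set(argv[1:])
    if prog in PACKAGE_MANAGERS and rest & REMOVE_VERBS and rest & AGENT_PACKAGES:
        return "agent package removed"
    # (c) systemd stopping, disabling or masking the agent unit
    if prog == "systemctl" and rest & SERVICE_VERBS:
        units = {t if t.endswith(".service") else t + ".service" for t in rest}
        if units & AGENT_SERVICES:
            return "agent service stopped or disabled"
    return None


def parse_line(line: str):
    """Parse one record into (timestamp, uid, argv); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = shlex.split(m["cmd"])
    except ValueError:
        return None
    return m["ts"], int(m["uid"]), argv


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every record and collect the hits in order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, uid, argv = parsed
        reason = classify(argv)
        if reason:
            findings.append(Finding(ts, uid, reason, " ".join(argv)))
    return findings


# Constructed sample records: a benign crontab listing and package install
# mixed with three removal steps of the kind described in the article.
SAMPLE_LOG = """\
T+00:01 uid=0 cmd=/usr/bin/crontab -l
T+00:02 uid=0 cmd=/bin/sh -c '/opt/example-cwpp-agent/uninstall.sh --quiet'
T+00:04 uid=0 cmd=/usr/bin/yum -y remove example-cloud-monitor
T+00:05 uid=0 cmd=/usr/bin/systemctl disable example-cwpp-agent
T+00:06 uid=1000 cmd=/usr/bin/apt-get install -y htop
T+00:07 uid=0 cmd=/usr/bin/systemctl status sshd
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} uid={f.uid} {f.reason}: {f.cmd}")
```

On the sample records the scanner reports exactly the three removal steps and ignores the benign lines. Any hit from a process tree that did not originate from an interactive administrator session (a web-application worker for Struts, WebLogic or ColdFusion, for example) is the case worth alerting on; an agent that simply stops reporting should be treated with the same suspicion, since the host is exactly where the agent's own telemetry can no longer be trusted.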

“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure,” the researchers warned.

Unit 42 is already coordinating with Tencent Cloud and Alibaba Cloud to address the issue.

Cybersecurity solutions provider Check Point Software Technologies Ltd. recently released its report on the top malware threats globally, in which the top three were all cryptocurrency miners. Coinhive has been the malware with the largest global reach for 13 months straight.

McAfee Labs has reported that mining malware increased by over 4,000% in a single year, as of end-September 2018.
