According to Trend Micro researchers, threat groups have been disabling security features in Alibaba Cloud ECS to plant malware and perform cryptomining or cryptojacking. Cybercriminals are allegedly targeting Alibaba Elastic Compute Service (ECS) instances and disabling the security features that would otherwise block their cryptomining. Alibaba has a few unique options that make it an attractive target for attackers, according to Trend Micro. Although disabling security is not a new tactic, attackers have been seen using a small piece of specific code in the cryptomining malware to create new firewall rules. These rules instruct the security filters to drop incoming packets from IP ranges belonging to internal zones and regions.
Alibaba instances ship with a pre-installed security agent, which the threat actors disable. Typically, in a cryptojacking situation, malware is installed on an ECS instance and the security agent sends the user a notification that a malicious script is running. In this case, however, despite detecting the compromise, the security agent fails to clean it up and is instead disabled. Once the attackers get past the security feature, the malware installs the XMRig cryptominer, which mines Monero. Trend Micro stated that users should create a less privileged user for running applications and services within each Alibaba ECS instance, to limit what a threat actor attempting to steal cloud resources can do.
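The firewall-rule trick described above gives a defender a concrete thing to look for: inbound DROP rules whose source is an internal range. The following is an added example, not code from Trend Micro or Alibaba; it assumes the rules are in iptables-save format and treats RFC 1918 and carrier-grade NAT space as "internal", both of which are assumptions since the write-up names neither the tool nor the exact ranges.

```python
import ipaddress
import re

# Assumed "internal" ranges: RFC 1918 plus 100.64.0.0/10. The report only says
# "IP ranges belonging to internal zones and regions", so adjust to your provider.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Matches "-A <chain> ... [-s <source>] ... -j <target>" as written by iptables-save.
RULE_RE = re.compile(r"-A\s+(?P<chain>\S+)(?:.*?\s-s\s+(?P<src>\S+))?.*?\s-j\s+(?P<target>\S+)")


def suspicious_drop_rules(iptables_save_text):
    """Return (chain, source, target) for rules that DROP/REJECT traffic from internal ranges."""
    hits = []
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue  # skip table headers, chain policies and COMMIT
        m = RULE_RE.match(line)
        if not m or m.group("target") not in ("DROP", "REJECT") or not m.group("src"):
            continue
        try:
            net = ipaddress.ip_network(m.group("src"), strict=False)
        except ValueError:
            continue  # e.g. a hostname rather than an address
        if net.version != 4:
            continue
        # Flag if the rule's source overlaps an internal range in either direction.
        if any(net.subnet_of(i) or i.subnet_of(net) for i in INTERNAL_NETS):
            hits.append((m.group("chain"), m.group("src"), m.group("target")))
    return hits


# Constructed sample ruleset: one legitimate rule, two rules blocking internal
# sources, and one DROP of a public address that should not be flagged.
SAMPLE_RULES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 100.100.0.0/16 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 203.0.113.7/32 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for chain, src, target in suspicious_drop_rules(SAMPLE_RULES):
        print(f"suspicious: chain={chain} source={src} target={target}")
```

On a live host, feed it the output of `iptables-save` instead of the constructed sample, and pair the check with a look at whether the instance's security agent service is still running.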
Read More: Cybercriminals Target Alibaba Cloud for Cryptomining, Malware