Palo Alto Networks' threat-intelligence team, Unit 42, has found a new cryptomining malware that can affect your network by uninstalling cloud security software.
Cloud deployments are growing, and so are the hacking groups targeting them. Rocke, a Chinese hacking group that has targeted public cloud infrastructure, developed the new coin miner. Cisco's Talos threat research unit wrote about the group in August 2018, detailing its various cryptomining malware toolkits.
According to Unit 42, this is the first time its researchers have encountered malware that specifically targets and removes cloud security software, which is alarming given that such software exists to protect the system it runs on. The newly discovered code can uninstall several agent-based products from Tencent Cloud and Alibaba Cloud, the top two cloud providers in China: Alibaba CloudMonitor, Alibaba Cloud Assistant, Tencent Host Security and Tencent Cloud Monitor.
Notably, the malware does not exploit any vulnerability in the cloud security software itself. Instead, the attack first gains full administrative (root) access to the compromised Linux server, and with that level of control the malware simply uninstalls the agents the same way a legitimate administrator of the system would.
Unit 42 first observed the malware late last year and has since been working closely with Tencent Cloud and Alibaba Cloud to address the issue.
“We didn’t detect the malware on any servers,” said Ryan Olson, VP of threat intelligence at Unit 42. But, he added, the Rocke group has successfully exploited honeypots in the past (security traps used to detect unauthorized use of IT systems). “So we believe they were probably successful [using the new malware] but we haven’t seen evidence of it.”
After learning of the threat, Tencent and Alibaba made appropriate changes to the privilege levels of their cloud products.
The discovery shows that agent-based cloud security products may not be able to stop malware targeting public cloud infrastructure once an attacker has root on the host, because an agent running on the compromised system can be removed by that same attacker. It is a clear reminder that cloud security is a shared responsibility, between the provider hosting the infrastructure and the subscribers maintaining their own systems on it.
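The two checks that follow from this, as an added illustration and not code from Unit 42, Alibaba Cloud or Tencent Cloud: on the host, watch for execution of an agent's own uninstaller by root (the malware removes the agent through its legitimate uninstall path, so that exec is the signal), and off the host, treat loss of an agent's heartbeat as an event, since an agent that has already been uninstalled cannot raise an alert itself. The agent uninstall paths, the simplified auditd-style record format and the heartbeat snapshot below are all constructed placeholders, not the products' real paths or telemetry.

```python
from datetime import datetime, timedelta

# Placeholder uninstall-script paths for the four agents named in the
# article. Real install paths differ per product; these are assumptions.
AGENT_UNINSTALLERS = {
    "/opt/cloudmonitor/uninstall.sh": "Alibaba CloudMonitor",
    "/opt/cloud-assistant/uninstall.sh": "Alibaba Cloud Assistant",
    "/opt/host-security/uninstall.sh": "Tencent Host Security",
    "/opt/cloud-monitor/uninstall.sh": "Tencent Cloud Monitor",
}

# Constructed sample of simplified auditd-style EXECVE records: a root
# shell (ppid 4121) removes two agents; the uid 1000 line is benign noise.
SAMPLE_AUDIT = """\
type=EXECVE uid=0 ppid=4121 pid=4130 exe=/bin/bash a0=bash a1=/opt/cloudmonitor/uninstall.sh
type=EXECVE uid=1000 ppid=2010 pid=2033 exe=/usr/bin/vim a0=vim a1=/etc/hosts
type=EXECVE uid=0 ppid=4121 pid=4140 exe=/bin/sh a0=sh a1=/opt/host-security/uninstall.sh
type=SYSCALL uid=0 ppid=4121 pid=4140 syscall=59 success=yes
"""


def parse_record(line):
    """Split one 'key=value key=value ...' record into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def argv_of(record):
    """Reassemble a0, a1, ... into the executed argument vector, in order."""
    keys = [k for k in record if k[:1] == "a" and k[1:].isdigit()]
    return [record[k] for k in sorted(keys, key=lambda k: int(k[1:]))]


def agent_uninstalls(audit_text):
    """Host-side check: every exec of a known agent uninstaller.

    Returns (pid, uid, agent name) tuples in log order. Because the
    malware runs the product's own uninstaller with root privileges,
    the thing to alert on is the uninstall itself, not an exploit.
    """
    hits = []
    for line in audit_text.splitlines():
        record = parse_record(line)
        if record.get("type") != "EXECVE":
            continue
        for arg in argv_of(record):
            if arg in AGENT_UNINSTALLERS:
                hits.append((int(record["pid"]), int(record["uid"]),
                             AGENT_UNINSTALLERS[arg]))
    return hits


# Constructed heartbeat snapshot as a provider's or tenant's central
# collector would hold it: last agent report time per host.
NOW = datetime(2019, 1, 17, 12, 0, 0)
MAX_GAP = timedelta(minutes=10)
SAMPLE_HEARTBEATS = {
    "web-1": NOW - timedelta(minutes=1),
    "web-2": NOW - timedelta(minutes=3),
    "db-1": NOW - timedelta(minutes=40),   # agent went quiet
}


def silent_agents(heartbeats, now, max_gap):
    """Out-of-band check: hosts whose agent has not reported within max_gap.

    An agent that root has uninstalled cannot raise an alert, so the
    collector has to treat a missing heartbeat as an event in its own right.
    """
    return sorted(host for host, last in heartbeats.items()
                  if now - last > max_gap)


if __name__ == "__main__":
    for pid, uid, agent in agent_uninstalls(SAMPLE_AUDIT):
        print(f"pid {pid} (uid {uid}) ran the uninstaller for {agent}")
    for host in silent_agents(SAMPLE_HEARTBEATS, NOW, MAX_GAP):
        print(f"{host}: agent heartbeat missing, investigate")
```

The host-side check is only as trustworthy as the host it runs on, which is the whole point of the article; that is why the heartbeat check lives on the collector side, where a root attacker on the compromised server cannot silence it.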
Cloud customers often assume they do not need to do anything because the infrastructure is not theirs, but that mindset has its own pitfalls: attacks like this one land in the gap that neither side is watching. It is a wake-up call to re-evaluate how workloads deployed in the cloud are protected, now that the security products designed for the cloud are themselves being targeted.