Threat actors are compromising Alibaba Elastic Computing Service (ECS) machines to install cryptominer malware and benefit from the available server resources. Alibaba is a Chinese computer behemoth with a global reach, with its cloud services predominantly employed in Southeast Asia.
The ECS service, in particular, is advertised as having fast memory, Intel CPUs, and low-latency operations. Even better, ECS comes with a security agent pre-installed to guard against viruses like cryptominers. According to a study by Trend Micro, one of the difficulties with Alibaba ECS is the lack of distinct privilege levels defined on each instance, with all instances giving root access by default.
This allows threat actors who get access to login credentials to connect to the target server through SSH as root without making any further effort. According to Trend Micro’s analysis, when a threat actor is compromised, he or she has the maximum level of privilege, which includes vulnerability exploitation, misconfiguration issues, weak credentials, and data leaking.
Moreover, the threat actors can use these higher rights to implement firewall rules that block incoming packets from IP ranges belonging to internal Alibaba servers, preventing the security agent from identifying suspicious activity. The threat actors can then launch scripts on the hacked device to disable the security agent.
Trend Micro has also seen scripts that scan for processes running on certain ports widely employed by malware and backdoors and then terminated to remove competing software. An auto-scaling mechanism, which allows the service to dynamically alter computer resources according to user requests, is another ECS feature abused by the actors.
This is to assist minimize service outages and glitches caused by unexpected traffic loads, but it also presents a cryptojacking possibility. Actors can scale up their Monero mining capacity and incur additional charges to the instance owner by exploiting this while running on the targeted account.
Given that billing cycles are monthly in the best-case situation, it will take the victim some time to recognize the problem and take action. Mining will create a more immediate and apparent slow-down if auto-scaling isn’t available, as the miners exploit the available CPU power.
Alibaba has been alerted of Trend Micro’s findings, but no reaction has yet been received. If you’re leveraging Alibaba’s cloud service, make sure your security settings are up to date and that you’re following industry best practices. Additionally, avoid executing programs as root, use cryptographic keys for access, and adhere to the concept of least privilege.
Because ECS’s built-in malware protection isn’t enough in this scenario, installing a second layer of malware and vulnerability detection in the cloud environment should be part of your usual security procedure.
