
Chinese Cloud Hosting Providers Targeted by Abcbot


Cybersecurity researchers have discovered a new malware botnet that has been exclusively targeting the infrastructure of Chinese cloud hosting companies in recent months. The botnet, dubbed Abcbot, has attacked servers hosted by Alibaba Cloud, Baidu, Tencent, and Huawei Cloud, Cado Security noted in research published today, confirming earlier findings from Trend Micro and Qihoo 360 Netlab.

“My theory is that the newer CSPs such as Huawei Cloud, Tencent, and Baidu are not as mature as something like AWS, which includes automatic alerting when a cloud instance is deployed in an insecure fashion,” Matt Muir of Cado Security told The Record in an email this week. 

“Alibaba Cloud certainly has been around longer so its security services are more mature, but it is noteworthy that after Trend Micro [initially] saw malware targeting Huawei Cloud, the new samples we analyzed are targeting additional Chinese cloud providers,” Muir added. 

Abcbot's attacks attempt to take control of Linux servers hosted by these providers that have weak passwords or are running unpatched software.

Once an initial foothold is obtained, Abcbot installs a Linux bash script that deactivates SELinux security safeguards, establishes a backdoor for the attacker, and then checks the compromised host for traces of other malware botnets.

If rival malware is found, Abcbot terminates processes associated with those other botnets, as well as processes associated with crypto-mining operations. It then goes a step further than other botnets by deleting the host's SSH keys and keeping only its own in place, so that only its operators retain access.
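Two of the host-level changes described above (SSH keys replaced with the attacker's own, SELinux switched off) are cheap to check for from the defender's side. The following is an added example, not Cado Security's tooling or anything from the Abcbot samples: it diffs the current `authorized_keys` against a known-good baseline and reports whether SELinux is enforcing, working entirely on captured text so it runs offline. The key material and file contents at the bottom are constructed sample data.

```python
"""Host checks for Abcbot-style tampering (added example, not Cado's code):
authorized_keys drift against a baseline, and SELinux being switched off.
All inputs are plain text captured from the host so the checks run offline."""
import re
from dataclasses import dataclass

# Key-type tokens that mark the start of the key itself in an authorized_keys line.
KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)


def parse_authorized_keys(text):
    """Return the set of (type, base64) pairs in an authorized_keys file.

    Leading options and trailing comments are ignored, so a legitimate key
    whose comment was edited still matches the baseline, and an unknown key
    is flagged regardless of what comment it carries."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok in KEY_TYPES and i + 1 < len(parts):
                keys.add((tok, parts[i + 1]))
                break
    return keys


@dataclass
class KeyAudit:
    added: set      # keys present now but not in the baseline
    removed: set    # baseline keys that have disappeared

    def suspicious(self):
        # Abcbot's pattern is "owner's keys gone, one unknown key left";
        # either change on its own already deserves an alert.
        return bool(self.added or self.removed)


def audit_authorized_keys(baseline_text, current_text):
    baseline = parse_authorized_keys(baseline_text)
    current = parse_authorized_keys(current_text)
    return KeyAudit(added=current - baseline, removed=baseline - current)


def selinux_disabled(getenforce_output, selinux_config_text):
    """True if SELinux is not enforcing at runtime (`getenforce` output)
    or is configured off for the next boot (/etc/selinux/config)."""
    runtime = getenforce_output.strip().lower()
    boot = None
    for line in selinux_config_text.splitlines():
        m = re.match(r"^\s*SELINUX\s*=\s*(\w+)", line)
        if m:
            boot = m.group(1).lower()
    return runtime != "enforcing" or boot != "enforcing"


# Constructed sample data: a baseline with two provisioned keys, and a
# current file where both are gone and a single unknown key remains.
BASELINE_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo deploy@ci
"""
CURRENT_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyXYZ
"""

if __name__ == "__main__":
    audit = audit_authorized_keys(BASELINE_KEYS, CURRENT_KEYS)
    print("authorized_keys tampered:", audit.suspicious())
    print("  added:", sorted(audit.added))
    print("  removed:", sorted(audit.removed))
    print("SELinux off:", selinux_disabled("Permissive\n", "SELINUX=enforcing\n"))
```

In practice the baseline is whatever your provisioning system last wrote (for example the keys in your cloud-init or configuration-management source), and `getenforce` plus `/etc/selinux/config` are read on the host; comparing key material rather than whole lines is what keeps the check from being fooled by a rewritten comment field.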

According to Muir, this behavior shows that other parties are employing a similar strategy, which the Abcbot developers have detected and chosen to block.

According to Muir, the Abcbot variants Cado researchers analyzed only carried functionality to corral compromised systems into the Abcbot botnet.

Earlier samples examined by Trend Micro, on the other hand, contained cryptocurrency-mining modules, and Netlab's samples contained DDoS components. Given the measures Abcbot takes to terminate crypto-mining processes it did not start, it is possible that its ultimate goal is to generate bitcoin income for the attackers. Cado and other investigators do not yet know the size of the Abcbot botnet.

“Given that the malware targets specific CSPs, this suggests that propagation is fairly limited,” Muir said. 

“The method of propagation (via enumeration of known_hosts) could mean that it has spread beyond the boundaries of the CSPs it was originally meant to target,” the Cado Security researcher added.

Alibaba Cloud Servers Hacked, Trend Micro Reports


Trend Micro reported on Monday that several hacking groups have been targeting Alibaba Cloud servers to install cryptocurrency-mining malware, an activity known as "cryptojacking".

One of the problems with Alibaba ECS, according to Trend Micro, is the absence of distinct privilege tiers configured on an instance: all instances provide root privileges by default. This allows attackers who obtain login credentials to connect to the target system via SSH as root without any preparatory privilege-escalation work.

Alibaba is a Chinese technology behemoth with an international market presence, with cloud services mainly used throughout Southeast Asia. 

The ECS service, in particular, is advertised as having fast memory, Intel CPUs, and low-latency operation. In addition, ECS ships with a security agent pre-installed to protect against malware such as crypto miners.

"The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage," explains Trend Micro's report. 

Moreover, attackers can use these administrative privileges to create firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba servers, preventing the installed security agent from detecting suspicious behavior.
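The two weaknesses described in this post, root login over SSH being permitted and host firewall rules that drop the provider's internal ranges to blind the security agent, both show up in configuration a defender can capture and inspect. The following is an added example (not Trend Micro's or Alibaba's code): it parses the effective sshd configuration from `sshd -T` and the rule dump from `iptables -S`, and reports any DROP rule whose source overlaps the ranges the agent is expected to talk from. The agent ranges are constructed placeholders from the TEST-NET blocks, not Alibaba's real addresses, and the captured outputs at the bottom are constructed samples.

```python
"""Configuration checks for the ECS weaknesses described above (added example,
not Trend Micro's or Alibaba's code): root SSH login permitted, and host
firewall rules that drop traffic from the ranges the security agent uses."""
import ipaddress
import re

# PLACEHOLDER: constructed TEST-NET ranges standing in for the provider's
# real agent/management ranges. Replace with the ranges documented by your CSP.
AGENT_SOURCE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def root_login_permitted(sshd_t_output):
    """Parse `sshd -T` (effective config, lowercase keywords).

    Only an explicit 'no' counts as safe: 'prohibit-password' and 'yes' both
    still allow root sessions, and a missing keyword means the default, which
    on current OpenSSH is prohibit-password."""
    value = None
    for line in sshd_t_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            value = parts[1].lower()
    return value != "no"


# "-A <chain> ... -s <source> ... -j DROP" as printed by `iptables -S`
IPTABLES_DROP_BY_SOURCE = re.compile(r"^-A\s+(\S+)\s.*?-s\s+(\S+).*?-j\s+DROP\b")


def parse_drop_sources(iptables_s_output):
    """Yield (chain, network) for every rule that drops by positive source match."""
    for line in iptables_s_output.splitlines():
        line = line.strip()
        if "! -s" in line:
            # negated source ("drop everything except") is a different policy
            continue
        m = IPTABLES_DROP_BY_SOURCE.match(line)
        if not m:
            continue
        try:
            yield m.group(1), ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            continue  # not an IP/CIDR (e.g. an ipset name); out of scope here


def rules_blocking_agent(iptables_s_output, agent_ranges=AGENT_SOURCE_RANGES):
    """Return [(chain, source)] for DROP rules overlapping any agent range."""
    hits = []
    for chain, net in parse_drop_sources(iptables_s_output):
        if any(net.overlaps(r) for r in agent_ranges):
            hits.append((chain, str(net)))
    return hits


# Constructed sample captures.
SSHD_T_OUTPUT = """\
port 22
permitrootlogin yes
passwordauthentication yes
"""
IPTABLES_S_OUTPUT = """\
-P INPUT ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    print("root login permitted:", root_login_permitted(SSHD_T_OUTPUT))
    print("DROP rules covering agent ranges:", rules_blocking_agent(IPTABLES_S_OUTPUT))
```

Running both checks from outside the instance (for example from a configuration-audit job that pulls `sshd -T` and `iptables -S` over a separate management channel) matters here, because an attacker with root can also edit whatever runs locally; the overlap test rather than exact-match test is what catches a rule written as a wider supernet of the agent range.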

Given how easily kernel-module rootkits and cryptojacking malware can be planted with such elevated privileges, it is not surprising that numerous threat actors compete to take over Alibaba Cloud ECS instances.

Trend Micro has also observed scripts that look for processes on specific ports commonly used by malware and backdoors and kill them to eliminate competing malware. Another ECS feature abused by the threat actors is auto-scaling, which lets the service automatically adjust computing resources according to the volume of user requests.

Auto-scaling is meant to prevent service disruptions caused by unexpected traffic loads, but it also presents an opportunity for cryptojackers: abusing it when it is enabled on the targeted account lets the actors increase their Monero mining power while the instance owner incurs the extra cost.