Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Hijacked. Show all posts

Alibaba Cloud Servers Hacked, Trend Micro Reports

 

Trend Micro announced on Monday that numerous hacking groups have been targeting Alibaba Cloud servers to install cryptocurrency mining malware known as "cryptojacking". 

One of the challenges with Alibaba ECS, as per Trend Micro, is the absence of distinct privilege tiers configured on an instance, including all instances providing root privileges by default. This allows malicious actors who obtain access to login credentials to connect to the targeted system via SSH as root without performing any preparatory (escalation of privilege) work. 

Alibaba is a Chinese technology behemoth with an international market presence, with cloud services mainly used throughout Southeast Asia. 

The ECS service, in specific, is advertised as having fast memory, Intel CPUs, and favorable low-latency operations. Perhaps better, ECS comes with a security agent pre-installed to safeguard against malware such as crypto miners. 

"The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials, or data leakage," explains Trend Micro's report. 

Moreover, the cyber attackers can use these administrative privileges to generate firewall rules that drop incoming packets from IP ranges about internal Alibaba servers, preventing the installed security agent from sensing suspicious behavior. 

Owing to the ease with which kernel module rootkits and cryptojacking malware can be planted considering the elevated privileges, it is not surprising that numerous threat actors compete to take over Alibaba Cloud ECS instances. 

Trend Micro has also noticed scripts that search for processes running on specific ports frequently used by malware and backdoors and terminate the associated processes to eliminate competing malware. An auto-scaling system, which allows the service to automatically adjust computing resources depending on the volume of user queries, is yet another ECS feature used by the threat actors. 

This is to prevent future service disruptions and niggles caused by unexpected traffic loads, but it also provides an opportunity for cryptojackers. Abusing this while it is involved on the targeted account allows the actors to increase their Monero mining power while incurring extra costs to the instance owner.

CopperStealer Malware Steals Social Media Credentials

 

Researchers discovered a certain malware that was so far unidentified which silently hijacked Facebook, Apple, Amazon, Google, and other web giants' online accounts and then used them for nefarious activities. 

Cybercriminals have launched a new campaign to rob Facebook login credentials from Chrome, Edge, Yandex, Opera, and Firefox using malware 'CopperStealer.' 

The threat actors have used unauthorized access to Facebook and Instagram business accounts to run nefarious commercials and provide further malware in subsequent malware advertising campaigns as per the blog post published by the researchers at cyber safety company Proofpoint. In late January, researchers were first notified of the malware sample. The first samples found dated back from July 2019. 

Furthermore, CopperStealer versions targeting other major service providers such as Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter have been discovered in the proven analytic evaluation. The malware aims to steal login credentials for some of the most famous internet services from large technological platforms and service providers. 

Researchers suspect that CopperStealer is a family that has originally been undocumented in the same malware class as SilentFade and StressPaint. Facebook attributed the invention of SilentFade to ILikeAD Media International Ltd, a Hong Kong-based company, and reported over $4 million in damages during the 2020 virus bulletin conference. 

Researchers found dubious websites, which include keygenninja[.]com, piratewares[.]com, startcrack[.]com and crackheap[.]net, that was advertised as 'KeyGen' or 'Crack' sites, which included samples from several families of malware, including CopperStealer. 

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software. However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers. 

Malware also helps to find and send the saved passwords on one’s browser and uses stored cookies in order to extract a Facebook User Access Token. Once the User Access token has been collected, the malware will request multiple Facebook and Instagram API endpoints to gain additional contexts including the list of friends, any user's pay-out, and research listing the user's pages. "CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks," says Sherrod DeGrippo, senior director of threat research at Proofpoint. "These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers."