Rocke, a Chinese hacking group that has previously targeted public cloud infrastructure, developed the new coin miner. Cisco’s Talos threat research unit first wrote about Rocke in August 2018 and detailed the group’s wide-ranging cryptomining malware toolkit.
Unit 42 researchers say this is the first time they’ve seen malware that can target and remove cloud security software. The new code can uninstall several different agent-based products by Tencent Cloud and Alibaba Cloud, the top two cloud providers in China. The products include Alibaba Threat Detection Service, Alibaba CloudMonitor, Alibaba Cloud Assistant, Tencent Host Security, and Tencent Cloud Monitor.
The malware doesn’t exploit a vulnerability in the cloud security software. Instead, the attackers first gain full administrative (root) control over the compromised Linux servers and then use that control to uninstall the agents, exactly as a legitimate administrator would.
Unit 42 initially found the malware late last year and has since been working with Tencent Cloud and Alibaba Cloud to fix the problem. “We didn’t detect the malware on any servers,” said Ryan Olson, VP of threat intelligence at Unit 42. But, he added, the Rocke group successfully exploited honeypots in the past — these are security traps used to detect unauthorized use of IT systems. “So we believe they were probably successful [using the new malware] but we haven’t seen evidence of it.”
Both Tencent and Alibaba corrected the level of privilege in their cloud products, Olson said. “They were both very responsible. They don’t want people mining cryptocurrency in their users’ hosts, either.”
The discovery shows that agent-based cloud security products may not prevent malware targeting public cloud infrastructure, the researchers say. And it reinforces the importance of shared responsibility when it comes to cloud security.
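The practical consequence of the two points above (the attacker holds root, and the agent is just another package that root can remove) is that the agent cannot be trusted to report its own death; the signal has to come from outside the host. The script below is an added illustration of that defensive idea and is not code from the article, from Unit 42, or from either cloud provider. It assumes a hypothetical control-plane record of each agent’s last heartbeat plus a hypothetical host-side command audit format (`<timestamp> <host> uid=<n> cmd=<command>`); the agent names `secagent` and `cloudmon` and all log lines are constructed placeholders, not real product names or real data.

```python
"""Out-of-band detection of a silenced security agent (added example)."""
from datetime import datetime, timedelta

# Constructed sample (not from the article): the last heartbeat each host's
# agent sent to a control plane, as recorded by that control plane. Because
# this record lives off the host, a root attacker cannot edit it.
LAST_HEARTBEAT = {
    "web-01": datetime(2019, 1, 17, 10, 0, 0),
    "web-02": datetime(2019, 1, 17, 9, 20, 0),   # silent for 40 minutes
    "db-01": datetime(2019, 1, 17, 9, 58, 0),
}

# Point in time at which the check runs (constructed).
NOW = datetime(2019, 1, 17, 10, 0, 0)

# Constructed host-side audit records in a hypothetical format:
# "<timestamp> <host> uid=<n> cmd=<command line>". "secagent" and "cloudmon"
# are placeholder agent names, not real products.
AUDIT_LINES = [
    "2019-01-17T09:21:05Z web-02 uid=0 cmd=systemctl stop secagent",
    "2019-01-17T09:21:09Z web-02 uid=0 cmd=/usr/local/secagent/uninstall.sh",
    "2019-01-17T09:30:00Z db-01 uid=1001 cmd=systemctl status cloudmon",
    "2019-01-17T09:45:12Z web-01 uid=0 cmd=apt-get install -y htop",
]

AGENT_NAMES = ("secagent", "cloudmon")          # placeholders
TAMPER_VERBS = ("stop", "disable", "kill", "uninstall", "remove", "rpm -e")


def stale_agents(heartbeats, now, max_silence=timedelta(minutes=10)):
    """Hosts whose agent has not reported to the control plane within max_silence."""
    return sorted(host for host, ts in heartbeats.items() if now - ts > max_silence)


def parse_audit_line(line):
    """Split one audit record into its fields (hypothetical format, see above)."""
    ts, host, uid_field, cmd_field = line.split(" ", 3)
    return {
        "ts": ts,
        "host": host,
        "uid": int(uid_field.split("=", 1)[1]),
        "cmd": cmd_field.split("=", 1)[1],
    }


def agent_tamper_events(lines):
    """Root-level (uid 0) commands that stop, disable or remove a known agent."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec["uid"] != 0:
            continue
        cmd = rec["cmd"].lower()
        if any(name in cmd for name in AGENT_NAMES) and any(v in cmd for v in TAMPER_VERBS):
            events.append(rec)
    return events


def correlate(heartbeats, lines, now):
    """Verdict per silent host.

    A host that is silent and also shows a root tamper command is the clearest
    case. A silent host with no such record is still flagged, because an
    attacker with root can delete or stop the host-side audit trail as well;
    the heartbeat gap is the one signal the host cannot suppress.
    """
    tampered = {e["host"] for e in agent_tamper_events(lines)}
    return {
        host: ("tamper+silent" if host in tampered else "silent")
        for host in stale_agents(heartbeats, now)
    }


if __name__ == "__main__":
    for host, verdict in correlate(LAST_HEARTBEAT, AUDIT_LINES, NOW).items():
        print(f"{host}: {verdict}")
```

The design choice worth noting is that the host-side audit match is treated as corroboration, never as the primary signal: the heartbeat gap is checked first, from data the host cannot alter, and the tamper events only upgrade the verdict. This mirrors the article’s lesson that an agent running as a removable package on the customer’s host is only as strong as whatever watches it from outside.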
“When people deploy things in a cloud service, their perspective is: ‘I don’t have to do anything from a security perspective because it’s not my infrastructure,’” Olson said. “But attacks like this one where we are seeing the malware author build in components that are specifically targeting those cloud security products should be a wake-up call.”