Malware that Mines Cryptocurrencies Removes Cloud Security Programs

Uninstalling cloud security software is a previously unseen function of new cryptomining malware strains. Researchers claim to have found a special malware family that may take control of target PCs by uninstalling cloud security software. The destructive activity has been linked to instances of coin-mining malware that targets Linux servers. The malware samples discovered by Palo Alto Networks’ Unit 42, which released the research on Thursday, did not breach, circumvent, or target the security and monitoring products in issue; instead, they simply uninstalled them from compromised Linux systems. The Unit 42 researchers Xingyu Jin and Claud Xiao concluded in a technical write-up that these attacks “did not compromise these security products; rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.”

The malware copies specifically attempted to delete software created by Tencent Cloud and Alibaba Cloud (Aliyun), two major Chinese cloud providers that are growing their operations internationally, according to researchers. These security suites provide with essential features including machine learning-based trojan identification and eradication, activity audit recording, and vulnerability management. According to Ryan Olson, vice president of threat intelligence for Unit 42, “Palo Alto Networks Unit 42 has collaborated with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure.” According to our understanding, this malware family is the first to have evolved the special capacity to target and delete cloud security products.

Attack Method

The Rocke threat organisation is aggressively utilising the new virus. Rocke was identified as a threat actor using a wide range of Git repositories to infect susceptible systems with Monero-based cryptomining malware when Cisco Talos first identified him in July 2018. According to a Unit 42 researcher, the Rocke organisation uses flaws in Adobe ColdFusion, Oracle WebLogic, and Apache Struts 2 to spread malware to victim computers. After downloading, the virus connects to a command and control server and downloads the “a7” shell script to the machine. By downloading and launching a coin miner, killing off other cryptomining processes currently operating on the system, and using the free programme “libprocesshider,” this shell script starts to carry out a variety of harmful operations. At this point, the most recent malware samples demonstrate a feature that employs a never-before-seen trick: they can remove cloud workload protection platforms, which are the agent-based security protection solutions for public cloud infrastructure. This contains the agents for Alibaba Cloud Assistant, Alibaba Cloud Monitor, and Alibaba Threat Detection Service, as well as the agents for Tencent Host Security and Tencent Cloud Monitor. Users may find documentation on the official websites of Tencent Cloud and Alibaba Cloud that explain how to uninstall their cloud security products. According to analysts, it appears that the new malware variants employed by Rocke Group adhere to these official uninstallation instructions. Threatpost’s request for comments received no responses from Tencent Cloud or Alibaba Cloud.

Threat Origins

Regarding the malware itself, Unit 42 researchers had a suspicion that the family was created by the Iron cybercrime organisation (the malware from Iron and Rocke has a similar payload and targets similar infrastructure, according to Talos researchers). The malware is also linked to the highly advanced family of Xbash malware, which Unit 42 researchers first revealed in the open in September and which wreaks havoc on Windows and Linux systems by combining data-destructive ransomware and nefarious cryptomining. But when it comes to attacking public cloud infrastructure, this sample goes a step further because it can remove security measures from computers. Researchers wrote in their analysis that the malware variant deployed by Rocke Group serves as an illustration of how an agent-based cloud security solution would not be sufficient to stop evasive malware that targets public cloud infrastructure. We think that malware that targets public cloud infrastructure will increasingly exhibit this particular evasive behaviour.

A hostile actor who has access can see and change administrative configuration settings after that, the company added.

Along with fixing CVE-2021-21982, VMware also fixed two other issues in its vRealize Operations Manager product that a hacker with network access to the API could use to launch SSRF attacks (Server Side Request Forgery) and steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying photon operating system (CVE-2021-21983).

Workload balancing, troubleshooting, and compliance management are among the aspects that the product is primarily made to support while also being monitored and optimised for the performance of the virtual infrastructure. It has been acknowledged that Egor Dimitrenko, a security researcher at Positive Technologies, first reported al The second vulnerability—CVE-2021-21983 (an arbitrary file write weakness, scored 7.2), which allows any command to be executed on the server—can be exploited by attackers with administrator privileges, Dimitrenko stated. It is considerably riskier because of the combination of two security issues because it enables an unauthorised attacker to take control of the server and move laterally through the architecture. Versions of vRealize Operations Manager 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0, and 8.3.0 have patches from VMware. In situations where the fix cannot be installed or is not available, the company has also released workarounds to reduce the risks related to the issues.

Microsoft 365 security – Home

When it comes to email security, collaboration, identity security, device security, and SaaS app security, Microsoft 365 Defender is an XDR (extended detection and response) software that offers protection, detection, and reaction. In order to provide integrated defence against complex assaults, Microsoft 365 Defender is a unified pre- and post-breach corporate defence package that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. Security experts can establish the complete breadth and impact of the threat, including how it entered the environment, what it affected, and how it is now affecting the enterprise, using the integrated Microsoft 365 Defender solution. Microsoft 365 Defender automatically intervenes to stop the attack and self-heals the compromised user IDs, mailboxes, and endpoints. The Microsoft 365 Defender’s functional components, such as email security, endpoint security, etc., can be purchased individually or in bundles like E5 security or E5. For example, Microsoft Defender for Office 365 is available for solo purchase to safeguard email.

Categories :

Cloud Security

Recent Post