Security experts have issued a warning about threat actors exploiting Alibaba Cloud (Aliyun) infrastructure to deploy cryptocurrency mining malware. This Chinese tech giant is a popular choice for infrastructure-as-a-service (IaaS) in South-East Asia, making it a prime target for financially motivated hackers, according to cybersecurity software company Trend Micro.
The report highlights that hackers are targeting several features of Alibaba’s Elastic Computing Service (ECS) instances to increase their chances of success. Although the platform ships with a security agent, some actors are able to uninstall or disable it once they have compromised an instance. Even when the security agent is active and flags a malicious script, it still falls to the customer to act on the alert. It is therefore crucial for customers to configure the product properly, since the default Alibaba ECS instance configuration grants root access.
“With the highest possible privilege upon compromise, threat actors can exploit vulnerabilities, misconfigurations, weak credentials, or data leakage. This allows for advanced payloads such as kernel module rootkits and achieving persistence through running system services,” explained the researchers at Trend Micro.
Because Alibaba ECS auto-scaling automatically adds computing resources as demand rises, cryptomining malware that drives up CPU consumption can trigger scaling and leave the customer with additional charges. Trend Micro also noted the popularity of Alibaba Cloud and other regional players such as Huawei Cloud among threat actors, with attackers even removing rival groups’ tools from compromised infrastructure.
To mitigate these risks, the security vendor recommends that customers strengthen their cloud security with third-party malware-scanning and vulnerability-detection tools, follow the principle of least privilege, and tailor security features to their specific cloud projects and workloads.
Despite reaching out to Alibaba for a response to their findings, Trend Micro had not received a reply at the time of publishing. It’s essential for Alibaba Cloud users to remain vigilant and take proactive measures to protect their infrastructure from malicious actors.