
Threat Actors Abuse Alibaba Cloud Services


Security researchers with Trend Micro have reported an observed attack on Alibaba's cloud computing services, known as Aliyun.

According to Trend Micro, attackers have been tampering with and disabling individual instances of the Chinese e-commerce giant's cloud service, abusing the compromised systems for illicit cryptocurrency mining.

The custom malware used in the attack tampers with the security software responsible for keeping the Alibaba Elastic Compute Service healthy and safe. The malware uses custom code to inject new firewall rules on the targeted system, then reconfigures the server's iptables rules to completely drop packets originating from "internal Alibaba zones and regions".

In some of the examined malware samples, the cloud security software attempts to identify the malicious script being executed, but as a result of the tampering, it fails to do that and gets shut down instead. In another sample, the malware simply triggered the uninstallation of the security agent before it could even detect the bad script and send an alert.
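The two symptoms described above (firewall rules that drop traffic from the provider's internal ranges, and a security agent that has been shut down or uninstalled) can both be checked from the host itself. The following is an added example, not code from the article or from Trend Micro: it parses `iptables-save` output for DROP/REJECT rules overlapping a list of monitoring ranges and checks a `ps -eo pid,comm` listing for the agent process. The CIDRs (RFC 5737 documentation ranges), the agent process name `cloud-security-agent`, and the sample dumps are constructed placeholders; substitute your provider's real ranges and agent name.

```python
import ipaddress
import re

# Constructed `iptables-save` dump for illustration (not from the article). The two
# DROP rules mimic the tampering described above: traffic from and to the
# provider's internal ranges is silently discarded, cutting the agent off.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 198.51.100.0/24 -j DROP
COMMIT
"""

# Placeholder CIDRs (RFC 5737 documentation ranges) standing in for the cloud
# provider's internal monitoring/management ranges (assumption; not real values).
MONITORING_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]

# Placeholder process name for the provider's host security agent (assumption).
AGENT_PROCESS_NAMES = {"cloud-security-agent"}

BLOCKING_TARGETS = {"DROP", "REJECT"}
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<body>.*?)-j (?P<target>\S+)\s*$")


def parse_rules(dump):
    """Return the -A rules from an iptables-save dump as dicts."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        src = re.search(r"(?:^|\s)-s (\S+)", body)
        dst = re.search(r"(?:^|\s)-d (\S+)", body)
        rules.append({
            "table": table,
            "chain": m.group("chain"),
            "src": src.group(1) if src else None,
            "dst": dst.group(1) if dst else None,
            "target": m.group("target"),
            "raw": line,
        })
    return rules


def _overlaps(cidr, ranges):
    """True if the rule's address (host or CIDR) overlaps any monitoring range."""
    if cidr is None:
        return False
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return any(net.version == r.version and net.overlaps(r) for r in ranges)


def find_blocking_rules(rules, monitoring_ranges=MONITORING_RANGES):
    """DROP/REJECT rules whose source or destination overlaps a monitoring range."""
    ranges = [ipaddress.ip_network(r) for r in monitoring_ranges]
    return [
        r for r in rules
        if r["target"] in BLOCKING_TARGETS
        and (_overlaps(r["src"], ranges) or _overlaps(r["dst"], ranges))
    ]


def agent_running(ps_output, names=AGENT_PROCESS_NAMES):
    """True if any process in `ps -eo pid,comm` output matches an agent name."""
    for line in ps_output.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in names:
            return True
    return False


# Constructed `ps -eo pid,comm` listings: one with the agent present, one without.
PS_WITH_AGENT = "  PID COMMAND\n    1 systemd\n  842 sshd\n 1190 cloud-security-agent\n"
PS_WITHOUT_AGENT = "  PID COMMAND\n    1 systemd\n  842 sshd\n 2231 unknown-worker\n"


def audit(iptables_dump, ps_output):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for r in find_blocking_rules(parse_rules(iptables_dump)):
        findings.append(f"{r['table']}/{r['chain']}: blocks monitoring traffic: {r['raw']}")
    if not agent_running(ps_output):
        findings.append("security agent process not found")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_IPTABLES_SAVE, PS_WITHOUT_AGENT):
        print("[!]", f)
```

On a live host, feed `audit()` the real output of `iptables-save` and `ps -eo pid,comm` (both need root for complete results). Run it from a scheduled job that reports off-host, since a compromised instance whose outbound traffic to the provider is already dropped cannot be trusted to raise its own alert.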

To make matters worse, the default configuration of an Alibaba Elastic Compute Service instance allows root access. Trend Micro explains that other cloud service providers usually do not permit direct SSH login in their default setup. With Alibaba's cloud, every user is able to set a password for the root account inside the virtual machine.

In practice this means that on other cloud platforms a bad actor would have to work considerably harder to gain elevated privileges even with valid login credentials in hand, whereas on Alibaba's cloud instances that extra step is not required.
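The root-login default discussed above is something an operator can audit and correct in `sshd_config` before an instance goes live. The following is an added example, not code from the article or from any vendor image: it computes the global values sshd would apply for `PermitRootLogin` and `PasswordAuthentication` (first occurrence wins; directives inside a `Match` block are conditional and therefore skipped), reports the permissive settings, and rewrites the file to the hardened form. The two config samples are constructed; the baseline defaults are OpenSSH's documented ones.

```python
import re

# OpenSSH's documented defaults for the two directives that matter here; used as
# the baseline when a config file does not set them.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed sshd_config samples (not taken from the article or any vendor image).
WEAK_SSHD_CONFIG = """\
# permissive defaults: root can log in directly with a password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Match User deploy
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""


def _directive(raw):
    """Split a config line into (key, value); key lowercased, comments dropped."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None, None
    parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
    if len(parts) != 2:
        return parts[0].lower(), ""
    return parts[0].lower(), parts[1].strip()


def effective_settings(config_text):
    """Global values sshd would apply: first occurrence wins, Match blocks are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        key, value = _directive(raw)
        if key is None:
            continue
        if key == "match":          # everything after the first Match is conditional
            break
        if key in settings and key not in seen:
            settings[key] = value.lower()
            seen.add(key)
    return settings


def findings(config_text):
    """Human-readable list of permissive settings; empty means the checks pass."""
    s = effective_settings(config_text)
    out = []
    if s["permitrootlogin"] == "yes":
        out.append("PermitRootLogin yes: root may log in directly with a password")
    if s["passwordauthentication"] == "yes":
        out.append("PasswordAuthentication yes: password guessing is possible")
    return out


def harden(config_text, desired=(("PermitRootLogin", "no"), ("PasswordAuthentication", "no"))):
    """Return a config with the desired global values set; Match blocks are left alone."""
    wanted = {k.lower(): f"{k} {v}" for k, v in desired}
    done, out, in_match = set(), [], False
    for raw in config_text.splitlines():
        key, _ = _directive(raw)
        if not in_match and key == "match":
            out.extend(wanted[k] for k in wanted if k not in done)  # keep them global
            done.update(wanted)
            in_match = True
        if not in_match and key in wanted:
            # first occurrence is replaced, later duplicates are commented out
            out.append(wanted[key] if key not in done else f"# {raw}")
            done.add(key)
            continue
        out.append(raw)
    out.extend(wanted[k] for k in wanted if k not in done)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in findings(WEAK_SSHD_CONFIG):
        print("[!]", f)
    print(harden(WEAK_SSHD_CONFIG))
```

`harden()` deliberately leaves `Match` blocks untouched, so a per-user exception such as the `deploy` user above survives; after writing the result to `/etc/ssh/sshd_config`, validate it with `sshd -t` before reloading the service, and make sure an SSH key for a non-root administrative account is in place first.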

Alibaba's cloud services also offer automatic scaling in response to demand. This means that a threat actor could simply push their crypto-mining malware to the limit and hog significant cloud resources, allocated automatically. Of course, this also leaves the legitimate owner of the compromised instance with a massive bill, since the extra resources, while available, become costly past a certain threshold.

The gist of Trend Micro's advice in this case is that anyone renting cloud computing services should take the time to familiarize their team with the specifics of the platform and its default configuration, and then configure it as securely as possible.
