Trend Micro reported Monday that multiple hacking groups are targeting Alibaba Cloud servers to install cryptocurrency mining—"cryptojacking"—malware.
The company said it discovered malware created specifically for Alibaba Elastic Compute Service (ECS) instances that are supposed to provide "fast memory and the latest Intel CPUs to help you to power your cloud applications and achieve faster results with low latency." Or, in this case, to mine cryptocurrency. (Primarily Monero.)
This malware reportedly uninstalled the security agent built into ECS and then created firewall rules that dropped "incoming packets from IP ranges belonging to internal Alibaba zones and regions." The service's default configuration provides root access to the instance, too, and it seems like some users didn't address that flaw.
Trend Micro explained:
"In this situation, the threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed. Given this feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS."
Trend Micro said that cryptojackers would also target Alibaba because ECS automatically scales based on the amount of resources a given customer uses. Mining cryptocurrency would lead to the ECS customer using more compute power, which means they'd end up paying more because they were compromised.
Alibaba isn't the only cloud service provider (CSP) being targeted by hackers—Trend Micro said it "found these samples sharing common traits, functions, and functionalities with other campaigns that also target CSPs in Asia such as Huawei Cloud." It seems even cryptojackers are moving their infrastructure to the cloud.
"We have reached out to the Alibaba Cloud Team through their listed contact information prior to the publication of this blog," Trend Micro said, "and we are waiting for their response with regard to this concern." So far it seems there hasn't been one. Alibaba customers can learn more via Trend Micro's report.