Rocke cryptocurrency miner disables cloud security products

News by Rene Millman

The Rocke hacking group is disabling Alibaba and Tencent security software on cloud servers to install cryptocurrency miners on unpatched Linux servers.

Security researchers have discovered malware that can disable cloud security products.

According to a blog post published by researchers at Palo Alto Networks, the malware is in use by a hacking group known as ‘Rocke’. The hackers usually mine cryptocurrency and it is thought that the malware disables cloud protection in order to carry out mining operations in the cloud.

The researchers said that the malware adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers.

"In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would," said researchers.

The blog post stated that the products disabled by the malware were developed by two Chinese cloud computing providers that are expanding internationally: Tencent Cloud and Alibaba Cloud.

The malware exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion. Researchers said that by exploiting Oracle WebLogic vulnerability CVE-2017-10271, it downloads a backdoor on the system and uses it to download cryptocurrency mining malware. As well as running a miner, the malware also disables any other coinminer.

Researchers said that the malware was unique in its ability to target and remove cloud security products. The malware is created to not exhibit any suspicious behaviour when first installed as it follows the uninstallation procedure provided by Alibaba Cloud and Tencent Cloud as well as some random blog posts on the Internet.

The uninstall function removes the Alibaba Threat Detection Service agent, Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity), Alibaba Cloud Assistant agent (tool for automatically managing instances), Tencent Host Security agent and Tencent Cloud Monitor agent.

"After agent-based cloud security and monitor products are uninstalled, the malware used by the Rocke group begins to exhibit malicious behaviors. We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure," said researchers.

Researchers said that they have been cooperating with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure.

They added that public cloud infrastructure is one of the main targets for this cyber-crime group.

"Realizing the existing cloud monitor and security products may detect the possible malware intrusion, malware authors continue to create new evasion technologies to avoid being detected by cloud security product," the researchers said. They added that agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure.

Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that cloud security tools often seem to be a box-ticking exercise for organisations to demonstrate compliance, but their effectiveness can be questionable.

"Most cloud endpoint security products have no protection against tampering or uninstallation. Conversely, mature EDR and EPP products usually invest significant efforts in tampering countermeasures. For example, password-protected uninstallation – an attacker would have to know the password to uninstall the security product. We expect native cloud security products to mature and adopt these sorts of countermeasures in the near future," he said.

Paul Ducklin, senior technologist at Sophos, told SC that the moral of the story in "this case seems to be obvious: patch early, patch often!"

"If a crook can break into your Linux server using a vulnerability that was patched back in 2017, and then promote himself to be a sysadmin and take over your system completely – including configuring your security software – then you have needlessly turned yourself into low-hanging fruit," he said.

"Worse still, vulnerabilities in internet-facing components such as your web server or content management system can usually be ‘sniffed out’ remotely and automatically, and vulnerability search engines such as Shodan and Censys can help anyone find hackable systems easily. Get the basics right first, and then worry about the details!" he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews