Attackers are disabling security features on Alibaba Cloud ECS instances to run Monero cryptojacking malware, according to Trend Micro researchers.
Cybercriminals are targeting Alibaba Elastic Compute Service (ECS) instances, disabling certain security features to further their cryptomining goals. Alibaba offers a few options that are unusual among cloud providers and that make it a highly attractive target for attackers, the researchers noted.
According to research from Trend Micro, the Chinese giant’s cloud (also known as Aliyun) ships ECS instances with a preinstalled security agent. Disabling security tooling is not a new tactic, but in this case the attackers use a small piece of code in the cryptomining malware to add new firewall rules that drop incoming packets from IP ranges belonging to Alibaba’s internal zones and regions, which is how the agent ends up disabled.
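One way a defender can look for this kind of tampering is to audit the host firewall for DROP rules aimed at cloud-internal address space. The script below is an added example, not code from the original article or from Trend Micro; it parses the output of `iptables -S` and flags INPUT rules that drop traffic from watched prefixes. The watched prefixes (RFC 6598 shared space and RFC 1918 10/8, which cloud providers commonly use for internal services) and the sample rule listing are assumptions constructed for illustration, not the ranges named in the report.

```python
"""Audit `iptables -S` output for DROP rules that cut a host off from cloud-internal ranges.

Added example: the prefixes and sample rules are constructed assumptions for
illustration, not the Alibaba ranges referenced in Trend Micro's research.
"""
import ipaddress
import shlex

# Hypothetical prefixes a cloud-internal security agent might need to reach.
WATCHED_PREFIXES = [
    ipaddress.ip_network("100.64.0.0/10"),  # RFC 6598 shared space, often used for cloud-internal services
    ipaddress.ip_network("10.0.0.0/8"),     # RFC 1918, typical VPC-internal range
]

# Constructed sample of `iptables -S` output: two rules that block watched space,
# one negated rule, one rule against unrelated space, and a normal allow rule.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 100.64.5.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8000 -j DROP
-A INPUT ! -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -s 10.1.2.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
"""


def parse_rule(line):
    """Turn one iptables rule-spec line into chain, source network, negation flag and target."""
    tokens = shlex.split(line)
    rule = {"chain": None, "source": None, "negated": False, "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I") and i + 1 < len(tokens):
            rule["chain"] = tokens[i + 1]
            i += 2
            continue
        if tok == "!" and i + 1 < len(tokens) and tokens[i + 1] == "-s":
            rule["negated"] = True  # "! -s X" matches everything except X
            i += 1
            continue
        if tok in ("-s", "--source") and i + 1 < len(tokens):
            try:
                rule["source"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            except ValueError:
                rule["source"] = None
            i += 2
            continue
        if tok in ("-j", "--jump") and i + 1 < len(tokens):
            rule["target"] = tokens[i + 1]
            i += 2
            continue
        i += 1
    return rule


def find_agent_blocking_rules(iptables_output, watched=WATCHED_PREFIXES):
    """Return (rule_line, matched_prefix) for INPUT DROP/REJECT rules whose source overlaps a watched prefix."""
    findings = []
    for line in iptables_output.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue  # skip policy (-P) and chain-creation (-N) lines
        rule = parse_rule(line)
        if rule["chain"] != "INPUT" or rule["target"] not in ("DROP", "REJECT"):
            continue
        if rule["source"] is None or rule["negated"]:
            continue  # no source match, or a negated match that does not block the watched space
        for prefix in watched:
            if rule["source"].version == prefix.version and rule["source"].overlaps(prefix):
                findings.append((line, str(prefix)))
                break
    return findings


if __name__ == "__main__":
    # On a live host: import subprocess and pass subprocess.check_output(["iptables", "-S"], text=True)
    for rule_line, prefix in find_agent_blocking_rules(SAMPLE_IPTABLES_S):
        print(f"suspicious: {rule_line}  (blocks watched prefix {prefix})")
```

Run against the constructed sample, the check reports the two rules that drop traffic from watched space and ignores the negated rule, the rule against unrelated space and the ACCEPT rule; on a real host the same function can be fed the output of `iptables -S` (and `ip6tables -S`, or `nft list ruleset` with a different parser) from a scheduled job so that a newly inserted DROP rule raises an alert rather than silently isolating the agent.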
Typically, when cryptojacking malware is installed on an Alibaba ECS instance, the security agent sends the user a notification that a malicious script is running. In this case, despite detection, “the security agent fails to clean the running compromise and gets disabled,” according to Trend Micro’s analysis, posted Monday. “Looking at another malware sample shows that the security agent was also uninstalled before