Cybersecurity firm Palo Alto Networks' Unit 42 threat intelligence team has identified new Linux malware samples that illegally mine Monero cryptocurrency on instances in Chinese public clouds:
“Palo Alto Networks recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family was suspected to be developed by the Iron cybercrime group and it’s also associated with the Xbash malware we reported on in September of 2018.”
According to Talos Intelligence, “the threat actor Rocke” is a Chinese-speaking purveyor of malware responsible for “leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems…”
In its latest campaign, Rocke has been targeting the public clouds operated by Alibaba and Tencent: Alibaba Cloud (Aliyun) and Tencent Cloud.
According to Palo Alto:
“To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products. This also highlights a new challenge for products in the Cloud Workload Protection Platforms market defined by Gartner.”
The attack uninstalls the providers' host-based security and monitoring agents so that Monero mining malware can run on the instance's CPU without being detected.
Mined proceeds are sent to the attacker(s), while the compute, and ultimately the electricity, is paid for by the victims: the tenants whose instances were compromised and, behind them, Alibaba and Tencent, “the two leading cloud providers in China that are expanding their business globally.”
Monero is the coin favoured by cryptomining malware for two reasons. Its proof-of-work algorithm is designed to be mined efficiently on ordinary CPUs, so a hijacked server or cloud instance with no GPU still earns something, and it is the most liquid and best-regarded of the “privacy coins”.
Unlike Bitcoin, whose public ledger exposes every address and amount, Monero hides sender, recipient and amount on-chain (ring signatures, stealth addresses and confidential transactions), which makes the proceeds hard to trace.
Numerous public systems, including the Wi-Fi at a Starbucks, have been hijacked to secretly mine Monero in visitors' browsers on behalf of attackers.
Cloud instances are attractive targets because a single compromised account or host gives access to large pools of computing power, and more computing power means more mining profit.
Palo Alto says Rocke's first move in the cloud attacks is to “gain full administrative control over the hosts and then abuse that full administrative control to uninstall…(security) products in the same way a legitimate administrator would.”
Palo Alto Networks Unit 42 is now working with Tencent Cloud and Alibaba Cloud “to address the malware evasion problem and its C2 infrastructure.”
The attackers have also “continued developing more effective methods to evade detection by killing more agent-based cloud security services.”
Rocke's removal of cloud defences is comprehensive; Unit 42 reports that the malware's uninstall routine covers both providers' agents:
“This function can uninstall:
- Alibaba Threat Detection Service agent.
- Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity).
- Alibaba Cloud Assistant agent (tool for automatically managing instances).
- Tencent Host Security agent.
- Tencent Cloud Monitor agent.”
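As an added example (not code from Unit 42, Alibaba or Tencent), the following Python shows the two checks a defender would want against the behaviour described above: an on-host scan of process-execution logs for root-run commands that uninstall or stop the agents in the list, and an out-of-band heartbeat check from the control plane, because an agent that has been uninstalled cannot report its own removal. The log line format, the install-directory keywords (aegis, cloudmonitor, aliyun_assist, yunjing, barad) and the paths in the sample lines are assumptions made for this example, not values taken from the report.

```python
"""Detecting removal of cloud security agents.

Added example, not Unit 42's code and not any cloud provider's tooling.

1. On-host: scan a process-execution log (auditd / execsnoop style) for
   commands that uninstall or stop a known provider agent. Because the
   malware's routine removes BOTH Alibaba's and Tencent's agents, commands
   touching more than one provider's agent on a single host are a signal
   that a legitimate administrator (who uses one provider) would not produce.
2. Out-of-band: from the control plane, flag hosts whose agent heartbeat
   has gone silent, since an uninstalled agent cannot report its own removal.

ASSUMPTION: the keywords, paths and log format below are illustrative;
substitute the real install paths documented by each provider.
"""
import re
import time

# ASSUMPTION: substrings that identify each agent in a command line.
# Agent names are the five from the Unit 42 list; keywords are illustrative.
AGENT_KEYWORDS = {
    "aegis": ("Alibaba", "Alibaba Threat Detection Service agent"),
    "cloudmonitor": ("Alibaba", "Alibaba CloudMonitor agent"),
    "aliyun_assist": ("Alibaba", "Alibaba Cloud Assistant agent"),
    "yunjing": ("Tencent", "Tencent Host Security agent"),
    "barad": ("Tencent", "Tencent Cloud Monitor agent"),
}

UNINSTALL_RE = re.compile(r"uninst|remove|rpm\s+-e|apt(-get)?\s+(remove|purge)", re.I)
STOP_RE = re.compile(r"systemctl\s+(stop|disable)|service\s+\S+\s+stop|p?kill(all)?\s", re.I)

# ASSUMPTION: one execution event per line,
# "<timestamp> uid=<uid> comm=<process> cmd=<full command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+comm=(?P<comm>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_exec_log(lines):
    """Parse log lines into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["uid"] = int(ev["uid"])
            events.append(ev)
    return events


def find_agent_tampering(lines):
    """Return one alert per command that uninstalls or stops a known agent."""
    alerts = []
    for ev in parse_exec_log(lines):
        cmd = ev["cmd"].lower()
        for keyword, (provider, agent) in AGENT_KEYWORDS.items():
            if keyword not in cmd:
                continue
            if UNINSTALL_RE.search(cmd):
                action = "uninstall"
            elif STOP_RE.search(cmd):
                action = "stop"
            else:
                continue  # e.g. "ls /usr/local/aegis" is not tampering
            alerts.append({"ts": ev["ts"], "uid": ev["uid"], "provider": provider,
                           "agent": agent, "action": action, "cmd": ev["cmd"]})
            break  # one alert per command even if several keywords match
    return alerts


def providers_touched(alerts):
    """Set of providers whose agents were uninstalled or stopped."""
    return {a["provider"] for a in alerts}


def cross_provider_tampering(alerts):
    """True when agents of more than one provider were removed on one host."""
    return len(providers_touched(alerts)) > 1


def stale_agents(last_seen, now, max_silence=600):
    """Control-plane check: hosts whose agent has not reported within
    max_silence seconds. last_seen maps host id -> epoch seconds of the
    last heartbeat received by the provider's backend, not by the host."""
    return sorted(host for host, ts in last_seen.items() if now - ts > max_silence)


# Constructed sample data (not real captures); paths are illustrative only.
SAMPLE_LOG = [
    "2019-01-17T10:00:01Z uid=0 comm=sh cmd=/usr/local/aegis/uninstall.sh",
    "2019-01-17T10:00:02Z uid=0 comm=sh cmd=/usr/local/qcloud/YunJing/uninst.sh",
    "2019-01-17T10:00:03Z uid=0 comm=sh cmd=/usr/local/qcloud/monitor/barad/admin/uninstall.sh",
    "2019-01-17T10:00:05Z uid=1000 comm=bash cmd=ls -la /usr/local/aegis",
    "2019-01-17T10:00:09Z uid=0 comm=sh cmd=systemctl stop cloudmonitor",
    "2019-01-17T10:00:10Z uid=0 comm=sh cmd=wget -q -O /tmp/x http://127.0.0.1/x",
]

if __name__ == "__main__":
    found = find_agent_tampering(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} uid={a['uid']} {a['action']:9} {a['agent']}: {a['cmd']}")
    if cross_provider_tampering(found):
        print("HIGH: agents of", sorted(providers_touched(found)), "removed on one host")
    now = time.time()
    heartbeats = {"host-a": now - 120, "host-b": now - 1500}  # constructed
    print("silent agents:", stale_agents(heartbeats, now))
```

The on-host alert is deliberately noisy about uninstalls done as root, because the malware performs them exactly as an administrator would; what separates the two is context (commands referencing both providers' agents on one host, a parent process such as a cron-dropped script) and confirmation from the provider's side, where a stale heartbeat is visible even after every agent on the host is gone.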
Palo Alto expects this kind of agent-evading cloud cryptomining to become common:
“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure.”
Rocke's attacks suggest that agent-based cloud security on its own is not sufficient:
“The variant of the malware used by the Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure.”