Alibaba Elastic Compute Service exploited by a Cryptomining Malware

December 23, 2021

Recently, malicious threat actors were observed infiltrating Alibaba Elastic Compute Service (ECS) instances to install crypto-miner malware and to hijack server resources for their own benefit. Alibaba's Elastic Compute Service is marketed for its fast memory, Intel CPUs, and low-latency operations. ECS ships with a built-in security agent that is intended to protect instances against malware such as crypto miners.

According to a report released by a cybersecurity firm, one of the problems with Alibaba ECS is the absence of multiple privilege levels on an instance: every instance grants root access by default. This lack of privilege separation lets threat actors who obtain login credentials log in to the target server over SSH as root, without any preparatory work.

Moreover, these elevated privileges let the attacker create firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba servers, which prevents the installed security agent from detecting any hostile activity. With such a rule in place, the threat actors then run scripts that stop the security agent on the infected instance.

The cybersecurity firm has also seen scripts that look for processes listening on ports commonly used by backdoors and malware, and kill those processes to remove competing malware. Another ECS feature abused by the attackers is auto-scaling, which lets the service adjust computing resources automatically in response to demand. It exists to avoid service interruptions caused by unexpected traffic loads, but it also gives crypto miners the opportunity to scale up the resources they hijack.
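The two evasion steps above, a firewall rule that blinds the security agent and the agent process being stopped, are both visible from the host itself. The following audit script is an added example, not code from the article or from Alibaba: it parses `iptables-save` output and flags inbound DROP/REJECT rules whose source overlaps a provider-internal range, and checks `ps` output for the agent process. The internal ranges, the agent process name, and the sample `iptables-save` and `ps` output are all constructed placeholders; replace them with the values from your provider's documentation.

```python
"""Host audit for the agent-blinding steps described above.
Added example (not from the article or from Alibaba). The provider ranges,
the agent process name and the sample command output are constructed."""
import ipaddress
import re

# Placeholder: internal ranges the host security agent communicates with.
# Constructed values; replace with the ranges your provider documents.
PROVIDER_INTERNAL_RANGES = [
    ipaddress.ip_network("100.100.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Placeholder command name of the host security agent (constructed).
AGENT_PROCESS_NAME = "cloud-security-agent"

# Constructed iptables-save output: one normal rule, two that blind the agent,
# and one DROP from an unrelated public address that should not be flagged.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 100.100.30.0/24 -j DROP
-A INPUT -s 10.1.2.3/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT ! -s 10.9.9.9/32 -j DROP
-A INPUT -s 203.0.113.5/32 -j DROP
COMMIT
"""

# Constructed `ps -eo pid,comm` output in which the agent has been stopped.
SAMPLE_PS = """\
  PID COMMAND
    1 systemd
  412 sshd
  913 cron
"""

RULE_RE = re.compile(r"^-A\s+(\S+)(.*)$")


def parse_iptables_save(text):
    """Return (chain, source_network or None, target) for each '-A' rule.

    A negated source ('! -s') is treated as no source: the rule does not
    single out that range, so it is not an agent-blinding rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, rest = m.group(1), m.group(2).split()
        src, target = None, None
        for i, tok in enumerate(rest):
            if tok in ("-s", "--source") and i + 1 < len(rest):
                negated = i > 0 and rest[i - 1] == "!"
                if not negated:
                    src = ipaddress.ip_network(rest[i + 1], strict=False)
            elif tok in ("-j", "--jump") and i + 1 < len(rest):
                target = rest[i + 1]
        rules.append((chain, src, target))
    return rules


def find_agent_blinding_rules(text, internal_ranges=PROVIDER_INTERNAL_RANGES):
    """Inbound DROP/REJECT rules whose source overlaps a provider-internal range."""
    hits = []
    for chain, src, target in parse_iptables_save(text):
        if chain != "INPUT" or target not in ("DROP", "REJECT") or src is None:
            continue
        if any(src.overlaps(net) for net in internal_ranges):
            hits.append((chain, str(src), target))
    return hits


def agent_running(ps_text, name=AGENT_PROCESS_NAME):
    """True if the agent's command name appears in `ps -eo pid,comm` output."""
    for line in ps_text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == name:
            return True
    return False


def audit(iptables_text, ps_text):
    """Collect human-readable findings for both evasion indicators."""
    findings = [
        f"firewall: {chain} {target} from {src} overlaps a provider-internal range"
        for chain, src, target in find_agent_blinding_rules(iptables_text)
    ]
    if not agent_running(ps_text):
        findings.append(f"process: security agent '{AGENT_PROCESS_NAME}' is not running")
    return findings


if __name__ == "__main__":
    # On a live host, feed in `iptables-save` and `ps -eo pid,comm` output instead.
    for finding in audit(SAMPLE_IPTABLES_SAVE, SAMPLE_PS):
        print("ALERT", finding)
```

Run it periodically from a cron job or ship the findings to your SIEM; on the constructed sample it reports the two blinding rules and the missing agent, and stays silent on the legitimate rule and on the DROP from the unrelated public address.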


Alibaba ECS is another cloud service targeted by crypto hijackers, following the recent campaigns that affected Huawei Cloud and Docker.


Researchers suggest that Alibaba cloud service users ensure that their security settings are always enabled and follow best practices for securing their accounts. They also advise against running applications with root privileges and recommend using cryptographic keys for access instead. The malware protection already installed on Alibaba ECS will not suffice on its own, so an additional layer of detection against malware and vulnerabilities is advised. Researchers remind everyone that the security of a cloud environment should not be taken for granted.
