Hackers have recently targeted and hacked the Alibaba Elastic Computing Service (ECS) instances. All this is being done with the motive to install crypto-miner malware so that the threat actors can secure the available server resources for their own personal benefit.
The hacker “AgainstTheWest” on the RaidForums forum had proclaimed that they have hacked into Alibaba Cloud’s servers, and they have also stolen a large amount of source code.
After investigating the attack, the experts opined that the stolen source code was hacked, and later the hackers have sold it at a price of $5,000, and the payment was done in Bitcoin or Monero.
ECS security agent removed to install miners
Alibaba ECS servers are being hacked and are also targeted by many threat actors because they lack different privilege levels configured on an occurrence.
However, the instances that are available in the servers offer root access by default, and thus it becomes easier for the threat actors to gain access to login credentials so that they can access the target server through SSH.
Moreover, these lacks also allow the threat actors to create firewall rules that generally filter the incoming packets from IP ranges that belong to internal Alibaba servers, and doing this helps the threat actors to stop the detection by the security agent.
Alibaba Cloud Security provides a guide on how to stop the ongoing infection and malicious activities, as it is the responsibility of the user to prevent this infection from occurring.
One of the important points to note is that Alibaba ECS has an auto-scaling feature, and in this feature users and organizations can allow the service to automatically regulate the computing resources that are based on the volume of user requests.
Mitigating the impact
Here are few recommendations offered:-
- Both CSPs and users have a duty to assure that all the security configurations of workloads, projects, and environments should stay safe.
- Customize the security characteristics of cloud projects and workloads.
- Try to avoid running applications under root privilege and managing passwords for SSH.
- Always follow the principle of least privilege.
This type of crypto hijacking is quite dangerous, and that’s why the experts affirmed that it is quite necessary for the users to stay altered and keep a check on their workloads.