The push to move everything into the cloud over the past several years has generated a large number of misconfigured and exposed deployments of various software stacks. This has attracted sophisticated attacks that destroy data or abuse server resources for cryptocurrency mining.
In a new report released today, security researchers from Securonix warn of an increase in the number of multi-vector and multi-platform automated attacks against cloud infrastructure over the past few months. These often combine cryptomining, ransomware and botnet malware all in one.
"In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access," the researchers said. "In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads."
Attackers often break in by exploiting unpatched vulnerabilities or insecure configurations in services like the Redis data structure store, the Apache Hadoop big-data processing toolset or the Apache ActiveMQ messaging middleware. They also launch brute-force password guessing attacks against a large number of services including MySQL, MongoDB, Memcached, CouchDB, PostgreSQL, Oracle Database, ElasticSearch, RDP, VNC, Telnet, RSync, RLogin, FTP, LDAP and more.
One of the most commonly used malware tools observed in attacks against cloud-hosted services is the XBash worm, which first appeared in May 2018. This malware is used to infect both Windows and Linux servers and deploys additional payloads depending on which OS is running.
XBash is typically associated with a cybercriminal group known in the security industry as Iron. However, another group called Rocke is also using an XBash variant and has recently been in the news after it started disabling cloud security and monitoring agents.
In some cases, after they gain access to a database or data store, the malware will delete it and will leave behind a ransom note. This a destructive attack that only mimics ransomware, because no backup of the data is performed and the attackers are not able to help recover it if the ransom is paid.
In other incidents, attackers also install a software tool for mining cryptocurrency, Monero being their favorite. Such attacks are known as cryptojacking because attackers hijack the server resources, potentially leading to larger bills from cloud providers. "There are many common behaviors shared by the malicious threat actors we’ve been observing, including the infection vectors mentioned above, the persistence mechanisms, and some of the actions on objectives, including cryptomining payloads," the Securonix researchers said.
Attackers change command-and-control servers frequently and store lists of them on sites like Pastebin for the malware implants to download. The servers receive information about the infected servers from the malware, like IP addresses and domain names, and provide the implant with additional malicious scripts to execute or with updated lists of usernames and passwords for brute-force attacks.
On Linux, the malware creates cronjob entries for persistence in various locations such as /etc/crontab, /etc/cron.d/root, /etc/cron.d/apache or /var/spool/cron/root, while on Windows it creates malicious start-up items.
The Securonix report includes a list of indicators of compromise, including file hashes for the various malware artifacts seen so far and IP addresses for command-and-control servers. It also includes firewall rules to help block the attacks and some behavior patterns than can be used to create detection and monitoring rules.
Defending systems against multi-vector cloud attacks
Companies should implement strong password policies for all services running in their cloud instances, whether those services are used for remote management, to store data for applications or to broker messaging clients. A centralized patch management system for cloud assets is also needed, so that known critical vulnerabilities in various software components do not remain unpatched.
Some of the services that are often attacked, such as Redis, were not designed to be accessible from the internet, so they don't have strong access controls in place by default. However, following the multitude of attacks against exposed deployments over the past few years, their developers have published security recommendations that should be followed. For example, Redis' creator Salvatore Sanfilippo has a blog post with useful information on Redis security.