Reports from Trend Micro show that threat actors exploit vulnerabilities in Alibaba ECS instances to install Cryptominers malware.
This is possible because all instances provide root access, allowing threat actors to gain access to the target server without any prior SSH root work.
Once compromised, the enhanced privileges allow the threat actors to access files and also create firewall rules that prevent the installed security agent from detecting any compromises or suspicious behavior.
Threat actors also used the ECS’ auto-scaling system (enables the service to automatically adjust computing resources based on the volume of user requests).
Once compromised, the threat actor can scale up their Monero mining power, causing additional costs for the instance owner. Anyone using Alibaba’s cloud service is advised to make sure their security settings are correct and follow best practices.
For more information, read the original story in Reuters.