New Malware Uninstalls Cloud Security Products, Unit 42 Researchers Say

Security researchers at Palo Alto Networks’ Unit 42 found new cryptomining malware that can uninstall cloud security software.

Rocke, a Chinese hacking group that has previously targeted public cloud infrastructure, developed the new coin miner. Cisco’s Talos threat research unit first wrote about Rocke in August 2018, and detailed the group’s myriad cryptomining malware toolkit.

Unit 42 researchers say this is the first time they’ve seen malware that can target and remove cloud security software. The new code can uninstall several different agent-based products by Tencent Cloud and Alibaba Cloud, the top two cloud providers in China. The products include Alibaba Threat Detection Service, Alibaba CloudMonitor, Alibaba Cloud Assistant, Tencent Host Security, and Tencent Cloud Monitor.

The malware doesn’t exploit a vulnerability in the cloud security software. Instead, the attackers gain full administrative control over the compromised Linux servers and then use that control to uninstall the software as if they were a legitimate administrator.

Unit 42 initially found the malware late last year and has since been working with Tencent Cloud and Alibaba Cloud to fix the problem. “We didn’t detect the malware on any servers,” said Ryan Olson, VP of threat intelligence at Unit 42. But, he added, the Rocke group successfully exploited honeypots in the past — these are security traps used to detect unauthorized use of IT systems. “So we believe they were probably successful [using the new malware] but we haven’t seen evidence of it.”

Both Tencent and Alibaba corrected the level of privilege in their cloud products, Olson said. “They were both very responsible. They don’t want people mining cryptocurrency in their user’s hosts, either.”
