The nasty cryptoworm also installs backdoor to further pursue with nefarious purposes.
Amazon is more often than not in cybersecurity news with reports of unexposed servers on AWS being breached and whatnot. Today though, the reason is much more serious. It has been found out that a worm has been infecting the AWS cloud while simultaneously scanning the internet to identify vulnerable Docker platforms as well.
Reported by researchers from Cado Security, the malware steals AWS user credentials with the help of a simple code. Believed to be from TeamTNT, the worm then uses those credentials to install a mining tool named XMRig mining tool which helps it mine Monero cryptocurrency.
Yet, this is not all. In addition to this primary activity, it also installs a range of other tools as listed below:
- A log cleaner to remove traces of malicious activity
- A rootkit named Diamorphine
- A post-exploitation tool named punk.py that runs on SSH
- A backdoor named Tsunami
Alongside, the attackers also receive reports indicating the total systems infected & how many coins have been mined among other details.
This has brought in approximately 3 XMR/$300 according to the researchers till now but more instances are yet to been seen in order to get a true picture of the money stolen.
To conclude, as with such malware, the code for the worm was stolen from an already existing worm named Kinsing whose intended use is against Alibaba Cloud’s security tools.
This allows cybersecurity professionals to implement defense mechanisms that can filter the vast majority of worms out there since they would be re-using the same old techniques.
For the time being, all AWS users should check if any of their credentials files have been mistakenly left out in the open and immediately delete them.
For day-to-day security, monitoring your network traffic may be a wise choice as it will help you see all the connections originating from your servers and also if it involves any suspicious entities such as “mining pools”. As a parting note, for the Docker attacks, the researchers state in their blog post that:
Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.