Cryptoworm infecting AWS Cloud to mine cryptocurrency

The nasty cryptoworm also installs backdoor to further pursue with nefarious purposes.

The nasty cryptoworm also installs backdoor to further pursue with nefarious purposes.

 

Amazon is more often than not in cybersecurity news with reports of unexposed servers on AWS being breached and whatnot. Today though, the reason is much more serious. It has been found out that a worm has been infecting the AWS cloud while simultaneously scanning the internet to identify vulnerable Docker platforms as well.

See: 47% of online MongoDB databases hacked demanding ransom

Reported by researchers from Cado Security, the malware steals AWS user credentials with the help of a simple code. Believed to be from TeamTNT, the worm then uses those credentials to install a mining tool named XMRig mining tool which helps it mine Monero cryptocurrency.

Cryptoworm infecting AWS Cloud to mine cryptocurrency
Homepage of the attackers

Yet, this is not all. In addition to this primary activity, it also installs a range of other tools as listed below:

  • A log cleaner to remove traces of malicious activity
  • A rootkit named Diamorphine
  • A post-exploitation tool named punk.py that runs on SSH
  • A backdoor named Tsunami

 

Alongside, the attackers also receive reports indicating the total systems infected & how many coins have been mined among other details.

Cryptoworm infecting AWS Cloud to mine cryptocurrency

This has brought in approximately 3 XMR/$300 according to the researchers till now but more instances are yet to been seen in order to get a true picture of the money stolen.

To conclude, as with such malware, the code for the worm was stolen from an already existing worm named Kinsing whose intended use is against Alibaba Cloud’s security tools.

Cryptoworm infecting AWS Cloud to mine cryptocurrency

This allows cybersecurity professionals to implement defense mechanisms that can filter the vast majority of worms out there since they would be re-using the same old techniques.

 

For the time being, all AWS users should check if any of their credentials files have been mistakenly left out in the open and immediately delete them.

See: Hackers Compromise Tesla Cloud Server to Mine Cryptocurrency

For day-to-day security, monitoring your network traffic may be a wise choice as it will help you see all the connections originating from your servers and also if it involves any suspicious entities such as “mining pools”. As a parting note, for the Docker attacks, the researchers state in their blog post that:

Use firewall rules to limit any access to Docker APIs. We strongly recommend using a whitelisted approach for your firewall ruleset.

 

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Total
0
Shares
Related Posts