Attackers Take New Approach to Installing Cryptominers

An attacker group known as Rocke is taking a new approach to installing unauthorized cryptocurrency mining software on cloud servers: They're taking control of systems and uninstalling existing cloud security software.


Security technology on cloud servers is supposed to help block and prevent the installation of malware, but what happens when attackers figure out how to uninstall security technology as part of a hacking campaign? 

According to a report released on Jan. 17 by Palo Alto Networks' Unit 42 security research division, that's exactly what the Rocke hacker group is doing in China. Palo Alto reported that Rocke is actively exploiting servers and gaining administrative access. With the full admin access, the hackers are then uninstalling security software and, in its place, installing unauthorized cryptocurrency mining software.

Palo Alto reported that Rocke has been able to uninstall five different cloud security protection and monitoring products from cloud servers running Linux. The impacted cloud security products include Cloud Workload Protection Platform (CWPP) offerings from Tencent Cloud and Alibaba Cloud.

The Rocke group is exploiting existing, known vulnerabilities in multiple applications to gain access to the servers. Among the application vulnerabilities that Rocke has attacked are Apache Struts 2, Oracle WebLogic and Adobe ColdFusion, all of which have known flaws. Struts in particular has been an actively targeted application, and an unpatched Struts server was the core of the massive Equifax data breach that was reported in 2017. 

"In these attacks, the attackers were able to gain root-level control of the system, so no operating system/kernel vulnerabilities were needed to pull off these attacks," Ryan Olson, vice president of threat intelligence for Unit 42 at Palo Alto Networks, told eWEEK.


The fact that the Rocke attackers decided to install cryptocurrency mining software on the servers they took over is relatively arbitrary. Olson noted that with administrative access, the attackers could well take other actions by abusing that privilege.

Cryptocurrency mining makes use of the server resources in order to generate, or "mine," currency that the attackers can then use for any purpose they choose. The challenge of unauthorized cryptocurrency mining is sometimes referred to as "cryptojacking" and was a major trend among attackers in both 2017 and 2018. Palo Alto's Unit 42 has uncovered other cryptojacking campaigns in the past, including one in October 2018 that used a Flash updater as the mechanism to deploy the malware.

Root Cause

The uninstallation of the Alibaba and Tencent cloud CWPP software is not seen by Olson as being a vulnerability or flaw in the vendors' platforms.

"The malware abused the legitimate admin privileges to uninstall the applications," Olson said. "From the applications’ point of view, nothing bad happened—the key thing is that the admin privileges were abused."

It's not entirely clear at this point how many servers the Rocke group has been able to attack with its uninstalling campaign as Olson said that Palo Alto doesn't currently have that data. Palo Alto has reported the issue to Tencent Cloud and Alibaba Cloud so they can take steps to block the domains that are launching the attacks.

Defending Against Rocke

Olson has some simple advice to help organizations that are concerned about the risk of Rocke and its uninstaller campaign.

 He said that the two things organizations can do are:

  1. Ensure that operating systems and applications are fully patched  
  2. Ensure that applications are running in accordance with the principle of least privilege as much as possible.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.