Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity

    Attackers Take New Approach to Installing Cryptominers

    By
    Sean Michael Kerner
    -
    January 17, 2019
    Share
    Facebook
    Twitter
    Linkedin
      1088_UnauthorizedCryptocurrency

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Security technology on cloud servers is supposed to help block and prevent the installation of malware, but what happens when attackers figure out how to uninstall security technology as part of a hacking campaign? 

      According to a report released on Jan. 17 by Palo Alto Networks’ Unit 42 security research division, that’s exactly what the Rocke hacker group is doing in China. Palo Alto reported that Rocke is actively exploiting servers and gaining administrative access. With the full admin access, the hackers are then uninstalling security software and, in its place, installing unauthorized cryptocurrency mining software.

      Palo Alto reported that Rocke has been able to uninstall five different cloud security protection and monitoring products from cloud servers running Linux. The impacted cloud security products include Cloud Workload Protection Platform (CWPP) offerings from Tencent Cloud and Alibaba Cloud.

      The Rocke group is exploiting existing, known vulnerabilities in multiple applications to gain access to the servers. Among the application vulnerabilities that Rocke has attacked are Apache Struts 2, Oracle WebLogic and Adobe ColdFusion, all of which have known flaws. Struts in particular has been an actively targeted application, and an unpatched Struts server was the core of the massive Equifax data breach that was reported in 2017. 

      “In these attacks, the attackers were able to gain root-level control of the system, so no operating system/kernel vulnerabilities were needed to pull off these attacks,” Ryan Olson, vice president of threat intelligence for Unit 42 at Palo Alto Networks, told eWEEK.

      Cryptojacking

      The fact that the Rocke attackers decided to install cryptocurrency mining software on the servers they took over is relatively arbitrary. Olson noted that with administrative access, the attackers could well take other actions by abusing that privilege.

      Cryptocurrency mining makes use of the server resources in order to generate, or “mine,” currency that the attackers can then use for any purpose they choose. The challenge of unauthorized cryptocurrency mining is sometimes referred to as “cryptojacking” and was a major trend among attackers in both 2017 and 2018. Palo Alto’s Unit 42 has uncovered other cryptojacking campaigns in the past, including one in October 2018 that used a Flash updater as the mechanism to deploy the malware.

      Root Cause

      The uninstallation of the Alibaba and Tencent cloud CWPP software is not seen by Olson as being a vulnerability or flaw in the vendors’ platforms.

      “The malware abused the legitimate admin privileges to uninstall the applications,” Olson said. “From the applications’ point of view, nothing bad happened—the key thing is that the admin privileges were abused.”

      It’s not entirely clear at this point how many servers the Rocke group has been able to attack with its uninstalling campaign as Olson said that Palo Alto doesn’t currently have that data. Palo Alto has reported the issue to Tencent Cloud and Alibaba Cloud so they can take steps to block the domains that are launching the attacks.

      Defending Against Rocke

      Olson has some simple advice to help organizations that are concerned about the risk of Rocke and its uninstaller campaign.

       He said that the two things organizations can do are:

      1. Ensure that operating systems and applications are fully patched  
      2. Ensure that applications are running in accordance with the principle of least privilege as much as possible.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×