Linux Users Beware: Cryptojacking Malware Can Now Evade Cloud-based Security

According to a report from the security firm Palo Alto Networks, a new cryptojacking malware is capable of evading cloud-based security protections on Linux servers. The finding was disclosed on 17th January, and it increases the possibility of hackers getting their hands on users' crypto holdings.

The malware described in the report mines the Monero cryptocurrency (XMR). It is an improved version of malware used earlier by a group called “Rocke”. That earlier malware was identified by Talos, a cybersecurity company, in August of 2018.

The malware first checks whether any other crypto mining process is currently running on the system. It then sets up a firewall to make sure a different cryptojacking malware is not able to break in and act before it does.

The malware then looks for cloud security solutions that may be active on the system. Usually, these are developed by major Chinese companies such as Alibaba or Tencent, so the malware is adept at identifying solutions from these brands.

Once the identification is complete, the cloud-based security solution is usually neutralised.

Ryan Olson, Palo Alto Networks’ vice president for threat and intelligence, commented:

“This evolution indicates that attackers who are compromising hosts operating in cloud platforms are now attempting to evade security products that are specific to those platforms.”

The malware apparently exploits pre-existing weaknesses in some earlier versions of Adobe ColdFusion, Oracle WebLogic and Struts 2 to break in. This means that keeping software frequently updated may be a plausible line of defence against this cryptojacking malware.

As the report explained:

“During our analysis, we realized that these samples used by the Rocke group adopted new code to uninstall five different cloud security protection and monitoring products from compromised Linux servers. In our analysis, these attacks did not compromise these security products: rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would.”
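
Because the uninstall looks like ordinary administration, one way to spot the behaviour described above is to correlate it per host with the other two steps the article mentions (other processes being killed, firewall rules being added). The Python below is an added example, not code from the Palo Alto Networks report or from this article; the agent names, the log format, the command patterns and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical agent names: replace with the agents your cloud provider installs.
AGENTS = ("example-cloud-agent", "example-host-monitor")

# Command-line patterns per behaviour (assumptions, tune for your own hosts).
RULES = {
    "agent_removed": re.compile(
        r"\b(systemctl\s+(stop|disable)|rm\s+-rf|yum\s+(remove|erase)"
        r"|apt(-get)?\s+(remove|purge))\b.*("
        + "|".join(map(re.escape, AGENTS)) + ")"),
    "firewall_changed": re.compile(r"\biptables\s+-[AI]\b"),
    "process_killed": re.compile(r"\b(pkill|killall|kill\s+-9)\b"),
}

# Constructed sample of process-execution records: "<ISO time> <host> <command>"
SAMPLE = """\
2024-05-01T02:00:01 web1 pkill -f othertask
2024-05-01T02:00:03 web1 iptables -A INPUT -p tcp --dport 9999 -j DROP
2024-05-01T02:00:09 web1 systemctl stop example-cloud-agent
2024-05-01T02:00:10 web1 rm -rf /opt/example-cloud-agent
2024-05-01T09:30:00 db1 systemctl stop example-host-monitor
2024-05-01T11:00:00 db1 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
"""

def parse(text):
    for line in text.splitlines():
        ts, host, cmd = line.split(" ", 2)
        yield datetime.fromisoformat(ts), host, cmd

def classify(cmd):
    return {name for name, rx in RULES.items() if rx.search(cmd)}

def correlate(text, window=timedelta(minutes=10)):
    """Return {host: behaviours} for hosts where an agent removal has at
    least one other listed behaviour within `window` of it."""
    events = [(ts, h, b) for ts, h, cmd in parse(text) for b in classify(cmd)]
    alerts = {}
    for ts, host, behaviour in events:
        if behaviour != "agent_removed":
            continue  # only agent removals anchor an alert
        near = {b2 for ts2, h2, b2 in events
                if h2 == host and abs(ts2 - ts) <= window}
        if len(near) > 1:
            alerts.setdefault(host, set()).update(near)
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

In the sample, web1 is flagged because all three behaviours occur within seconds of each other, while db1 is not, since its agent stop and its firewall change are 90 minutes apart.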
