Marketing

Multi-vector attacks target cloud-hosted technologies

The push to move everything into the cloud over the past several years has generated a large number of misconfigured and exposed deployments of various software stacks. This has attracted sophisticated attacks that destroy data or abuse server resources for cryptocurrency mining.

In a new report released today, security researchers from Securonix warn of an increase in the number of multi-vector and multi-platform automated attacks against cloud infrastructure over the past few months. These often combine cryptomining, ransomware and botnet malware all in one.

“In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access,” the researchers said.  “In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads.”

Attackers often break in by exploiting unpatched vulnerabilities or insecure configurations in services like the Redis data structure store, the Apache Hadoop big-data processing toolset or the Apache ActiveMQ messaging middleware. They also launch brute-force password guessing attacks against a large number of services including MySQL, MongoDB, Memcached, CouchDB, PostgreSQL, Oracle Database, ElasticSearch, RDP, VNC, Telnet, RSync, RLogin, FTP, LDAP and more.

One of the most commonly used malware tools observed in attacks against cloud-hosted services is the XBash worm, which first appeared in May 2018. This malware is used to infect both Windows and Linux servers and deploys additional payloads depending on which OS is running.

XBash is typically associated with a cybercriminal group known in the security industry as Iron. However, another group called Rocke is also using an XBash variant and has recently been in the news after it started disabling cloud security and monitoring agents.

In some cases, after they gain access to a database or data store, the malware will delete it and will leave behind a ransom note. This a destructive attack that only mimics ransomware, because no backup of the data is performed and the attackers are not able to help recover it if the ransom is paid.