New malware strain can evade and uninstall cloud security software, researchers warn


The good news: your organisation has finally got around to installing some top-of-the-range cloud security tools. The bad news: malware has been developed that can evade detection by them.

The malware, attributed to the threat actor Rocke, was discovered by Palo Alto Networks Unit 42, whose researchers noted that it was ‘to the best of [their] knowledge the first malware family that developed the unique capability to target and remove cloud security products.’

The Rocke group was first spotted in August by Cisco’s threat intelligence group, Talos, which noted at the time that it was an actor which ‘must be followed as they continue to add new features to their malware and are actively exploring new attack vectors.’

The malware mines Monero cryptocurrency on compromised Linux machines – cryptojacking was cited by this publication in July as ‘on the way to replacing ransomware as the biggest threat for consumers and enterprises.’ It gains access by exploiting vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion.

Once a host has been compromised and a connection established, the malware establishes persistence, kills and blocks competing cryptomining software and, crucially, uninstalls agent-based cloud security products.

The cloud security products tested were both China-based: Alibaba Threat Detection Service and Tencent Cloud Host Security. The researchers fear a wider spread of this variant if steps aren’t taken now.

“Public cloud infrastructure is one of the main targets for this cybercrime group,” Unit 42 added. “Realising the existing cloud monitor and security products may detect the possible malware intrusion, malware authors continue to create new evasion technologies to avoid being detected by cloud security products.

“The variant of the malware used by the Rocke group is an example that demonstrates the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure.”
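Because the malware's distinguishing move is removing the agent itself, the detection a defender wants is one that notices the agent going missing, ideally run from a central poller rather than on the host it is meant to protect. The following is an added example, not code from the article, from Unit 42 or from either cloud vendor; the agent names, process names and service units are hypothetical placeholders, and the host snapshots are constructed sample data.

```python
"""Detect removal or stopping of agent-based cloud security tools.

Added example, not from the article or Unit 42. The agent names, process
names and service units below are hypothetical placeholders; substitute the
real ones for the endpoint agent your cloud provider deploys.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AgentSpec:
    name: str      # label used in findings
    process: str   # process name expected in the host's process list
    unit: str      # service unit expected to be installed


@dataclass
class HostSnapshot:
    processes: set = field(default_factory=set)  # names of running processes
    units: set = field(default_factory=set)      # installed service units


def audit_agents(expected, snapshot):
    """Return one (agent, state, severity) finding per agent not fully present.

    An agent whose service unit is gone has been uninstalled, which is the
    behaviour the article describes; one whose unit exists but whose process
    is absent has been stopped or killed. Both merit an alert.
    """
    findings = []
    for agent in expected:
        if agent.unit not in snapshot.units:
            findings.append((agent.name, "uninstalled", "critical"))
        elif agent.process not in snapshot.processes:
            findings.append((agent.name, "not running", "high"))
    return findings


def diff_snapshots(before, after, expected):
    """Report agents that were healthy in `before` but are not in `after`.

    A healthy-to-broken transition between two polls is a stronger signal of
    active tampering than a host that never had the agent to begin with.
    """
    before_bad = {name for name, _, _ in audit_agents(expected, before)}
    after_bad = {name: (state, sev) for name, state, sev in audit_agents(expected, after)}
    return {name: v for name, v in after_bad.items() if name not in before_bad}


# Constructed sample data (not from the page): two placeholder agents and
# snapshots of one host taken before and after a hypothetical compromise.
EXPECTED_AGENTS = [
    AgentSpec("cloud-hids (placeholder)", "cloud-hids-agent", "cloud-hids.service"),
    AgentSpec("cloud-av (placeholder)", "cloud-av-daemon", "cloud-av.service"),
]

HEALTHY = HostSnapshot(
    processes={"sshd", "nginx", "cloud-hids-agent", "cloud-av-daemon"},
    units={"sshd.service", "cloud-hids.service", "cloud-av.service"},
)

STOPPED = HostSnapshot(  # unit still installed, process killed
    processes={"sshd", "nginx", "cloud-av-daemon"},
    units={"sshd.service", "cloud-hids.service", "cloud-av.service"},
)

TAMPERED = HostSnapshot(  # unit removed as well: agent uninstalled
    processes={"sshd", "nginx", "cloud-av-daemon"},
    units={"sshd.service", "cloud-av.service"},
)

if __name__ == "__main__":
    for name, state, sev in audit_agents(EXPECTED_AGENTS, TAMPERED):
        print(f"[{sev}] {name}: {state}")
    print(diff_snapshots(HEALTHY, TAMPERED, EXPECTED_AGENTS))
```

In practice the snapshots would be populated from an inventory the host cannot tamper with (the cloud provider's agent heartbeat API or an out-of-band process listing), and a `diff_snapshots` result that is non-empty should be treated as a possible compromise rather than an operational hiccup, since the article's whole point is that the agent disappearing is the attack.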
