An advanced version of a crypto-mining malware family has recently been discovered that could pose a serious threat to Huawei Cloud and its users. This malware had previously been reported attacking Docker containers, the open-source container platform.
According to the report, this new version contains routines that bypass the creation of firewall rules. On top of that, it drops a network scanner that looks for ports relevant to the APIs of other hosts.
This new crypto-mining malware is currently active in cloud environments, and it also looks for other ecosystems that have already been affected by the attack.
Before going into the other details, let us first look at what crypto-mining is.
What is Crypto-mining:
Crypto-mining, or cryptojacking, is an online threat or malware that can hinder and even crash an organization’s digital environment. Additionally, it works while remaining completely hidden from the user.
In cryptojacking, the attacker uses the victim’s devices without their knowledge to secretly mine cryptocurrency. This leads to financial losses for the victim and disruption to business operations. Its target is cryptocurrency, that is, digital currency.
On a Linux system, this digital currency miner follows the procedure shown in the figure. It not only harms the system but also removes traces of itself at the same time.
It then replaces any users added by other threat actors with one of its own. This is one of the basic steps taken by cryptojackers targeting the cloud. Unlike other attackers, cryptojackers give their own accounts sudo privileges, which provide root access to the system.
Additionally, the attacker uses their own ssh-rsa key to make system adjustments and locks file permissions. This prevents other users from having full control of the vulnerable machine even if they gain access to it.
In addition, the actors install the Tor proxy service, which helps them avoid detection by network scanning. The binaries (linux64_shell, ff.sh, fczyo, xlinux) are packed with the UPX packer. Once the attacker has taken full control of the device, the malicious activity begins.
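An added, defender-side audit sketch (not code from the Trend Micro report or from this article) that checks a Linux host for the persistence signs described above: an extra passwordless sudo account, an SSH key not on an allow-list, a Tor proxy process, and UPX-packed binaries or the file names listed. The allow-list and all sample inputs are constructed.

```python
import re

# Component names the report lists as UPX-packed binaries dropped by the miner.
KNOWN_DROPPER_NAMES = {"linux64_shell", "ff.sh", "fczyo", "xlinux"}
UPX_MAGIC = b"UPX!"  # marker string present in UPX-packed executables
# Assumed allow-list of SSH key comments the operator recognises (constructed).
APPROVED_KEY_COMMENTS = {"ops@bastion"}

def passwordless_sudo_users(sudoers_text):
    """Non-root users granted full passwordless sudo (the persistence step above)."""
    found = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("%", "Defaults")):
            continue  # skip comments, group rules and Defaults lines
        m = re.match(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL$", line)
        if m and m.group(1) != "root":
            found.append(m.group(1))
    return found

def unrecognised_ssh_keys(authorized_keys_text):
    """Comments of key entries that are not on the allow-list."""
    hits = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("ssh-"):
            comment = parts[2] if len(parts) > 2 else ""
            if comment not in APPROVED_KEY_COMMENTS:
                hits.append(comment or "<no comment>")
    return hits

def suspicious_processes(ps_lines):
    """Process lines showing a Tor daemon or one of the known dropper names."""
    return [l for l in ps_lines
            if re.search(r"(^|/|\s)tor(\s|$)", l) or any(n in l for n in KNOWN_DROPPER_NAMES)]

def is_upx_packed(blob):
    """True when the UPX marker is present (packed, not necessarily malicious)."""
    return UPX_MAGIC in blob

def audit(sudoers_text, authorized_keys_text, ps_lines, binaries):
    """Collect findings; `binaries` maps file name -> bytes read from disk."""
    findings = [f"passwordless sudo for {u}" for u in passwordless_sudo_users(sudoers_text)]
    findings += [f"unrecognised ssh key: {k}" for k in unrecognised_ssh_keys(authorized_keys_text)]
    findings += [f"suspicious process: {p}" for p in suspicious_processes(ps_lines)]
    for name, blob in binaries.items():
        if name in KNOWN_DROPPER_NAMES or is_upx_packed(blob):
            findings.append(f"packed or known dropper binary: {name}")
    return findings

# Constructed stand-ins for /etc/sudoers, authorized_keys, `ps -eo args` and files on disk.
SAMPLE_SUDOERS = "root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\nsvcbak ALL=(ALL) NOPASSWD: ALL\n"
SAMPLE_KEYS = "ssh-rsa AAAAB3Nza...constructed ops@bastion\nssh-rsa AAAAB3Nza...constructed\n"
SAMPLE_PS = ["/usr/sbin/sshd -D", "/usr/bin/tor -f /tmp/torrc", "/tmp/xlinux"]
SAMPLE_BINS = {"ff.sh": b"#!/bin/sh\n", "svcmon": b"\x7fELF..UPX!..", "ls": b"\x7fELF..clean"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, SAMPLE_KEYS, SAMPLE_PS, SAMPLE_BINS):
        print(finding)
```

On a real host the inputs would be read from /etc/sudoers (and sudoers.d), each user's authorized_keys, the process list and the files in the usual drop locations; the allow-list is the part that must be maintained.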
Several known weaknesses were identified during the analysis of this attack. Most of them relate to weak passwords.
Some known vulnerabilities:
- Weak SSH passwords
- Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (CVE-2020-14882)
- Redis unauthorized access or weak passwords
- Unauthorized PostgreSQL access or weak password
- SQLServer weak password
- Unauthorized access to MongoDB or weak password
- Weak File Transfer Protocol (FTP) password
This shows what Huawei Cloud users could face if this coin-mining malware actually spread. All of the information described here comes from the leading data and cybersecurity solutions provider Trend Micro.
According to the firm, it has sent its report to Huawei Cloud to notify them of the crypto-mining malware. We are now waiting for Huawei to officially fix this problem.