Mar 24, 2022
As more organizations move their assets to the cloud, malware distributors are turning their attention to the cloud as well. The Orca Security Research Pod collects data on common malware threats in the cloud, and discusses how you can detect, mitigate, and avoid them.
In this blog, we will discuss the main malware types you may encounter in your cloud with examples and ways to detect and protect your cloud from them.
But first, how does malware find its way into cloud assets?
In the on-prem world, the main infection vectors are based on user related actions. For example, malicious attachments to emails, malicious links in emails, or downloads from semi-legit sites.
In the cloud world it is a little bit different, attackers look for a different kind of unsafe “user” behavior – unmaintained assets and dangerously configured accounts. The users here are the cloud owners.
The most common attack vectors in cloud rely on finding assets with easy authentication (weak or leaked passwords), exploitable vulnerabilities and risky exposure to the internet.
As published by CISA, the most used infection vectors in 2021 were stolen RDP credentials, brute force attacks, and vulnerability exploitation. The initial attack vector doesn’t have to be an internet-facing asset. Attackers may get an initial foothold and move laterally in the cloud account and deploy malware in a deeper strategic location.
The flexibility, agility, and scalability that Unix-like machines offer made them cloud native. Many PaaS solutions offered by cloud providers are running on Linux distributions by default. From our data, almost 98% of the cloud assets that Orca scans are running on Unix-like operating systems.
As you might assume, this makes any kind of Linux malware relevant to most of the cloud assets. Yet, some threats specifically seek vulnerable or available Linux machines in the cloud.
The Expansion of Malware to Linux Systems: Many organizations choose a hybrid model of using cloud. It means that an organization might have only part of its network in the cloud; the rest would be on-prem. Attackers didn’t leave the possibility to maximize their impact on such networks. That’s how many malware families have developed additional Linux capabilities to make them capable of moving laterally in hybrid cloud environments.
Now let’s see what are the most common malware types you may come across in your cloud.
Linux-based Vermilion Strike: Cobalt strike is a commercial tool used both by pen-testers and attackers. The tool is known for its varied abilities like port scanning, privilege escalation, remote access and more. Many of the most prominent malware families in 2021 use this tool’s payload called “Beacon” as a second-stage infection tool, to collect more data from the infected machine in multiple ways, exfiltrate data and even deploy ransomware. However, the problem with Cobalt Strike is that it is Windows-only software. That is where its Linux sibling comes in: Vermilion Strike. Vermilion Strike is a re-implementation of Cobalt Strike’s Beacon tool for Linux machines. This expands the capabilities of attackers to act remotely in a versatile way in a hybrid environment.
TrickBot: Although relatively silent during the past couple of months, this modular trojan is known for its major prevalence. Its main infection vector is via malicious email attachments and lateral movement in networks. Last year, TrickBot introduced a new module that can infect not only Windows machines, but also Linux machines, allowing it a better lateral movement in an hybrid environment.
Remote Access Tools have been attackers’ favorite to get more information from an infected machine. Many famous RATs like Netwire are cross-platform, but there are also designated RATs for Linux machines, for example, CronRAT, which hides in a Linux Cron job. In addition, attackers may use known open-source tools such as Pupy and n00bRAT, which are also compatible with Unix-like systems.
Mirai: One cannot mention Unix-like threats without mentioning Mirai. This botnet is the ancestor of many threats aimed at vulnerable Linux services. Since the source code of Mirai was published, many attackers have created mutations of this malware, affecting millions of assets. All Mirai-like malware start their attacks by scanning for vulnerable internet-facing machines. A vulnerable device could have exploitable weaknesses in protocols, OS, or services or just an asset with a weak/ leaked password. Most DDoS Linux malware code are mutations of Mirai, for example, SORA.
Backdoors: Attackers won’t neglect the option to deploy a backdoor on Linux systems as well. For example, the RedXOR malware disclosed last year by Intezer hid itself in a fake Linux Polkit daemon.
Ransomware in the cloud is already a daily occurrence. As published by US-Cert, a significant increase of ransomware attacks was observed in 2021 – many of these attacks targeted cloud assets.
As mentioned in the beginning of this blog, malware attacks in general don’t have to start on the internet exposed asset. In ransomware it is even more relevant as the attacker would first want to identify the crown jewels to create the most significant impact.
In the past few years a lot of big ransomware infections in cloud infrastructure became known. The biggest and most recent example would be the Colonial Pipelines articles where the fuel supply in the US was disrupted. Company data was encrypted by the ransomware “DarkSide” which is one of the strongest RaaS (ransomware as a service) available. This RaaS works using a “double extortion” method, it means that the ransom is not only paid for releasing the encrypted files in the account, but also as a ransom to the attackers to not publish exfiltrated data from the account, stolen by the attackers prior to the encryption. This ransomware gets into accounts by RDP brute-force attacks and exploiting known vulnerabilities.
Another known ransomware group, believed to be connected to DarkSide, is REvil. Until the arrest of the group’s members this past January, it was the most prolific ransomware group. This group was involved in many known attacks, such as on Apple’s supply chain, and even the extortion of American celebs like Madonna and Lady Gaga.
The relatively new dominant player in the ransomware field is LockBit, getting more and more attention after the take down of the REvil group and the code leak of Conti. This RaaS is said to have the fastest encryption in the market. Its initial access vector is through brute force attacks and socially engineered phishing messages. Last October, the operators released a new version designed to infect Linux and VMware ESXI hypervisors, capable of targeting many Linux cloud assets. The biggest victim of this ransomware so far is Accenture. In August 2021, an attacker reportedly requested 50 million USD for 6TB of data.
One of the most fundamental features of cloud is the ability to use computing resources (CPU and GPU) on demand. Of course, malicious actors found a way to abuse this. Cryptominers have become the most popular malware deployed in cloud assets. According to Google, 86% of infected assets that were analyzed by them were infected with a cryptominer.
The most common cryptocurrency to be mined in the cloud is Monero (XMR). According to VMware, 89% of the cryptocurrency attacks are related to XMRig and XMRig open source libraries. Monero is chosen for both stable currency value, easy miner deployment, very hard reverse tracing and compared to Bitcoin, this cryptocurrency doesn’t need special hardware to be mined.
Crypto miners are abusing the CPU cycles of CPU-demanding cloud components like containers and orchestrators but also regular VMs. They can be deployed manually by an attacker, who managed to get access to a relevant machine, or by a special malware.
Container malware that aims to install crypto miners are published more and more these days. For example, Kinsing is a malware with rootkit abilities that has been active for more than 2 years. The malware starts its attack by scanning for open Docker containers, Kubernetes orchestrators, and other containers. Afterwards it continues with a brute force attack. The malware is being updated regularly to get more persistence and hiding capabilities.
To find traces of this malware, you may search for changes in files named “xmrig” or “kinsing”, communication to URLs containing the name “kinsing” as well as access to system directories related to CPU.
Another example for such malware is Siloscape which targets Kubernetes clusters by exploiting vulnerable public Windows containers. The malware creates a backdoor for cryptomining, but is also capable of doing much broader actions like info-stealing.
There are many ways to implement malicious code on a database. All an attacker needs is an RDS with a security flaw such as a vulnerability or misconfiguration and an attack can be carried out immediately. Attackers scan the internet constantly for databases. When one is found, it can be a matter of hours until an attack can happen.
There are many publications around database attacks and breaches. Recently researchers found that attacks are using Cobalt Strikes’ beacon to get control over MS-SQL servers. This can allow attackers to execute all the attacks we mentioned before such as crypto mining, ransomware deployment and even data exfiltration.
APT actors didn’t miss the chance to participate in the cloud party. The strongest example we have is Team TNT, which is the first cloud-native APT group. This group speaks “Cloudish”. They are known for exploiting cloud assets and moving laterally in accounts. They do it for AWS credential collection, data exfiltration, and smart crypto miners’ deployment.
They search for the path “/.aws/credentials” and also for the metadata (169.254.169.254) of each machine they get to. If the credentials are there, then they can be stolen and used for lateral movement. You’ll find them in your cloud with crypto miners and outgoing web requests to the domain teamtnt[.]red.
Cloud assets and even entire accounts can be exposed to a malware infection. The weak spots that attackers look for in the cloud world are weak passwords or authentication and exploitable vulnerabilities in cloud assets. These could result in crypto mining that will take advantage of your CPU cycles, lead to data breaches, or even enable ransomware attacks.
To avoid malware in your cloud environment, one must follow three basic principles. The first is internet exposure, malware in the cloud is mostly coming from external attackers. Internet exposed assets are the entry point. Make sure you expose only assets that must be exposed and keep your secrets secured and away from public access. The next step is to make sure your cloud assets are properly secured and patched. Internet-facing assets are being scanned by malicious actors all the time and weak passwords or vulnerabilities will make their way in much easier. Last but not least – adhere to the principle of least privilege, making sure that every role and asset are privileged to do only what they should, which will make lateral movement harder.
The Orca Security Platform provides many capabilities to detect and identify misconfigurations, vulnerabilities, and risks in your cloud environments:
The Orca Security Research Pod will continue to provide our audience with updates as future details emerge. If you’d like to get in contact about specific security questions or learn more about the Orca Security Platform please contact us.
To better understand the current risk posture of your cloud environments, sign up for a 30-day free risk assessment.