. home.aspx



Cloud security products uninstalled by mutating malware

January 18, 2019 / Connor Jones

Unit 42, the global cyber threat intelligence arm of Palo Alto Networks, has discovered new forms of a Linux coin mining malware originally used by the Rocke group which attacks Linux servers, aka a large portion of all servers in the world.The malware which is believed to be related to the Xbash malware detected in September 2018, will infect a server and then mutate, downloading new code which allows it to assume administrative control and delete cloud services installed on them.The security products weren't compromised specifically, instead, the threat actor was able to simply remove them from the server altogether in the same way a legitimate system administrator would be able to.The samples analysed by Unit 42 targeted cloud services provided by two of China's leading cloud providers: Tencent Cloud and Alibaba Cloud (Aliyun). It's also believed by the threat intelligence team that the analysed samples are the first form of malware that can target and delete cloud servi...