5 Cloud Exploitation Incidents Alarming the Cybersecurity World

At SISA, we recognize the ever-evolving nature of cyber threats and the importance of staying ahead to safeguard your organization’s sensitive data and assets. Our dedicated team of cybersecurity experts constantly monitors various platforms, gathers intelligence, and analyzes the latest cyber threats to provide valuable insights into emerging risks that could impact organizations globally.

This monthly post provides a condensed overview of the threats encountered throughout the month, with insights into an emerging trend: cryptojacking and cloud exploitation targeting businesses.

Our team presents five emerging cryptojacking and cloud exploitation threats that you should be aware of, including a campaign targeting Docker APIs to form cryptojacking botnets that form a malicious Docker swarm, the “perfctl” malware leveraging Polkit vulnerabilities to install proxyjacking software, CeranaKeeper’s cloud exfiltration tactics targeting government entities, the Gorilla botnet exploiting Hadoop YARN for remote execution, and Ivanti CSA vulnerabilities being actively exploited in the wild. These campaigns reveal evolving tactics that pose a serious threat to critical infrastructure and business operations worldwide.

Read on to discover more…

1. Docker API Exploited for Cryptojacking Botnets

Cybersecurity researchers uncovered a new cryptojacking campaign that targets the Docker Engine API, leveraging vulnerable instances to create a malicious Docker Swarm controlled by the attackers. By scanning for unauthenticated and exposed Docker API endpoints, the attackers were able to gain access, deploy Alpine containers, and launch the XMRig cryptocurrency miner. This highlights the ongoing threat of unsecured APIs in containerized environments being used for resource hijacking, significantly affecting cloud-based services.

The attackers used sophisticated lateral movement scripts, such as kube.lateral.sh and spread_docker_local.sh, to propagate across Docker instances and Kubernetes environments. By exploiting Docker API endpoints, the malware operated stealthily, making it challenging for defenders to detect and mitigate the attack.

2. “Perfctl” Malware Targets Linux Servers for Cryptomining and Proxying

Researchers identified a stealthy malware campaign targeting Linux servers, using the “perfctl” malware to install cryptocurrency miners and proxyjacking software. The malware leverages the Polkit vulnerability (CVE-2021-4034) for privilege escalation, allowing it to install a miner named “perfcc” and a rootkit to evade detection. After exploiting Apache RocketMQ instances to deliver the malware, it relocates itself to the “/tmp” directory, deleting its original binary to avoid detection.

This campaign highlights the growing trend of attackers targeting cloud infrastructure and Linux environments, focusing on both cryptocurrency mining and proxyjacking as revenue streams. The malware further establishes persistence by leveraging known vulnerabilities, making patch management critical for cloud and server security.

3. CeranaKeeper Exploits Cloud Platforms for Data Theft 

A newly identified advanced threat actor, dubbed CeranaKeeper, has been linked to a series of data exfiltration attacks targeting government institutions across Southeast Asia. The group employed cloud infrastructure in creative ways to mask their operations, using GitHub pull request features for stealthy command-and-control communications. CeranaKeeper leveraged compromised cloud instances as update servers, delivering custom malware and gathering data covertly.

By exploiting the inherent trust in cloud-based platforms, this campaign underscores the risks associated with using public cloud services for sensitive operations without proper controls in place. The attackers showed advanced evasion techniques, making it clear that organizations need to prioritize monitoring and securing their cloud environments.

4. Gorilla Botnet Exploits Hadoop YARN for DDoS Attacks

A newly discovered botnet named Gorilla, based on Mirai’s leaked source code, has launched extensive DDoS attacks across more than 100 countries. The botnet exploits a vulnerability in Apache Hadoop YARN RPC, allowing attackers to gain remote code execution on vulnerable nodes. The botnet targets critical sectors like universities, government agencies, and financial institutions, impacting services across the U.S., Canada, Germany, and China.

The use of Apache Hadoop YARN, commonly employed in big data cloud infrastructures, as a vector for these attacks highlights the critical need for securing cloud-based big data solutions. Organizations that use cloud-hosted Hadoop environments should prioritize patching and securing exposed services to prevent similar exploits.

5. Ivanti CSA Zero-Day Vulnerabilities Actively Exploited

Ivanti issued a warning about three new zero-day vulnerabilities affecting its Cloud Service Appliance (CSA), all of which are actively being exploited in the wild. The vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) allow attackers to bypass restrictions, execute arbitrary SQL commands, and achieve remote code execution through OS command injection. Attacks leveraging these flaws have primarily been observed on customers running older CSA versions, emphasizing the need for timely patching.

This advisory serves as a reminder of the importance of keeping cloud appliances updated, as these vulnerabilities directly threaten the integrity and security of cloud environments. Organizations should be vigilant in applying security patches and monitoring administrative access to ensure that cloud services are protected against exploitation.

Key recommendations to combat cyber risks: 

• Invest in API Security and Traffic Filtering: Secure API endpoints exposed to the internet by implementing strong authentication and access controls. Filter unnecessary traffic using web application firewalls and other security measures.
• Regularly Patch Vulnerabilities: Apply patches to address known vulnerabilities, such as Polkit, Apache Hadoop YARN, and Ivanti CSA. Keeping cloud appliances and containerized environments up to date is essential.
• Implement Network Segmentation: Separate sensitive systems from other network areas to limit opportunities for lateral movement by malware.
• Utilize Runtime Protection Solutions: Deploy runtime security tools to continuously monitor container activity for unusual processes and prevent unauthorized resource consumption for cryptomining.
• Enhance Monitoring and Incident Response: Strengthen cloud logging and monitoring to detect cryptojacking or exploitation attempts. Develop a robust incident response plan to promptly address any anomalies. Implement comprehensive monitoring for cloud environments to detect unusual activity, including signs of cryptojacking or exploitation attempts on cloud-based services.