Privacy Ninja
Alibaba ECS Instances Actively Hijacked by Cryptomining Malware

Threat actors are hijacking Alibaba Elastic Computing Service (ECS) instances to install cryptominer malware and harness the available server resources for their own profit.

Alibaba is a Chinese technology giant with a global market presence, with its cloud services being used primarily in southeast Asia.

In particular, the ECS service is marketed as offering fast memory, Intel CPUs, and low-latency operations. Even better, to protect against malware such as cryptominers, ECS comes with a pre-installed security agent.

Hackers remove ECS security agent to install miners

According to a report by Trend Micro, one of the issues with Alibaba ECS is the lack of different privilege levels configured on an instance, with all instances offering root access by default.

This makes it possible for threat actors who obtain login credentials to access the target server via SSH as root, without any preparatory privilege-escalation work.

“The threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage,” explains Trend Micro’s report.

Furthermore, these elevated privileges allow the threat actors to create firewall rules that drop incoming packets from IP ranges belonging to internal Alibaba servers to prevent the installed security agent from detecting suspicious behavior.

The threat actors can then run scripts that stop the security agent on the compromised device.
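The two host-level signs described in the preceding paragraphs, a firewall rule that cuts the agent off from the provider's internal ranges and the agent process itself no longer running, can be checked from a host's own state. The following audit script is an added example, not code from the article, Trend Micro or Alibaba. It assumes placeholder values throughout: `cloud-security-agent` stands in for the agent's process name and two TEST-NET blocks stand in for the provider ranges the agent reports to, since neither is given on the page. The `iptables-save` text and the process listing are constructed so the script runs offline.

```python
"""Host audit for the agent-blinding pattern described above.

Added example, not code from the article, Trend Micro or Alibaba.
Assumptions (all placeholders, not values from the page):
  - AGENT_PROCESS_NAMES: process name(s) of the cloud security agent.
  - AGENT_BACKEND_CIDRS: address ranges the agent reports to; the real
    provider ranges are not on the page, so TEST-NET blocks stand in.
Input is `iptables-save` text plus a `ps -eo comm=` style listing, both
constructed here so the audit runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

AGENT_PROCESS_NAMES = {"cloud-security-agent"}                # placeholder
AGENT_BACKEND_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]   # placeholder

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<rest>.*)$")
OPT_RE = re.compile(r"(?:^|\s)(-s|-d|-j)\s+(\S+)")


@dataclass
class Finding:
    kind: str
    detail: str


def parse_rules(iptables_save: str) -> List[dict]:
    """Extract chain, source, destination and target from each -A line."""
    rules = []
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = dict(OPT_RE.findall(m.group("rest")))
        rules.append({"chain": m.group("chain"), "src": opts.get("-s"),
                      "dst": opts.get("-d"), "target": opts.get("-j")})
    return rules


def overlaps(cidr: Optional[str], ranges) -> bool:
    """True if the rule's address (or CIDR) touches any of the given networks."""
    if cidr is None:
        return False
    return any(ipaddress.ip_network(cidr, strict=False).overlaps(r) for r in ranges)


def audit(iptables_save: str, process_list: str) -> List[Finding]:
    backend = [ipaddress.ip_network(c) for c in AGENT_BACKEND_CIDRS]
    findings = []
    for r in parse_rules(iptables_save):
        if r["target"] not in {"DROP", "REJECT"}:
            continue
        if r["chain"] == "INPUT" and overlaps(r["src"], backend):
            findings.append(Finding("agent_blinded_inbound", f"INPUT {r['target']} from {r['src']}"))
        elif r["chain"] == "OUTPUT" and overlaps(r["dst"], backend):
            findings.append(Finding("agent_blinded_outbound", f"OUTPUT {r['target']} to {r['dst']}"))
        elif r["chain"] in {"INPUT", "OUTPUT"} and (r["src"] or r["dst"]):
            # Any other address-scoped drop on a fleet host deserves a human look.
            findings.append(Finding("review_drop_rule",
                                    f"{r['chain']} {r['target']} src={r['src']} dst={r['dst']}"))
    running = {line.strip() for line in process_list.splitlines()}
    for name in sorted(AGENT_PROCESS_NAMES - running):
        findings.append(Finding("agent_not_running", name))
    return findings


# Constructed sample in iptables-save format: two drops aimed at the agent's
# placeholder ranges, one unrelated address-scoped drop, one normal SSH accept.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
COMMIT
"""
SAMPLE_PROCESSES = "systemd\nsshd\nkworker/0:1\n"   # constructed; agent absent

if __name__ == "__main__":
    for f in audit(SAMPLE_IPTABLES, SAMPLE_PROCESSES):
        print(f"{f.kind}: {f.detail}")
```

Run against live data with `iptables-save` and `ps -eo comm=` piped in; the point of the `review_drop_rule` class is that on a managed cloud host almost no address-scoped DROP should exist at all, so the reviewer's list stays short.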

[Figure: Disabling the security agent on ECS. Source: Trend Micro]

Given how easy it is to plant kernel module rootkits and cryptojacking malware due to the elevated privileges, it is no surprise that multiple threat actors compete to take over Alibaba Cloud ECS instances.

Trend Micro has also observed scripts looking for processes running on specific ports commonly used by malware and backdoors and terminating the associated processes to remove competing malware.

[Figure: Cryptojacking malware tuning an ECS instance and terminating processes. Source: Trend Micro]

Another ECS feature exploited by the actors is an auto-scaling system that enables the service to automatically adjust computing resources based on the volume of user requests.

This is to help prevent service interruptions and hiccups from sudden traffic burdens, but it’s an opportunity for cryptojackers.

By abusing this feature when it is active on the targeted account, the actors can scale up their Monero mining power and push the additional costs onto the instance owner.

Considering that the billing cycles are monthly in the best-case scenario, it would take the victim some time to realize the problem and take action.

When auto-scaling isn’t available, mining will cause a more immediate and noticeable slow-down effect as the miners utilize the available CPU power.
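The auto-scaling abuse just described leaves a measurable trace: CPU utilisation pinned near 100% for a long stretch while request volume stays flat, and capacity being added that the request volume does not explain. The script below is an added example, not from the article or Trend Micro, that flags both signs from per-interval monitoring samples. It assumes three constructed series for one scaling group (CPU %, request rate, instance count) of the kind a cloud monitoring API exports; the thresholds are illustrative.

```python
"""Spot the auto-scaling-abuse pattern described above from monitoring samples.

Added example, not from the article or Trend Micro. It assumes three
constructed per-interval series for one scaling group, of the kind a cloud
monitoring API exports: CPU utilisation (%), request rate (req/s) and the
running instance count. Legitimate scale-out follows request volume; a miner
pins CPU and triggers scale-out while request volume stays flat.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Alert:
    kind: str
    index: int
    detail: str


def sustained_high_cpu(cpu_pct: List[float], threshold: float = 90.0,
                       min_samples: int = 6) -> List[Tuple[int, int]]:
    """Index ranges where CPU stays at/above threshold for >= min_samples in a row."""
    ranges, run_start = [], None
    for i, v in enumerate(cpu_pct + [0.0]):      # sentinel closes a trailing run
        if v >= threshold:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start >= min_samples:
                ranges.append((run_start, i - 1))
            run_start = None
    return ranges


def unexplained_scale_outs(instances: List[int], req_rate: List[float],
                           baseline_len: int = 6, tolerance: float = 1.2) -> List[int]:
    """Indices where capacity grew although request rate stayed near baseline."""
    baseline = sum(req_rate[:baseline_len]) / baseline_len
    return [i for i in range(1, len(instances))
            if instances[i] > instances[i - 1] and req_rate[i] <= tolerance * baseline]


def extra_instance_intervals(instances: List[int]) -> int:
    """Instance-intervals above the starting size: the cost the owner absorbs."""
    return sum(max(0, n - instances[0]) for n in instances)


def analyse(cpu_pct: List[float], req_rate: List[float], instances: List[int]) -> List[Alert]:
    alerts = [Alert("sustained_high_cpu", s, f"samples {s}-{e} at/above threshold")
              for s, e in sustained_high_cpu(cpu_pct)]
    alerts += [Alert("unexplained_scale_out", i,
                     f"{instances[i - 1]} -> {instances[i]} instances at {req_rate[i]} req/s")
               for i in unexplained_scale_outs(instances, req_rate)]
    return alerts


# Constructed 5-minute samples: quiet baseline, then a miner pins the CPU
# and auto-scaling adds instances while the request rate never moves.
CPU = [20, 25, 22, 30, 28, 26, 95, 97, 98, 99, 96, 97, 98, 99, 97, 96, 95, 98]
REQ = [100, 110, 105, 120, 115, 110, 100, 105, 98, 102, 100, 99, 101, 103, 100, 98, 99, 100]
INST = [2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 4, 4, 4, 5, 5, 5, 5, 5]

if __name__ == "__main__":
    for a in analyse(CPU, REQ, INST):
        print(f"{a.kind} @ {a.index}: {a.detail}")
    print("extra instance-intervals billed:", extra_instance_intervals(INST))
```

The `extra_instance_intervals` figure is what makes the finding actionable before the monthly bill arrives: multiplied by the interval length and the per-instance hourly rate it gives the cost already incurred, which is the number to raise with the account owner.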

All cloud services should be vetted

Alibaba ECS is yet another case of a cloud service targeted by cryptominers, with other notable recent campaigns targeting Docker and Huawei Cloud.

Trend Micro has notified Alibaba of its findings but hasn’t received a response yet.

If you are using Alibaba’s cloud service, ensure that your security settings are correct and follow best practices.

Moreover, avoid running apps under root privilege, use cryptographic keys for access, and follow the principle of least privilege.
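The advice above (no root logins, keys instead of passwords, least privilege) maps onto three OpenSSH server settings. The checker below is an added example, not code from the article; it shows a weak `sshd_config` of the kind the article warns against beside a hardened one and audits both. Both config texts are constructed samples and `deploy` is a placeholder user name; the option names and their OpenSSH defaults are real. sshd treats keywords case-insensitively and takes the first value it sees, so the parser mimics that, and it stops at the first `Match` block since settings inside it apply only conditionally.

```python
"""Compare a weak sshd_config with a hardened one for the advice given above.

Added example, not code from the article. It checks the three OpenSSH
settings that map to that advice (no root logins, keys instead of passwords),
using the real option names; both config texts are constructed samples, and
`deploy` is a placeholder user name. sshd parses keywords case-insensitively
and the first value wins, so the checker mimics that; lines after a `Match`
block apply conditionally and are not examined here.
"""
from typing import Dict, List, Set, Tuple

# option (lowercased) -> (acceptable values, OpenSSH default when the option is absent)
POLICY: Dict[str, Tuple[Set[str], str]] = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global section only: keyword (lowercased) -> first value seen."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break                                  # conditional section starts
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)            # first occurrence wins
    return settings


def audit_sshd(text: str) -> List[str]:
    """One finding per policy option whose effective value is not acceptable."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok, default) in POLICY.items():
        value = settings.get(key, default).lower()
        if value not in ok:
            shown = value if key in settings else f"{value} (default, not set)"
            findings.append(f"{key}: {shown}; expected one of {sorted(ok)}")
    return findings


# Constructed sample: the weak settings the article warns against.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: root login closed, keys only, one named account.
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sshd(cfg) or "OK")
```

Note that an empty config is not safe either: with nothing set, `PasswordAuthentication` defaults to `yes` and `PermitRootLogin` to `prohibit-password`, so the checker reports both, which is the point of auditing effective values rather than only the lines present.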

In the case of ECS, its built-in malware protection isn’t enough, so adding a second layer of detection for malware and vulnerabilities on the cloud environment should be part of your standard security practice.
