Malware samples associated with Chinese threat actor Rocke Group are now capable of uninstalling cloud security products, according to an analysis by researchers at Palo Alto Networks Unit 42, in a report published Thursday.

The newly discovered malware samples do not exploit a specific vulnerability in the cloud security products; rather, the malware is engineered to gain administrator access on a given cloud instance and then uninstall the software, exactly as any administrator could.


Rocke Group's modus operandi is to exploit vulnerabilities in web services including Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, giving the attacker shell access through which Monero cryptocurrency mining software is installed on the target system. Malware samples originating from the group have historically included commands to stop and remove competing cryptocurrency mining software.

The newly discovered samples include additional instructions to disable popular security products used on the Alibaba and Tencent cloud platforms, including Alibaba Threat Detection Service, Alibaba CloudMonitor, Alibaba Cloud Assistant, Tencent Host Security, and Tencent Cloud Monitor. Fundamentally, these are agent-based security products that must be installed on the cloud-hosted instance itself, which puts them within reach of malware running as root on that instance.

As Rocke Group is assumed to be based in China, this behavior has so far only been demonstrated against security products used on Chinese cloud services. Researchers at Unit 42 express concern that malware authors will broadly adopt the practice of uninstalling cloud security solutions to evade detection. These concerns are warranted to an extent, as malware has long uninstalled desktop security solutions in the same way. There are, however, some ways to preserve security integrity in light of this strategy.

The spontaneous absence of a program expected to exist on a given instance should be treated as a sign that something has gone badly wrong. Enterprise security products typically only react when an anomaly is detected, but some sort of periodic beacon (reporting definition updates, for example) would at a minimum give IT stakeholders proactive assurance that the security software is still operating normally. This need not be a feature of the security agent itself; it could be done with a cron job that checks whether the agent's process exists.

Malware capable of gaining root access could forge such beacons as easily as it uninstalls security software, which limits the effectiveness of this idea. Globally, however, the number of security vendors and products makes it impractical for a malware payload to perfectly uninstall and clone beacons for every possible configuration. Attributes of the Chinese cloud market may make this attack easier there than in markets with a more diverse set of products.

Ultimately, relying on a cloud instance to self-report its health is imperfect, as any malware capable of gaining root access could in theory uninstall security products or forge security beacons as described above. In terms of protection rings, monitoring cloud instance activity from Ring -1, the hypervisor, would be secure against such attacks. At that level, breaking security monitoring would require far more challenging virtual machine escape vulnerabilities.
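The off-instance check argued for in the two paragraphs above, written here as an added example (it is not code from Unit 42's report or from the article): a collector that receives per-agent beacons from cloud instances and flags any expected agent whose beacon has gone silent or reports it stopped. The instance IDs, agent names, beacon format and sample beacon lines are all constructed for the example. Because the staleness judgement is made outside the instance, malware that uninstalls an agent must actively keep forging beacons rather than merely silencing them; as the article notes, a root-level attacker can do that, so this raises the bar without being a hypervisor-level (Ring -1) control.

```python
"""Off-instance security-agent heartbeat monitor (constructed example)."""
from datetime import datetime, timedelta, timezone

# Constructed inventory: the agents each instance is expected to run.
# Real deployments would pull this from the cloud provider's inventory API.
EXPECTED_AGENTS = {
    "i-alpha": {"threat-detection", "cloud-monitor"},
    "i-bravo": {"threat-detection", "cloud-monitor"},
    "i-charlie": {"host-security"},
}

# Constructed beacon stream as the collector would receive it, one per line:
#   "<ISO-8601 UTC timestamp> <instance-id> <agent-name> <running|stopped>"
# The cron job on each instance emits one line per agent every 5 minutes.
SAMPLE_BEACONS = """\
2019-01-17T10:00:00Z i-alpha threat-detection running
2019-01-17T10:00:00Z i-alpha cloud-monitor running
2019-01-17T10:00:05Z i-bravo threat-detection running
2019-01-17T10:00:05Z i-bravo cloud-monitor running
2019-01-17T10:00:10Z i-charlie host-security running
2019-01-17T10:05:00Z i-alpha threat-detection running
2019-01-17T10:05:00Z i-alpha cloud-monitor running
2019-01-17T10:05:05Z i-bravo threat-detection running
2019-01-17T10:05:05Z i-bravo cloud-monitor stopped
2019-01-17T10:10:00Z i-alpha threat-detection running
2019-01-17T10:10:00Z i-alpha cloud-monitor running
"""

# Beacons arrive every 5 minutes; allow one minute of slack before alerting.
MAX_AGE = timedelta(minutes=6)

# Constructed "current time" at which the collector evaluates the stream.
SAMPLE_NOW = datetime(2019, 1, 17, 10, 11, 0, tzinfo=timezone.utc)


def parse_beacon(line):
    """Split one beacon line into (timestamp, instance, agent, status)."""
    ts, instance, agent, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, instance, agent, status


def latest_beacons(lines):
    """Return {(instance, agent): (timestamp, status)} for the newest beacon of each pair."""
    latest = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        when, instance, agent, status = parse_beacon(line)
        key = (instance, agent)
        if key not in latest or when > latest[key][0]:
            latest[key] = (when, status)
    return latest


def evaluate(lines, expected, now, max_age=MAX_AGE):
    """Return {instance: [finding, ...]} for every expected agent that is
    silent, never reported, or reports itself stopped. Empty dict = healthy."""
    latest = latest_beacons(lines)
    findings = {}
    for instance, agents in expected.items():
        for agent in sorted(agents):
            record = latest.get((instance, agent))
            if record is None:
                msg = f"{agent}: never reported"
            else:
                when, status = record
                age = now - when
                if status != "running":
                    # The instance itself says the agent is gone.
                    msg = f"{agent}: last beacon reports '{status}'"
                elif age > max_age:
                    # No beacon at all: the agent, or the beacon job, was removed.
                    msg = f"{agent}: silent for {int(age.total_seconds() // 60)} min"
                else:
                    continue
            findings.setdefault(instance, []).append(msg)
    return findings


def demo():
    """Evaluate the constructed stream at the constructed 'now'."""
    return evaluate(SAMPLE_BEACONS.splitlines(), EXPECTED_AGENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for instance, issues in sorted(demo().items()):
        for issue in issues:
            print(f"ALERT {instance} {issue}")
```

Run against the constructed stream, the collector is quiet about i-alpha, flags i-bravo because its last beacon says cloud-monitor is stopped, and flags i-charlie because host-security has sent nothing for more than the six-minute window. The second case is the one the article is most concerned with: an attacker who removes the agent and its beacon job produces exactly that silence, which is why the absence check has to live outside the instance.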

The big takeaways for tech leaders:

  • Newly discovered malware samples use root access to uninstall cloud security software, mirroring capabilities seen for years in desktop malware.
  • Relying on a cloud instance to self-report health may be imperfect, as any malware capable of gaining root access could uninstall security products or forge security beacons.