Alibaba OSS buckets compromised to spray malware
Cybersecurity experts have identified a malicious campaign using the object storage service (OSS) of Alibaba Cloud for malware distribution and illicit cryptocurrency-mining activities.
OSS is a service that allows Alibaba Cloud customers to store data like web application images and backup information in the cloud.
Unfortunately, this is not the first time that we’ve seen malicious actors targeting Alibaba Cloud.
To secure an OSS bucket, a user has to set up a proper access policy. If the policy is misconfigured, an attacker can upload files to the bucket or download the owner's files from it.
Attackers can also take over a user's OSS bucket by obtaining their AccessKey ID and AccessKey secret or an auth token. Any of these can be stolen from previously compromised services, particularly those that keep secrets accessible as configuration inside plain-text files or environment variables. Malicious actors can also gain access to an OSS bucket by using credential stealers; TeamTNT's extended credential harvester is a notorious example of a stealer that targeted multiple cloud environments.
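The two weaknesses described above (an over-permissive bucket ACL and AccessKey secrets left in plain-text configuration or environment variables) are the kind of thing a defender can audit routinely. The following script is an added example written for this article, not code from the report or from Alibaba Cloud: it flags buckets whose ACL is not `private` and scans configuration text and environment variables for hard-coded AccessKey material. The bucket inventory, the `.env` contents and the environment mapping are constructed sample data; the `LTAI` prefix used to spot AccessKey IDs and the key-name patterns are assumptions that should be adjusted to your own tenancy.

```python
"""Audit helpers for the two OSS exposure paths discussed above.

Added example, not from the original article. All inputs are constructed:
bucket ACLs are passed in as a dict (the shape an inventory tool would give
you), and the config text / environment mapping below are sample data.
"""
import re

# OSS bucket ACL values are "private", "public-read" and "public-read-write".
# Anything other than private is reported, with the risk it carries.
RISKY_ACLS = {
    "public-read-write": "anyone can upload to and download from the bucket",
    "public-read": "anyone can download from the bucket",
}

# Assumption: Alibaba Cloud AccessKey IDs commonly start with "LTAI".
ACCESS_KEY_ID = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")
# Key names that usually hold the AccessKey secret in .env / config files.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|oss[_-]?key[_-]?secret)\s*[:=]\s*[\"']?([A-Za-z0-9/+]{20,})"
)
SECRET_ENV_NAME = re.compile(r"(?i)(access|oss).*secret")


def audit_bucket_acls(acls):
    """Return (bucket, acl, risk) for every bucket whose ACL is not private."""
    return [(name, acl, RISKY_ACLS[acl])
            for name, acl in sorted(acls.items()) if acl in RISKY_ACLS]


def scan_text(text, source):
    """Return (source, line_no, finding) for AccessKey material in config text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if SECRET_ASSIGNMENT.search(line):
            findings.append((source, line_no, "hard-coded AccessKey secret"))
        if ACCESS_KEY_ID.search(line):
            findings.append((source, line_no, "AccessKey ID in plain text"))
    return findings


def scan_env(env):
    """Return (source, var_name, finding) for secrets exposed as env variables."""
    return [("env", name, "AccessKey secret in environment variable")
            for name, value in sorted(env.items())
            if SECRET_ENV_NAME.search(name) and value]


# Constructed sample data for the audit.
SAMPLE_ACLS = {
    "backups-prod": "private",
    "web-assets": "public-read",
    "uploads": "public-read-write",
}
SAMPLE_CONFIG = """# constructed sample .env
OSS_ENDPOINT=oss-cn-hangzhou.aliyuncs.com
OSS_ACCESS_KEY_ID=LTAIexampleEXAMPLEid
OSS_ACCESS_KEY_SECRET=ExampleSecretValue0123456789abc
"""
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "OSS_ACCESS_KEY_ID": "LTAIexampleEXAMPLEid",
    "OSS_ACCESS_KEY_SECRET": "ExampleSecretValue0123456789abc",
}


def run_audit(acls=SAMPLE_ACLS, config_text=SAMPLE_CONFIG, env=SAMPLE_ENV):
    """Run all three checks and return the findings grouped by check."""
    return {
        "buckets": audit_bucket_acls(acls),
        "config": scan_text(config_text, "sample.env"),
        "env": scan_env(env),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"[{check}]")
        for finding in findings:
            print("  ", finding)
```

In practice the ACL inventory would come from the OSS console or SDK and the text scan would be run over checked-in configuration and deployment manifests; the point of the script is that both exposure paths named in the report are cheap to detect before an attacker finds them.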
When experts investigated the technical details of this campaign, they saw that one of the shell scripts contained a reference to an OSS KeySecret and to GitHub. Initially, they assumed that the malicious actors simply search for credentials that have been inadvertently pushed to public GitHub repositories.
At the same time, credit card details from customers of over 300 restaurants in the United States were stolen in two web-skimming campaigns targeting three online ordering platforms.