Cryptoworm: a Worm that Attacks the AWS Cloud

We are reporting on a new threat affecting AWS cloud services: Cryptoworm, a worm capable of installing a back door. Its goal is to mine cryptocurrencies using the resources available on the systems it infects. Keep in mind that Amazon's servers are widely used and that there have been security problems on many occasions.

Cryptoworm, the new threat affecting AWS

Amazon's servers have appeared in the press when users have misconfigured them and exposed data, or when there has been a vulnerability. This time, however, the problem is different: Cryptoworm, a worm that can install a back door.

This worm has been infecting the AWS cloud. It was discovered by Cado Security. The malware steals AWS user credentials with the help of simple code. The researchers say they believe it comes from TeamTNT. The worm uses those credentials to install a mining tool called XMRig, which mines the Monero cryptocurrency.

The main function of this threat is therefore to mine cryptocurrencies. Its goal is to attack systems and take advantage of their available resources. Cryptocurrency mining can seriously damage devices, because it uses the available hardware and can push it to its limits in terms of performance.

Other functions besides mining cryptocurrencies

Although its main mission is to mine Monero, it also has other functions. Cryptoworm has a registry cleaner to remove all traces of its malicious activity. It also has a rootkit called Diamorphine.

It also has a post-exploitation tool called punk.py that runs over SSH, and it creates a back door called Tsunami.

Beyond this, the attackers also receive reports indicating the total number of infected systems and how many coins have been mined, among other details. The worm reuses code from an earlier worm called Kinsing.

It is important for AWS users to check if any of their credential files have been mistakenly exposed and delete them immediately.
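One way to carry out that check, as an added example that is not from the original article or from Cado Security: a small Python audit that walks a directory tree and reports every file containing an AWS access key ID, along with whether it is readable by other users. It assumes the AWS CLI's default file locations (`.aws/credentials`, `.aws/config`); the function names and the sample tree are constructed for illustration, and the key shown is the placeholder from AWS's own documentation.

```python
import os
import re
import stat
import tempfile

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
AWS_CLI_DEFAULT_FILES = (os.path.join(".aws", "credentials"), os.path.join(".aws", "config"))

def audit_tree(root, max_bytes=1_000_000):
    """Return one finding per regular file under root that contains a key ID."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            key_ids = sorted(set(KEY_ID_RE.findall(text)))
            if key_ids:
                rel = os.path.relpath(path, root)
                findings.append({
                    "path": rel,
                    "cli_file": rel.endswith(AWS_CLI_DEFAULT_FILES),
                    "group_or_world_readable": bool(st.st_mode & 0o044),
                    # Report a prefix only, so the output does not leak the key.
                    "key_ids": [k[:8] + "..." for k in key_ids],
                })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Audit a constructed tree (the key is AWS's documentation example)."""
    root = tempfile.mkdtemp()
    sample = "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    files = {"home/app/.aws/credentials": 0o600, "srv/www/backup.env": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
    return audit_tree(root)
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit_tree` at a web root, a home directory or a build output directory; a hit that is group- or world-readable, or that sits outside `.aws`, is the kind of mistakenly exposed file the article says to delete.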

In short, Cryptoworm is a worm that has put the AWS servers of many users at risk. It can damage security and privacy. It is very important to keep systems properly updated at all times. Many vulnerabilities can arise, but developers often release patches to correct them, hence the importance of always running the latest available versions.

We recommend periodically checking that the latest versions are installed. This improves not only performance but also security, and helps avoid potential problems.