Everyone and their dog knows that Unix systems come with a “least-privilege” default, which for some reason was flipped on its head when Alibaba created a service model.
Trend Micro reports:
…the default Alibaba ECS instance provides root access…all users have the option to give a password straight to the root user inside the virtual machine (VM)… In this situation, the threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed.
Ouch. It’s a burning question who set up Alibaba’s security to be the exact opposite of basic practice.
The rest of the Trend Micro report describes how the security detection software was easily disabled, since the attacker already had total control of the system.
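The condition the quoted report describes is easy to check for. Below is an added example (not code from this post, from Trend Micro, or from Alibaba) that answers one question about a Linux guest: would sshd accept a password login straight to root, and does root actually have a password to accept? It reads an sshd_config and a shadow file given as arguments, so the constructed samples below are what it runs on here; on a live host you would pass /etc/ssh/sshd_config and /etc/shadow. Ignoring sshd Match blocks and treating an absent PermitRootLogin directive as risky are assumptions of this example.

```shell
#!/bin/sh
# Added audit example: flags a Linux guest that still accepts password logins
# to root. Not the post's or the report's code; sample inputs are constructed.

# Returns 0 when the given sshd_config would accept a password login for root.
# sshd honours the first PermitRootLogin directive it reads; Match blocks are
# ignored here (assumption of this example). An absent directive is treated as
# risky because the default depends on the OpenSSH version.
sshd_allows_root_password() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    case "$value" in
        no|prohibit-password|without-password) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 when the root entry of the given shadow file has a usable password:
# a hash, or an empty field (no password needed at all). Locked entries
# ("*", "!", "!!", or anything starting with "!") and a missing entry return 1.
root_has_usable_password() {
    line=$(awk -F: '$1 == "root" { print; exit }' "$1")
    [ -n "$line" ] || return 1
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 ("exposed") only if sshd would take a root password AND root has one.
root_password_login_exposed() {
    sshd_allows_root_password "$1" && root_has_usable_password "$2"
}

# --- constructed sample inputs (not taken from any real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# An image the way the report describes it: root login on, root has a hash.
cat > "$SAMPLE_DIR/sshd_config.open" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
printf 'root:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::\n' \
    > "$SAMPLE_DIR/shadow.open"

# A hardened image: key-only root over SSH, root password locked.
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
# constructed sample
#PermitRootLogin yes
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
printf 'root:!:19000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow.hardened"

report() {
    if root_password_login_exposed "$1" "$2"; then
        echo "EXPOSED: $1 + $2 would accept a password login as root"
    else
        echo "ok: $1 + $2"
    fi
}

report "$SAMPLE_DIR/sshd_config.open" "$SAMPLE_DIR/shadow.open"
report "$SAMPLE_DIR/sshd_config.hardened" "$SAMPLE_DIR/shadow.hardened"
```

Both checks have to agree before the script reports "EXPOSED": a permissive sshd with a locked root password is not reachable by password, and a set root password with `PermitRootLogin prohibit-password` is not either. The second sample also shows why the check keys on the first uncommented directive rather than on a plain substring match: the commented-out `#PermitRootLogin yes` line must not count.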