28% of cloud environments may be compromised by cybercrime group Rocke

Unit 42 stated that the threat actor group, which is best known for cryptomining operations targeting the cloud, is able to conduct operations with little interference and limited risk of detection.

The intelligence team reportedly released "high-level results" from its investigation of Rocke after claiming to spend six months researching the cybercrime group [representational image]

According to research by Palo Alto Networks' global intelligence team Unit 42, more than 28% of cloud environments may be compromised by China-based cybercrime group Rocke.

The intelligence team reportedly released "high-level results" from its investigation of Rocke after what it says was six months of research into the cybercrime group. It concluded that the threat actor group, which is best known for cryptomining operations targeting the cloud, is able to conduct operations with little interference and limited risk of detection.

By analyzing NetFlow data from December 2018 to June 16, 2019, Unit 42 found that 28.1% of the cloud environments it surveyed had at least one fully established network connection with at least one known Rocke command-and-control (C2) domain. Several of those organizations maintained near daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and procedures (TTPs).

Rocke also released a new tool called Godlua, which could function as an agent, allowing the group’s actors to perform additional scripted operations, including denial of service (DoS) attacks, network proxying, and two shell capabilities. Unit 42 also discovered network traffic identification patterns within NetFlow traffic that provide unique insight into Rocke TTPs and how defenders can develop detection capabilities.
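The two NetFlow signals the article describes, a fully established connection to a known C2 domain and a recurring hourly heartbeat, can be expressed as a small detection check. The code below is an added example, not Unit 42's tooling or any published Rocke indicator; the watch-list domains, flow records and the use of the TCP ACK flag as the "established" marker are all constructed assumptions.

```python
# Added example (not from the article or Unit 42): C2-contact and beaconing
# detection over NetFlow-style records. All records and domains are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watch list standing in for the known C2 domains the article
# refers to (placeholders, not real indicators).
KNOWN_C2 = {"c2-placeholder-a.invalid", "c2-placeholder-b.invalid"}

# Constructed NetFlow-style records: (timestamp, src_host, dst_domain, tcp_flags).
# An "A" in the flags is treated here as a completed handshake (assumption).
FLOWS = [
    ("2019-06-01T00:00:00", "host-1", "c2-placeholder-a.invalid", "SA"),
    ("2019-06-01T01:00:10", "host-1", "c2-placeholder-a.invalid", "SA"),
    ("2019-06-01T02:00:05", "host-1", "c2-placeholder-a.invalid", "SA"),
    ("2019-06-01T03:00:02", "host-1", "c2-placeholder-a.invalid", "SA"),
    ("2019-06-01T00:00:00", "host-2", "c2-placeholder-b.invalid", "S"),   # SYN only, never established
    ("2019-06-01T05:12:00", "host-3", "updates.example.com", "SA"),       # benign destination
    ("2019-06-01T06:30:00", "host-3", "c2-placeholder-b.invalid", "SA"),  # one-off contact, no cadence
]

def established_c2_contacts(flows, watchlist=KNOWN_C2):
    """Return {host: [timestamps]} for flows that completed a handshake to a watch-listed domain."""
    contacts = defaultdict(list)
    for ts, host, domain, flags in flows:
        if domain in watchlist and "A" in flags:
            contacts[host].append(datetime.fromisoformat(ts))
    return dict(contacts)

def beacon_hosts(contacts, period_s=3600, jitter_s=120, min_contacts=3):
    """Hosts whose C2 contacts recur at a near-fixed interval (hourly by default).
    Returns {host: mean_gap_seconds} for hosts that match the cadence."""
    hits = {}
    for host, times in contacts.items():
        times = sorted(times)
        if len(times) < min_contacts:
            continue  # too few contacts to establish a cadence
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Mean gap close to the expected period and low spread means a regular heartbeat.
        if abs(mean(gaps) - period_s) <= jitter_s and pstdev(gaps) <= jitter_s:
            hits[host] = round(mean(gaps))
    return hits

if __name__ == "__main__":
    found = established_c2_contacts(FLOWS)
    print("hosts with established C2 contact:", sorted(found))   # host-1, host-3
    print("hourly beaconing hosts:", beacon_hosts(found))         # host-1 only
```

Triage differs for the two findings: host-3 made a single established contact worth investigating, while host-1's regular hourly cadence is the stronger sign of a live agent.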
