🟠 High | Source: The Register — Security
A cloud-targeting worm dubbed CAI has been observed actively evicting competing malware from compromised cloud environments before stealing credentials and deploying cryptomining software. The worm’s ability to identify and remove rival malicious tools suggests a sophisticated, resource-competitive threat actor focused on maximising persistent access. This matters because it indicates an increasingly cutthroat and automated attacker ecosystem targeting cloud infrastructure at scale.
Security Architect’s Take: Audit cloud workloads for unexpected process terminations, unusual IAM credential usage, and cryptomining indicators — the worm’s clean-up behaviour may mask its presence by removing other known malware signatures your tooling would otherwise detect. Ensure runtime threat detection covers behavioural anomalies, not just known malware hashes.
Original advisory: CAI cloud worm gives competitors’ malware the boot, then steals secrets and mines for coin