A blog post by researchers Alfredo Oliveira and David Fiser said the other ways the malware gained access were by abusing weak passwords on SSH, Redis, PostgreSQL, SQLServer, MongoDB and FTP services.
The payload the malware planted was a cryptominer. The attackers also removed applications and services on the compromised Huawei Cloud instances, among them the hostguard service, which they disabled.
The two researchers said the attackers used an open-source plugin known as cloudResetPwdUpdateAgent that normally allowed users to reset a password for the Elastic Cloud Service running on Huawei Cloud.
"Another interesting capability that we haven’t seen before is that in this campaign, malicious actors have been searching for specific public keys that would allow them to kill off their competition from the infected system and update their own keys," the pair wrote.
"More than any other samples and campaigns we’ve seen so far, this campaign performs a comprehensive sanitisation of the operating system.
"It looks for both signs of previous infections and for security tools that could stop its malicious routines. Not only that, but it also uses simple but effective commands to clean up after it performs its infection routine."
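The key-replacement behaviour quoted above leaves a trace that is easy to audit: an `authorized_keys` file that has gained a key nobody issued and lost one that was expected. The following script is an added example and is not code from the researchers' post or the article; it parses an `authorized_keys` file, computes OpenSSH-style SHA256 fingerprints, and reports keys that are not on an allowlist as well as allowlisted keys that have disappeared. The sample keys, the allowlist and the file contents are constructed for illustration, and the `make_ed25519_blob` helper exists only to build those samples.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints.

Added example, not from the original post. Flags keys that are not on the
allowlist (a planted key) and allowlisted keys that have disappeared (a removed
key). All sample data below is constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pub: bytes) -> str:
    """Build the base64 blob of an ssh-ed25519 public key from 32 raw bytes.
    Only used here to construct sample keys; real keys come from ssh-keygen."""
    if len(pub) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()


def fingerprint(blob_b64: str) -> str:
    """Fingerprint in the form 'ssh-keygen -lf' prints: SHA256 over the decoded
    blob, base64-encoded without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class KeyEntry:
    line_no: int
    options: str      # leading options field, e.g. 'no-pty,command=/bin/sh', or ''
    key_type: str
    fingerprint: str
    comment: str


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Parse authorized_keys lines, tolerating an optional leading options field."""
    entries: list[KeyEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)    # keeps quoted option values together
        except ValueError:
            continue                      # unbalanced quotes: sshd rejects the line too
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                      # not a key line this parser understands
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:
            continue                      # key blob is not valid base64
        entries.append(KeyEntry(
            line_no=line_no,
            options=" ".join(tokens[:idx]),
            key_type=tokens[idx],
            fingerprint=fp,
            comment=" ".join(tokens[idx + 2:]),
        ))
    return entries


def audit_authorized_keys(text: str, allowed: set[str]) -> dict[str, list]:
    """Return keys that are not allowlisted and allowlisted keys that are absent."""
    entries = parse_authorized_keys(text)
    present = {e.fingerprint for e in entries}
    return {
        "unknown": [e for e in entries if e.fingerprint not in allowed],
        "missing": sorted(allowed - present),
    }


# Constructed sample keys (fixed bytes, not real key material).
ADMIN_BLOB = make_ed25519_blob(b"\x01" * 32)
DEPLOY_BLOB = make_ed25519_blob(b"\x02" * 32)
INTRUDER_BLOB = make_ed25519_blob(b"\x03" * 32)

ALLOWED_FINGERPRINTS = {fingerprint(ADMIN_BLOB), fingerprint(DEPLOY_BLOB)}

# Constructed file: the admin key has been removed and an unknown key added;
# the options field on the last line is there to exercise the parser.
SAMPLE_AUTHORIZED_KEYS = (
    "# managed by configuration management\n"
    f"ssh-ed25519 {DEPLOY_BLOB} deploy@ci\n"
    "\n"
    f'no-pty,command="/bin/sh" ssh-ed25519 {INTRUDER_BLOB} root@localhost\n'
)

if __name__ == "__main__":
    result = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS)
    for e in result["unknown"]:
        print(f"line {e.line_no}: unknown key {e.fingerprint} comment={e.comment!r} options={e.options!r}")
    for fp in result["missing"]:
        print(f"allowlisted key missing: {fp}")
```

On a real host the allowlist would come from whatever issues keys (configuration management, an identity provider export) rather than from the file being audited, and the check belongs in a periodic job so that a replaced key is noticed before the next login, not after.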
They found that the attackers seemed to be very familiar with the people running the systems they were attacking.
Another feature of the malware was that it installed a Tor (The Onion Router) proxy, which it later used to anonymise its malicious connections.
"Cloud service misconfigurations can allow cryptocurrency mining and cryptojacking attacks to happen," Oliveira and Fiser said.
"Most of the attacks that we’ve monitored occurred because the services running on the cloud had an API or an SSH with weak credentials or had very permissive configurations, which attackers can abuse to enable them to infiltrate a system without needing to exploit any vulnerabilities.
"Misconfigurations are a common point of entry in such scenarios, and cloud users should give the same thought and attention to misconfigurations as they do to vulnerabilities and malware."
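The entry points named above, services exposed with weak or no credentials and permissive settings, are visible in the service configuration before any attacker arrives. The script below is an added example, not code from the researchers' post or the article: it reads `redis.conf` and `sshd_config` and flags the settings that give password-guessable or unauthenticated access, applying each daemon's own precedence rule (Redis honours the last occurrence of a directive, sshd the first, and sshd treats everything after a `Match` line as conditional). The weak and hardened configs are constructed for illustration, and the check list is deliberately short rather than a full hardening benchmark.

```python
"""Flag the weak settings in redis.conf and sshd_config that give an attacker
password-guessable or unauthenticated entry.

Added example with constructed configs; not a complete hardening benchmark.
"""
from __future__ import annotations


def parse_directives(text: str) -> dict[str, list[str]]:
    """Map lowercased directive -> its values in file order. Both Redis and sshd
    use 'directive value...' lines and treat lines starting with '#' as comments."""
    cfg: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(parts[0].lower(), []).append(value)
    return cfg


def check_redis(text: str) -> list[str]:
    """Redis applies the last occurrence of a directive, so read cfg[k][-1]."""
    cfg = parse_directives(text)

    def last(key: str) -> str | None:
        return cfg[key][-1] if key in cfg else None

    findings: list[str] = []
    password = (last("requirepass") or "").strip('"')
    # Redis 6+ ACLs set passwords with 'user NAME ... >secret'; count those as auth.
    acl_password = any(">" in v for v in cfg.get("user", []))
    if not password and not acl_password:
        findings.append("no requirepass or ACL password: anyone who reaches the port has full access")
    bind = last("bind")
    if bind is None:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(a.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for a in bind.split()):
        findings.append(f"bind {bind}: listens on every interface")
    if (last("protected-mode") or "yes").lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")
    return findings


def check_sshd(text: str) -> list[str]:
    """sshd applies the first occurrence of a directive, and directives after a
    Match line are conditional, so only the global section is evaluated here."""
    global_lines: list[str] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].lower() == "match":
            break
        global_lines.append(raw)
    cfg = parse_directives("\n".join(global_lines))

    def first(key: str, default: str) -> str:
        return cfg[key][0].lower() if key in cfg else default

    findings: list[str] = []
    # OpenSSH defaults: PasswordAuthentication yes, PermitRootLogin prohibit-password,
    # PermitEmptyPasswords no. An absent directive therefore means the default applies.
    if first("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes (the default when unset): password guessing possible")
    if first("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if first("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    return findings


# Constructed configs: the weak form beside its corrected form.
WEAK_REDIS = """# constructed: reachable from anywhere, no authentication
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS = """# constructed: loopback only, authentication required
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-with-a-long-random-secret
"""
WEAK_SSHD = """# constructed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """# constructed
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, checker, text in (
        ("weak redis.conf", check_redis, WEAK_REDIS),
        ("hardened redis.conf", check_redis, HARDENED_REDIS),
        ("weak sshd_config", check_sshd, WEAK_SSHD),
        ("hardened sshd_config", check_sshd, HARDENED_SSHD),
    ):
        print(f"{name}: {checker(text) or 'no findings'}")
```

Note that the absence of a directive is itself a finding for sshd, since `PasswordAuthentication` defaults to `yes`, and for Redis, since a missing `bind` means every interface; a reviewer who only greps for explicitly weak values misses both cases.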