You may have heard of a recent vulnerability in SaltStack's infrastructure automation software (a platform in the same category as Chef, Puppet, Ansible and many others). Not only was it a remote code execution, but it also seems to be wormable, which makes things a lot worse.
I do not want to talk about Salt specifically; the lesson from that exploit should really be: take it with a grain of salt, or be realistic about attack vectors. In that specific case you should have been skeptical when you rolled out a component that needs elevated privileges to install software and to configure systems and applications, and that you know is reachable from remote (which makes perfect sense for the use case).
Maybe you even thought about limiting access to the port(s) that your automation software uses (or any other system that controls your infrastructure), but didn't do it in the end, because it is hard and maybe not even your job.
We should begin to take things like that more seriously again, especially in our datacenters where we host our high-value applications and sensitive or competitive data. We should go back to the drawing board, assume breach, and protect those services by whitelisting them so that they are only accessible from the master nodes and by authorized people. It is about adopting a zero trust approach: never trust, always verify.
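As an added example (not from the original post), the whitelisting described above written as a small nftables ruleset generator: it opens the automation software's control ports only to an allowlist of master nodes and admin hosts and logs and drops everything else on those ports. The table name, the allowlist addresses and the helper functions are my own; the ports are assumed to be a Salt master's default 4505/4506 and should be replaced by whatever your automation platform actually listens on.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that restricts the automation
# control ports to an allowlist. Hypothetical helper, not part of the post.

# Ports the automation software listens on (assumed Salt master defaults).
CONTROL_PORTS="4505,4506"
# Master nodes and admin jump hosts allowed to reach them (constructed values).
ALLOWLIST="10.0.1.10 10.0.1.11 10.0.9.0/24"

# gen_ruleset "PORT,PORT" "ADDR ADDR ..." -> prints an nftables ruleset.
# IPv4 only; add an ip6 set and rule if your masters talk IPv6.
gen_ruleset() {
    ports="$1"
    set_elems=$(printf '%s' "$2" | sed 's/ /, /g')
    cat <<EOF
table inet automation_guard {
    set control_masters {
        type ipv4_addr
        flags interval
        elements = { ${set_elems} }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Keep already established sessions working.
        ct state established,related accept
        # Only allowlisted hosts may open connections to the control ports.
        tcp dport { ${ports} } ip saddr @control_masters accept
        # Everything else hitting those ports is logged and dropped,
        # which also gives you a detection signal for scans and worms.
        tcp dport { ${ports} } log prefix "automation-port-drop " drop
    }
}
EOF
}

# rules_drop_default RULESET -> exit 0 if unlisted sources are dropped on the ports.
rules_drop_default() {
    printf '%s\n' "$1" | grep -qF 'log prefix "automation-port-drop " drop'
}

# Usage: gen_ruleset "$CONTROL_PORTS" "$ALLOWLIST" | nft -f -
gen_ruleset "$CONTROL_PORTS" "$ALLOWLIST"
```

The chain keeps `policy accept` so it only touches the control ports; the rest of your host policy stays as it is.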
The initial malware payloads act like a sledgehammer. They tear down anything remotely CPU-intensive so they can suck out all your compute resources for that sweet, sweet Monero. This includes, but is not limited to: