Now that industry giants are beginning to migrate their data centers to the cloud, it is unlikely to be long before a stampede of businesses follows suit, anxious not to be the ones left behind running unsustainable local infrastructure.
But it’s not just legitimate interests that are switching focus to remote storage, shared resources and IaaS. Cybercriminals looking to steal data, infect businesses with malware or simply shut services down are preparing for a new challenge within the cloud. In fact, they are already sitting there waiting to launch their attacks on unsuspecting businesses and their consumers.
It’s not as if we haven’t been forewarned. The first inklings of malicious activity in the cloud came back in 2012, when McAfee and Guardian Analytics released a report detailing how financial fraudsters had moved on from using victims’ own PCs to process fraudulent bank transfers and were instead harnessing the superior processing power of remote servers. In the same way that legitimate cloud computing manages updates from powerful remote servers, reducing the load on local machines, these attacks were purpose-built to perform complex, automated tasks on the server side, with only basic processing required by malware on the victim’s machine. The comparative lack of client-side activity also enabled the attacks to survive longer before detection. Combining these factors (automation, processing and longevity) gives fraudsters a scalable and flexible operation.
Then there were the 2014 attacks, which saw Amazon servers exploited for Bitcoin mining, Rackspace put out of action for 11 hours and the Lizard Squad disrupt Sony and Xbox users on Christmas Day.
A more recent NSF-supported study into cloud-hosted malware, run by three top US universities, detected malware in 10 per cent of the cloud service providers they investigated. They found that cybercriminals are now not just hosting malware on compromised servers but have worked out how to distribute components across the cloud, hiding them alongside legitimate content in software repos to avoid detection. Only when the separate components are combined is the full-scale attack realized. Types of attacks ranged from fake anti-virus and software update prompts to phishing attacks and drive-by downloads.
Because restricted Service Level Agreements and limited resources prevent most cloud service providers from doing the deep scans necessary to root them out, such threats are never discovered.
Cybercriminals favoring volumetric attacks are also likely to see the cloud infrastructure as a rich hunting ground. With users concentrated across a relatively small number of data centers, together with the cloud’s inherent state-based nature, techniques similar to SYN floods and other DDoS attacks could wreak havoc with multiple businesses simultaneously. In addition, botnets are readily available for hire on the cloud, enabling hackers to make efficiency savings in another way.
Then there is the rapidly developing mobile society and the impending Internet of Things. Mobile devices are cited by some experts as the next attack vector of choice (with the Google Play store even hosting an app which can be used for making DDoS attacks) while the lack of a standard infrastructure may make the IoT a potential Achilles’ heel for businesses. However, the truth is that wherever any technology connects to the cloud, there is the potential for some sort of malicious activity.
Just as there is no single type of cyber-attack, there is unlikely to be any ‘one-size-fits-all’ solution.
Negotiating the turbulent airs of the cloud will require a multi-agency approach with specialists from all fields working together to strengthen security measures.
With a majority of cloud cyber-attacks taking advantage of traditional exploits and poor configuration, the same standard advice applies: keep updated with the latest patches and be extra careful with your configurations.
As cybercriminals become more sophisticated, though, the methods of detecting and thwarting attacks will need to evolve accordingly. The researchers behind the university study mentioned earlier used their findings to develop software that could recognize the footprint of a malicious system. For example, they found that suspect code was protected by ‘gatekeepers’ and a variety of redirection schemes designed to throw off scanners. These protective measures could themselves be used as a means of detecting possible threats. The researchers are now looking into the possibility of creating open source code to draw upon the wider programming community to help accelerate progress. There is also likely to be a significant role for hackers themselves, working with security experts in identifying loopholes and creating patches.
As companies become wise to the damage that DDoS attacks can do to their businesses, the market for protection from such attacks is likely to grow. Already, vendors are specializing in cloud-based DDoS protection methods that are able to exceed attackers’ resources and that make use of bandwidth-mitigating technologies such as micro blocks, RST cookies and stack tweaking.
It is not just cloud service providers and their clients that need to prepare for increasingly smart attacks. Developers too need to be aware that software repositories are an attractive destination for dumping corrupt code. In just one example of many, an identified ‘middle man’ exploit in Maven, the repo for Java, slipped beneath the radar by using an unsecured link which was virtually identical to a genuine link to the repository. With industry insiders expressing their frustration over colleagues who skip verification when downloading from trusted software repos, developers will also need to tighten up their act to avoid inadvertently introducing malware into applications.
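As an added example (not from the article or the study it cites), one way to act on the verification point above: flag every repository in a Maven build file that is not fetched over HTTPS, and check a downloaded artifact against a SHA-256 digest obtained out of band. The sample POM, host names and function names are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample POM: one HTTPS repository and two plain-HTTP look-alikes.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo.example.org/maven2</url></repository>
    <repository><id>mirror</id><url>http://repo.example.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.org/m2</url></pluginRepository>
  </pluginRepositories>
</project>"""

REPO_TAGS = ("repository", "pluginRepository", "mirror")


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def insecure_repositories(pom_text):
    """Return (id, url) for every repository entry whose URL is not HTTPS."""
    findings = []
    for elem in ET.fromstring(pom_text).iter():
        if local_name(elem.tag) not in REPO_TAGS:
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in elem}
        url = fields.get("url", "")
        # A missing URL or any scheme other than https is reported.
        if urlsplit(url).scheme.lower() != "https":
            findings.append((fields.get("id", "?"), url))
    return findings


def verify_artifact(data, pinned_sha256):
    """True only if the artifact bytes match the pinned SHA-256 hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.strip().lower())


if __name__ == "__main__":
    for repo_id, url in insecure_repositories(SAMPLE_POM):
        print(f"repository '{repo_id}' is not fetched over HTTPS: {url}")
```

The pinned digest has to come from a source other than the connection being checked; a checksum downloaded over the same unsecured link proves nothing.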
The road to a cloud-based future now lies ahead, and now that the big corporations are starting their migrations, the time for test flights is growing short. We now know that there are vultures circling, but they have always been there. For businesses preparing themselves for the cloud, the need for an established cloud provider with a commitment to security and a track record for excellence is paramount.