Oh how we love the public cloud—with its ability to quickly spin up services and grow compute rapidly to meet our customers’ demands. What an amazing opportunity for our organization. We also love Software as a Service (SaaS), with its ease of use and the ability to access applications anywhere, at any time, from almost any device. What is there not to love? Unfortunately, our nemeses are as enamored as we are. The attributes that make these services so attractive to us are equally attractive to cybercriminals.
Just a few weeks ago, researchers at Intel Security uncovered ransomware attacks hosted in the public cloud. These files could have been the payload of a ransomware attack—the crypto-malware that a victim is directed to through a malicious URL, which is then downloaded and installed on the user’s machine and locks it against further use. Or perhaps these files were part of a ransomware service, where cybercriminals share malware from the cloud so that others can distribute it further.
Utilizing cloud Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) offerings in this way is reminiscent of using internet cafés or open Wi-Fi connections to distribute attacks. It is much more cost effective, and far less traceable, for the perpetrator to leverage someone else’s resources. This is a pattern we have seen before. Think back to how spammers leveraged the emerging internet, rapidly creating thousands of domains and thousands of email accounts as spambots. They would “pump and dump” millions of messages until the reputation of those domains and email accounts was ruined. Then they would move on and do it all over again. The same “turn and burn” happens with IP addresses, URLs, and domains purchased through services and used to host malicious payloads on the web or network.
It makes sense that these threat actors do not want to spend money and time creating their own environments; it is much more profitable this way. Why use any of their own infrastructure when they can have one of the public cloud vendors host it for them? Not to mention the benefit they gain from leveraging the global footprint of the cloud providers.
I expect to see PaaS and IaaS utilized more and more by bad actors as they fall in love with these services just as we have. With the ability to propagate files so easily, cloud vendors are going to have to be increasingly vigilant in monitoring and protecting against malicious usage of their services. As the larger cloud service providers (CSPs) start to monitor this activity, smaller CSPs may become more attractive to cybercriminals. Intel Security will be on the lookout, as should CSPs, for the following activity on cloud services:
- Hosting of pump-and-dump payloads, malicious websites, and hacker data collection on public cloud services, mostly paid for with bitcoin
- Randomized activity, using different data center locations around the world
- Distribution of malware using cloud services, utilizing the service APIs to distribute to the service’s massive user communities
- Creation and hosting of malicious services such as ransomware as a service where cybercriminals can purchase malware as needed to attack organizations
- Utilization of global cloud infrastructures to target specific regions where certain providers and IPs may be more trusted
- Identical services being created with many different providers
- A service being run from multiple cloud vendors to perform a large-scale attack
- Use of services to both test protection and distribute attacks, which is becoming more prevalent in storage services, web hosting services, and email services
So what can you, as a fellow cloud lover, do about this? First and foremost, protect your IaaS and SaaS credentials so your accounts are not hijacked and used for bad things. Next, don’t trust something just because it came from a known cloud provider—apply the same common-sense approach you use to protect your organization from any other unexpected behavior. Last, monitor your services and watch for nonconforming activity.
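As an added illustration of the indicators listed above and of the closing advice to watch for nonconforming activity (example code written for this page, not Intel Security’s or any provider’s own tooling), the following Python script scores accounts in a constructed provisioning log against three of those patterns: one image fanned out across many regions in a short window, a resource created and torn down within a short lifetime (“turn and burn”), and bitcoin payment alongside either of those. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed provisioning-log sample (not real provider data). Each record is
# (timestamp, account, region, action, image, payment_method).
SAMPLE_EVENTS = [
    ("2016-04-01T10:00:00", "acct-7", "us-east", "create", "web-img-9", "bitcoin"),
    ("2016-04-01T10:04:00", "acct-7", "eu-west", "create", "web-img-9", "bitcoin"),
    ("2016-04-01T10:07:00", "acct-7", "ap-south", "create", "web-img-9", "bitcoin"),
    ("2016-04-01T10:09:00", "acct-7", "sa-east", "create", "web-img-9", "bitcoin"),
    ("2016-04-01T10:40:00", "acct-7", "us-east", "delete", "web-img-9", "bitcoin"),
    ("2016-04-01T09:00:00", "acct-2", "us-east", "create", "db-img-1", "card"),
    ("2016-04-01T15:00:00", "acct-2", "us-west", "create", "db-img-1", "card"),
    ("2016-04-03T09:00:00", "acct-2", "us-east", "delete", "db-img-1", "card"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def flag_accounts(events, window=timedelta(hours=1), min_regions=3, churn=timedelta(hours=2)):
    """Return {account: [reason, ...]} for accounts tripping at least one indicator.
    Thresholds (window, min_regions, churn) are assumed values for this example."""
    by_acct = defaultdict(list)
    for ts, acct, region, action, image, pay in events:
        by_acct[acct].append((parse(ts), region, action, image, pay))
    findings = {}
    for acct, evs in by_acct.items():
        evs.sort()
        reasons = []
        creates = [e for e in evs if e[2] == "create"]
        # Indicator 1: the same image launched in >= min_regions regions within `window`.
        for i, (t0, _, _, img, _) in enumerate(creates):
            regions = {r for t, r, _, im, _ in creates[i:] if im == img and t - t0 <= window}
            if len(regions) >= min_regions:
                reasons.append(f"{img} launched in {len(regions)} regions within {window}")
                break
        # Indicator 2: "turn and burn": create followed by delete of the same
        # image in the same region inside `churn`.
        for t0, r0, _, img, _ in creates:
            if any(a == "delete" and r == r0 and im == img and timedelta(0) <= t - t0 <= churn
                   for t, r, a, im, _ in evs):
                reasons.append(f"{img} in {r0} torn down within {churn}")
                break
        # Indicator 3: anonymous payment only counts alongside another signal.
        if reasons and any(e[4] == "bitcoin" for e in evs):
            reasons.append("paid with bitcoin")
        if reasons:
            findings[acct] = reasons
    return findings

if __name__ == "__main__":
    for acct, reasons in flag_accounts(SAMPLE_EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

In the sample, acct-7 trips all three indicators while acct-2’s slow, two-region, card-paid deployment is left alone; in a real pipeline the thresholds would be tuned against the provider’s own baseline of legitimate multi-region deployments.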