Lack of abuse detection allows cloud computing instances to be used like botnets, study says

Some cloud providers don't detect attacks launched from their networks, researchers say

Some cloud providers fail to detect and block malicious traffic originating from their networks, which provides cybercriminals with an opportunity to launch attacks in a botnet-like fashion, according to a report from Australian security consultancy firm Stratsec.

Researchers from Stratsec, a subsidiary of British defense and aerospace giant BAE Systems, reached this conclusion after performing a series of experiments on the infrastructure of five "common," but unnamed, cloud providers.

The experiments involved sending different types of malicious traffic from remotely controlled cloud instances (virtual machines) to a number of test servers running common services such as HTTP, FTP and SMTP.

In one test case, services running on a targeted server were accessible from the Internet, but the server was located in a typical network environment, behind a firewall and an IDS (intrusion detection system). The goal of this particular test was to see how the cloud provider would respond to the presence of outbound malicious traffic originating from its network.

In a different experiment, the targeted test server was set up inside a separate cloud instance from the same provider in order to test if the provider would detect malicious traffic sent over its own internal network.

A third experiment involved the targeted server running inside a cloud instance at a different cloud provider in order to test how that provider would deal with incoming malicious traffic.

The experiments involved sending malformed network packets and performing aggressive port scanning; sending malware to the victim host via a reverse shell; performing a denial of service attack against a Web server running on the targeted host, performing a brute-force FTP password cracking attack; launching SQL injection, cross-site scripting, path traversal and other attacks against popular Web applications running on the targeted host; and sending known exploit payloads to various services running on the host.

In one experiment, some types of malicious activity, like port scanning, were executed for 48 hours in order to see if a large traffic volume and longer attack duration would trigger a response from the cloud provider.

"The results of the experiment showed that no connections were reset or terminated when transmitting inbound and outbound malicious traffic, no alerts were raised to the owner of the accounts, and no restrictions were placed on the Cloud instances," Stratsec senior consultant Pedram Hayati said Monday in a blog post.

Based on these results, Hayati concluded that cybercriminals could easily create and use botnets that run on cloud instances.

Such botnets would be relatively easy to set up and administer if one learns the cloud provider's API (application programming interface), would take less time to build than traditional botnets because replicating cloud instances can be done very fast, would be more stable because cloud instances have a very good uptime, would be more effective because of the increased computing power and bandwidth available to the cloud instances and wouldn't cost much, Hayati said.

"Based on our experiment, with the budget of as low as $7 and minimum hardware specification, it is possible to set up a botCloud with tens to hundreds of Cloud instances," the Stratsec consultant said. "We define 'botCloud' as a group of Cloud instances that are commanded and controlled by a malicious entity to initiate cyber-security attacks."

However, there are also disadvantages to operating such a botnet. For example, this type of botnet is probably not very resilient to takedown efforts, because cloud providers will likely shut down the offending cloud instances down once they receive an abuse notification from security researchers or victims.

"Computing is becoming cheaper and cheaper and for something like $10 one can buy enough computing power to take down a small website for a few hours," Costin Raiu, director of the Global Research & Analysis Team at antivirus vendor Kaspersky Lab, said Tuesday via email. "However, it's also important to say that 'traditional' methods of infecting users with trojans are probably even cheaper and much more resilient to takedowns."

"It takes a lot of time to find a user which is infected by something like a bot from the Pandora DDoS family and convince him to clean his PC," Raiu said. "Such infections can last for weeks or for months - making them a lot cheaper than cloud computing solutions."

That said, cloud platforms can definitely be useful to launch vulnerability scans that can be followed or complemented by other attacks executed with the help of traditional botnets, Raiu said. "I believe that cloud providers should definitely look a bit more into improving the security of their configs."

"The experiment suggests that providers BAE looked at may not be prioritizing monitoring for malicious traffic and the sound implementation of security measures that you'd expect to be implemented on a corporate network," David Harley, a senior research fellow at antivirus vendor ESET, said Tuesday via email. "I can't comment on how typical these providers were. However, when and where cloud providers do implement such countermeasures, the overheads for developing a resilient malicious network are likely to increase sharply."

When making the switch to cloud computing, organizations should search for cloud providers that use high-end firewalls and intrusion detection systems and which undertake regular independent security tests of their environments, Hayati said. "Do not get tempted with ease of use and cheap cost."

In addition, companies should not treat traffic that is coming from public cloud providers as safe, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags firewallsonline safetystratsecBAE Systemscloud computingesetinternetmalwarekaspersky labDetection / preventionintrusionsecurity

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts