Even Ethical Hackers Abuse Cloud Services
Creating Cloud-Hosted Attack Infrastructures a Common Practice, Academic Researchers Find
Many ethical hackers and other security professionals, such as penetration testers, have weaponized cloud platforms to host online attack infrastructure or have used these platforms to conduct reconnaissance, according to security researchers at Texas Tech University.
In their paper, "Cloud as an Attack Platform," the five researchers say they interviewed 75 ethical hackers and penetration testing experts. The findings: about nine out of 10 admitted to bypassing current cloud security features to set up virtual private servers on infrastructure-as-a-service cloud models for reconnaissance, scanning, gaining access to a target and launching an exploit.
Many of those interviewed noted they were exploiting the cloud infrastructure to host phishing sites or launch distributed denial-of-service and brute-force attacks, the researchers note in an accompanying paper.
Although the issue of weak security was prevalent across multiple cloud platforms, the researchers note that free cloud resources and services are the most abused.
"This is due to its attractiveness in being free and recording no identity information; attackers are more eager to utilize these services and launch attacks and yet remain stealthy," says Akbar Namin, an associate professor at Texas Tech University.
Paid cloud platforms were less commonly used by ethical hackers because these services have stronger verification processes. "For the paid ones, since the identity of the users is already recorded, the paid users are less likely to abuse the cloud," Namin tells Information Security Media Group.
The researchers warn that malicious attacks using the cloud are likely to surge as more organizations move their operations online. According to a recent study by security firm Trustwave, cloud services remained the third most targeted environment in 2019, accounting for 20% of the total cyberthreats.
The Steps Involved
The Texas Tech study found that ethical hackers abusing cloud platforms often begin their operations by setting up virtual private servers or multihop VPNs.
Those interviewed described how they encrypt the communication channels of the virtual machines to stay under the radar, the study notes. In the next step, the cybersecurity professionals load the VMs with security tools such as Nmap, Metasploit and Wireshark to conduct offensive operations.
"By running all these tools using the computing resources of the VM on the cloud, attackers could craft and launch a SQL-injection attack, or propagate malware or run malicious scripts on a target machine, or even install software like a keylogger on the target machine to obtain credentials," the authors of the study note.
The report notes that experienced security professionals were able to bypass the advanced security protocols of certain cloud platforms, including Amazon Web Services and Google Cloud Platform, to set up attack infrastructure.
"The Google Cloud Platform has adequate tracking methods to monitor if any of the VMs are running any suspicious processes to circumvent the resources or network quota," the report says. "AWS has GuardDuty to trace malicious activities on the cloud, alongside Amazon Security Inspector to perform security assessment. However, from our participants’ data, we learned that attackers are erudite enough to evade the prevailing security measures on the cloud."
Based on their findings, the researchers recommend that cloud service providers take several steps to prevent exploitation of their platforms:
- Implement preventive measures: One common way attackers set up a cloud account is by using stolen credit card details. To prevent the misuse of anonymous cloud accounts, service providers can use multifactor authentication to verify the user.
- Track VPN usage: Because multihop VPNs require significant bandwidth, tracking network usage and monitoring when certain VMs start to exhaust the network quota can help detect suspicious accounts. The researchers also recommend requiring that software tools be downloaded only from a trusted repository, to help prevent the use of offensive tools on cloud platforms.
- Improve detection: Public cloud providers should deploy virtual hard drives to help identify suspicious accounts.
- Enhance recovery: Using automated anomaly detection tools, blocking malicious traffic and isolating VMs help ensure enhanced recovery.
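The quota-tracking recommendation above, as an added illustration that is not from the study or the article: a small Python detector over constructed per-VM egress telemetry that flags accounts whose VMs run at or above a set fraction of the network quota for consecutive hours, holding free-tier accounts to a shorter streak because they carry no recorded identity. Account and VM names, the quota value and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class NetSample:
    account: str      # hypothetical account id
    vm: str           # hypothetical VM id
    hour: int         # hour index within the observation window
    egress_gb: float  # outbound traffic in that hour, in GB
    free_tier: bool   # free-tier (unverified) account or paid account

# Assumed per-VM hourly egress quota; an illustrative value, not a provider figure.
QUOTA_GB_PER_HOUR = 10.0

def flag_quota_exhaustion(samples, quota=QUOTA_GB_PER_HOUR, ratio=0.8, min_hours=3):
    """Return {account: [reason, ...]} for accounts with a VM whose egress sits at or
    above `ratio` of the quota for consecutive hours. Sustained near-quota egress is
    the pattern the study associates with multihop VPN relays; free-tier accounts
    are held to a shorter streak since they record no identity information."""
    per_vm = defaultdict(dict)
    free = {}
    for s in samples:
        per_vm[(s.account, s.vm)][s.hour] = s.egress_gb
        free[s.account] = s.free_tier
    findings = defaultdict(list)
    for (account, vm), hours in per_vm.items():
        needed = max(1, min_hours - 1) if free[account] else min_hours
        streak = best = 0
        prev = None
        for h in sorted(hours):
            if hours[h] >= ratio * quota:
                streak = streak + 1 if prev == h - 1 else 1  # extend only across adjacent hours
            else:
                streak = 0
            best = max(best, streak)
            prev = h
        if best >= needed:
            findings[account].append(
                f"{vm}: >= {round(ratio * 100)}% of egress quota for {best} consecutive hour(s)")
    return dict(findings)

# Constructed telemetry: three accounts, four VMs, one observation window.
SAMPLES = [
    *[NetSample("acct-free-01", "vm-a", h, g, True) for h, g in enumerate([9.5, 9.8, 9.9, 9.7])],
    *[NetSample("acct-paid-07", "vm-b", h, g, False) for h, g in enumerate([9.0, 9.2, 1.0, 0.4])],
    *[NetSample("acct-paid-07", "vm-c", h, g, False) for h, g in enumerate([2.0, 2.1, 1.9])],
    *[NetSample("acct-paid-12", "vm-d", h, g, False) for h, g in enumerate([8.5, 9.0, 9.9], start=5)],
]

if __name__ == "__main__":
    for account, reasons in flag_quota_exhaustion(SAMPLES).items():
        print(account, reasons)
```

The paid account with a two-hour burst is left alone at the default threshold, which is the trade-off between catching relays and paging on ordinary bulk transfers.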