Cloud computing services are commonly used in cyberattacks, often to host a malicious payload which a victim is duped into clicking and downlading malware. But two researchers have shown that the cloud can harbour something even more alarming for cloud security - “legal zombies”, ready to rob the internet of gold.
Using free cloud application hosting can allow an attacker to create a “free supercomputer” according to The Register's report - used to mine cryptocurrency, researcher Oscar Salazar warns but also capable of mounting direct attacks - and he predicts cybercriminals will soon use this method, according to Tech Week Europe.
Salazar’s attack relies on application-hosting services - many of which have highly lax sign-up procedures, Wired reported. Armed with a self-made list of fake email addresses, he was able to create a host of accounts in the cloud, despite cloud security measures.
With days the two researchers had legally created an army of 1,000 non-existent “customers” on sites offering cloud application services - and used this horde to mine cryptocurrency. At full power, the botnet earned $1,750 a week “on someone else’s electricity bill”, Ragan said.
Cloud security - undead allowed in, no questions asked
“We essentially built a supercomputer for free,” Ragan said. He, along with Salazar works as a researcher for the security consultancy Bishop Fox. “We’re definitely going to see more malicious activity coming out of these services.”
Salazar and Ragar declined to reveal which of the 150 companies they tested allowed them entry - to prevent hackers following in their footsteps - but said that in some cases, the mining process was allowed to continue for weeks.
“What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service.”
No CAPTCHAS, no questions - is this cloud security?
“A lot of these companies are startups trying to get as many users as quickly as possible,” says Salazar. “They’re not really thinking about defending against these kinds of attacks.”
Worryingly, some of these companies use cloud services resold from Amazon - which may make mitigating certain forms of cyberattack more difficult.
“Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” Ragan said. “That becomes a challenge. You can’t blacklist that whole IP range.”
The Register reports that the researchers admit that the technique ‘violates’ a lot of terms-of-service - and hence, the bots were cullled mercilessly after the experiment.