The abuse of cloud services extends beyond malicious insiders: it also gives cyber criminals the ability to use such services for criminal gain.
There are multiple ways in which cloud services can be used for malicious purposes.
Resource Intensive Operations—Cracking Passwords
There is no question that the malicious actor's job is considerably easier if the intended victims use very simple passwords.
Remarkably, analysis of the breach of Adobe Systems found that the most common password was 123456 [40], used by 1.9 million users.
Should the target not use a simple password, the attacker must fall back on alternative means of cracking it, which has become considerably easier (or rather cheaper) with cloud computing.
In particular, using cloud computing resources to undertake a brute-force attack (repeatedly trying different passwords until the right one is found) is made considerably more efficient.
There have been many demonstrations of the use of cloud computing to brute force passwords; in 2010, for example, German hacker Thomas Roth was reported [41] to have used AWS to crack passwords stored as Secure Hash Algorithm (SHA-1) hashes.
By using Amazon’s graphics processing unit (GPU) instances, Roth was able to crack hashes that contained passwords between one and six characters in 49 min, with the GPU instances costing $2.10 per hour at the time.
GPU instances are a product designed for high-performance computing jobs that Roth describes as “known to be the best hardware accelerator for cracking passwords.”
Other examples of brute-forcing passwords via cloud computing include wireless network passwords; for example, in 2009, the service known as WPA Cracker was reported [42] to have checked a password against 135 million entries in 20 min for only $34.
Wireless network and SHA-1 passwords are, however, only the tip of the iceberg.
A multitude of services offer computing resources for the resource-intensive work of brute-forcing passwords over a cloud service.
As the two earlier examples show, some simply provide the raw resources, whereas dedicated companies offer a simple GUI and a SaaS service built solely for cracking passwords.
Some toolkits give the potential hacker an interface into cloud resources to use cloud services for brute-forcing passwords.
It is, however, worth noting that the use of commercial cloud services to crack passwords without authorization will breach the acceptable use policy for the provider.
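The defender's side of the arithmetic above is worth seeing in code. The following is an added example, not code from the original text: it rejects passwords found in a (constructed) common-password blocklist such as 123456, estimates how long exhausting a password's keyspace would take and cost at an assumed rented-GPU guess rate, and shows the mitigation the text implies, storing passwords with a salted, deliberately slow key derivation function instead of a fast unsalted hash. The guess rates, the blocklist, the 12-character minimum, the PBKDF2 iteration count and the per-hour price used as a default are all assumptions for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Constructed blocklist; "123456" is the Adobe-breach example from the text.
# A real deployment would load a full breach corpus.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "123456789"}

# Assumed guess rates (guesses per second) for one rented GPU instance.
# Illustrative assumptions, not measured figures: an unsalted SHA-1 hash is
# cheap to compute, PBKDF2 with a high iteration count is not.
ASSUMED_RATES = {"sha1": 2e9, "pbkdf2_600k": 2e4}

PBKDF2_ITERATIONS = 600_000  # assumption: a modern recommended iteration count


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def keyspace(charset: int, max_len: int) -> int:
    """Number of candidate strings of length 1..max_len over `charset` symbols."""
    return sum(charset ** n for n in range(1, max_len + 1))


def brute_force_seconds(charset: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every candidate up to `length` characters."""
    return keyspace(charset, length) / guesses_per_second


def brute_force_cost(seconds: float, price_per_hour: float) -> float:
    """Rental cost of the run on one instance, billed per started hour."""
    return math.ceil(seconds / 3600) * price_per_hour


def hash_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store passwords with a salted, slow KDF rather than a bare fast hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def evaluate_password(password: str, price_per_hour: float = 2.10) -> dict:
    """Reject known-weak passwords; otherwise estimate what exhausting them would cost."""
    if password in COMMON_PASSWORDS:
        return {"accepted": False, "reason": "listed in common-password blocklist"}
    if len(password) < 12:
        return {"accepted": False, "reason": "shorter than 12 characters"}
    cs = charset_size(password)
    result = {"accepted": True, "charset": cs}
    for name, rate in ASSUMED_RATES.items():
        secs = brute_force_seconds(cs, len(password), rate)
        result[name] = {"seconds": secs, "cost_usd": brute_force_cost(secs, price_per_hour)}
    return result


if __name__ == "__main__":
    for pw in ("123456", "Tr0ub4dor&3xyz"):
        print(pw, evaluate_password(pw))
```

The point of the two rates side by side is that the attacker's cost scales with the hash function the defender chose: the same rented hardware gets orders of magnitude fewer guesses per second against a slow KDF, so the cost column, not the instance price, is what a password policy should be judged against.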
Hosting Malicious Content
There are two elements regarding the hosting of malicious content:
- Using providers that have no issue with hosting any (or almost any) malicious content.
- Using providers to host malicious content in circumvention of the CSP's acceptable use policy.
The practice of using a provider with lenient acceptable use policies is known as bulletproof hosting.
Abuse of Cloud Services
Such services have been used by malicious actors (e.g., those hosting content such as pornography or sending spam) for some time.
However, the drawback of such services is that they are often blacklisted by security providers; the emerging trend among many malicious actors is therefore to use commercial hosting services that are not blacklisted, and so reach all intended victims without security tools blocking the sending domains.
This trend poses a challenge to commercial cloud providers, as hosting malicious content could result in their operations being blacklisted, which would harm existing customers and ultimately impact profitability.
The challenge, of course, will be for the cloud provider to ensure the customer is not using its services for malicious purposes.
This is difficult because signing up is automated, with no interaction with a human operator: all that is required is a credit card.
Consequently, providers will need to establish mechanisms to determine whether fraudulent activities are taking place, but according to John Rowell of Dimension Data,
“There are service providers that…do not have adequate fraud measures in place, and they have to be losing insane amounts of money on it.
It’s got to have an immense impact on their profitability as well as just the health and cleanliness of their platform.”
The difficulty lies in how much scrutiny to apply to customer operations in the provisioned service, since one of the biggest selling points of the cloud is its ease of use.
Indeed, many providers make establishing their services so simple that in many cases the IT department is not even aware of their use (so-called Shadow IT).
Adding more checks and oversight risks customers no longer seeing the service as simple, and migrating to providers whose oversight is less onerous.
Therefore, a balance is necessary between fraud detection and ease of use.
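One way a provider can strike that balance is risk-based friction at sign-up: score each request on a few cheap signals and add verification steps only as the score rises, so the ordinary customer still gets the instant, credit-card-only experience the text describes. The following is an added example, not code from the original text or from any provider named in it; the sign-up records are constructed, and the signals, weights and thresholds (disposable mail domain, a card or source address reused across several accounts within an hour, a very large first capacity request) are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed list of throwaway-mailbox domains (assumption).
DISPOSABLE_DOMAINS = {"tempmail.example", "mailinator.example"}


@dataclass
class SignUp:
    ts: datetime
    email: str
    ip: str
    card_fingerprint: str   # hash of the card number; the number itself is never kept
    requested_instances: int


T0 = datetime(2024, 1, 1, 10, 0)

# Constructed sign-up stream: one ordinary customer, one throwaway mailbox,
# then three rapid sign-ups on the same card and address asking for large capacity.
SIGNUPS = [
    SignUp(T0, "alice@corp.example", "203.0.113.5", "card-a1", 1),
    SignUp(T0 + timedelta(minutes=5), "bob@tempmail.example", "198.51.100.7", "card-b2", 2),
    SignUp(T0 + timedelta(minutes=10), "x1@mail.example", "192.0.2.10", "card-z9", 50),
    SignUp(T0 + timedelta(minutes=12), "x2@mail.example", "192.0.2.10", "card-z9", 50),
    SignUp(T0 + timedelta(minutes=14), "x3@mail.example", "192.0.2.10", "card-z9", 50),
]


def risk_score(s: SignUp, history: List[SignUp], window: timedelta = timedelta(hours=1)) -> int:
    """Additive score from a few cheap signals; the weights are illustrative assumptions."""
    score = 0
    domain = s.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        score += 30
    recent = [h for h in history if timedelta(0) <= s.ts - h.ts <= window]
    if sum(1 for h in recent if h.card_fingerprint == s.card_fingerprint) >= 2:
        score += 40   # same card reused for a third account within the window
    if sum(1 for h in recent if h.ip == s.ip) >= 2:
        score += 20   # third account from the same address within the window
    if s.requested_instances > 10:
        score += 30   # unusually large first request
    return score


def decide(score: int) -> str:
    """Keep low-risk sign-ups frictionless; add friction only as risk rises."""
    if score < 30:
        return "allow"
    if score < 60:
        return "verify"    # step-up check, e.g. phone or identity verification
    return "review"        # hold for manual fraud review before provisioning


def triage(signups: List[SignUp]) -> List[Tuple[str, int, str]]:
    """Score each sign-up against the ones that came before it, in arrival order."""
    decisions = []
    for i, s in enumerate(signups):
        score = risk_score(s, signups[:i])
        decisions.append((s.email, score, decide(score)))
    return decisions


if __name__ == "__main__":
    for email, score, outcome in triage(SIGNUPS):
        print(f"{email:24} score={score:3}  {outcome}")
```

In the constructed stream only the last sign-up, the third account on one card from one address asking for fifty instances, is held for review; the first customer passes with no friction at all, which is the trade-off the passage describes.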
Due Diligence To Prevent Abuse of Cloud Services
Migrating to the cloud is a simple and effective way to transfer existing workloads to an external party without the need to rush out and buy new hardware, install the operating system, hire administrators, etc.
Indeed, the cloud is one of the most effective mechanisms for outsourcing an organization's work; however, the risk cannot be outsourced so easily, as failure to undertake appropriate due diligence will leave the end customer liable.
In particular, where personally identifiable information (PII) is hosted, there will likely be data protection legislation that demands due diligence when using third parties to host such data.
The intention may be to rely on certifications that the provider boasts as a demonstration of security;
however, regulators in many countries have ruled this insufficient. The UK Information Commissioner's Office recently clarified this position:
“The Data Protection Act does not stop the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it, this includes if it is being stored in the cloud outside of the UK.
While any scheme aimed at ensuring people’s information is adequately protected in line with an organization’s requirements under the Act is to be welcomed, organizations thinking of using CSPs must understand that they are still responsible for the safety of that data.
Just because their CSP is registered with such a scheme, does not absolve the organization who collected the data of their legal responsibilities.”
Due diligence is therefore imperative, and while the desire may be to adopt cloud computing just as quickly as the sign-up process allows, it is important to note the obligation to undertake a sufficient assessment of the risks associated with migrating to a third party, whether in the cloud or not.
Criminals may use cloud computing to target their victims and turn the cloud service against them. DDoS attacks, phishing attempts, email spam, and digital currency “mining” are just some examples of the misuse of cloud resources.
If an attacker is able to compromise a user’s cloud infrastructure, the business can face immense consequences.
Enterprises must monitor who has access to the cloud and set up mitigations for any threats or risks.
Data loss prevention and disaster recovery plans can aid in the recovery process if abuse of cloud services should occur.
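Monitoring who has access is only useful if the account's activity is also watched for the patterns a hijacked credential leaves, such as the sudden GPU capacity a mining or cracking job needs, launched in a region the principal never used. The following is an added example, not code from the original text or from any provider: it builds a per-principal baseline (regions and instance families seen) from constructed audit events loosely modelled on a cloud API audit log, then flags new events that launch outside that baseline, launch GPU families for the first time, or launch more instances in one batch than an assumed threshold. The field names, instance-family list and threshold are assumptions for illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed audit events (field names are assumptions). Baseline: what each
# principal normally does.
BASELINE_EVENTS = [
    {"principal": "deploy-bot", "action": "RunInstances", "region": "eu-west-1", "instance_type": "t3.medium", "count": 2},
    {"principal": "deploy-bot", "action": "RunInstances", "region": "eu-west-1", "instance_type": "t3.large", "count": 1},
    {"principal": "ci-runner", "action": "RunInstances", "region": "us-east-1", "instance_type": "c5.xlarge", "count": 4},
    {"principal": "ci-runner", "action": "DescribeInstances", "region": "us-east-1", "instance_type": None, "count": 0},
]

# New events: deploy-bot behaves as usual; ci-runner suddenly launches GPU
# capacity in a region it never used, the footprint a hijacked credential
# used for mining or cracking would leave.
NEW_EVENTS = [
    {"principal": "deploy-bot", "action": "RunInstances", "region": "eu-west-1", "instance_type": "t3.medium", "count": 2},
    {"principal": "ci-runner", "action": "RunInstances", "region": "ap-southeast-1", "instance_type": "p3.8xlarge", "count": 16},
    {"principal": "ci-runner", "action": "RunInstances", "region": "ap-southeast-1", "instance_type": "p3.8xlarge", "count": 16},
]

GPU_FAMILIES = {"p2", "p3", "p4d", "g4dn", "g5"}  # assumption: families treated as GPU capacity
BURST_THRESHOLD = 20  # assumption: instances per principal per batch of events


def family(instance_type: str) -> str:
    """'p3.8xlarge' -> 'p3': the family part of a family.size instance name."""
    return instance_type.split(".", 1)[0]


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Regions and instance families each principal has launched before."""
    profile = defaultdict(lambda: {"regions": set(), "families": set()})
    for e in events:
        if e["action"] != "RunInstances":
            continue
        profile[e["principal"]]["regions"].add(e["region"])
        profile[e["principal"]]["families"].add(family(e["instance_type"]))
    return dict(profile)


def detect(events: List[dict], baseline: Dict[str, dict]) -> List[dict]:
    """Per-event deviations from the baseline, plus one burst alert per principal."""
    alerts = []
    launched = Counter()
    empty = {"regions": set(), "families": set()}
    for e in events:
        if e["action"] != "RunInstances":
            continue
        p = baseline.get(e["principal"], empty)   # unknown principal: everything is new
        fam = family(e["instance_type"])
        if e["region"] not in p["regions"]:
            alerts.append({"principal": e["principal"], "rule": "new_region", "detail": e["region"]})
        if fam in GPU_FAMILIES and fam not in p["families"]:
            alerts.append({"principal": e["principal"], "rule": "gpu_launch", "detail": e["instance_type"]})
        launched[e["principal"]] += e["count"]
    for principal, total in launched.items():
        if total > BURST_THRESHOLD:
            alerts.append({"principal": principal, "rule": "burst", "detail": f"{total} instances"})
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{a['principal']:12} {a['rule']:12} {a['detail']}")
```

The baseline is what makes the rule cheap to keep quiet: deploy-bot doing exactly what it always does raises nothing, while ci-runner's two GPU launches in a new region produce region and GPU alerts on each event and a single burst alert for the 32 instances in total.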