Malware found on Amazon and Google cloud services
In-depth study claims that major business cloud providers are rife with malware - but what does this mean in practice, and how worried should we be?
A new study has found considerable amounts of malware lurking in the cloud, including examples on Amazon and Google, as well as a key misconfiguration on Amazon S3.
The researchers claim the work is “the first systematic study on the abuses of cloud repositories on the legitimate cloud platforms as a malicious service”. It involved building a scanner that detected over 600 bad repositories (which the paper calls “Bars”) on leading cloud platforms such as Amazon and Google, and 150,000 sites, including popular ones like groupon.com, that were using them.
The overall cloud adoption rate by enterprise in the UK today stands at 84 per cent, with almost four in five (78 per cent) of cloud users having formally adopted two or more services, according to the Cloud Industry Forum.
Because much of the data in the cloud is obfuscated, traditional malware scanning is difficult or impossible, and the researchers noted that in many cases otherwise innocuous code stored across multiple buckets could be assembled into attack tools, further hindering detection. Unsurprisingly, there were a range of usage types, from criminals simply opening a cloud account and hosting their software on it, to more sophisticated schemes where malicious content was hidden in the cloud-based domains of well-known brands. This intermingling of bad content with good content on trusted domains meant that blacklisting the malware wasn’t possible.
“The emergence of using cloud repositories as a malicious service presents a new challenge to web security. This new threat, however, has not been extensively studied and little is known about its scope and magnitude and the techniques the adversary employs”, said the researchers in their technical paper.
The heart of the research was identifying a series of topological, content and network features that specifically mark out malicious cloud buckets. One example from the paper is the regular use of ‘gatekeeper’ nodes: “the redirection infrastructure leading to a Bar tends to include the features for protecting the Bar from being detected by web scanners, presumably due to the fact that the repository is often considered to be a valuable asset for the adversary. Specifically, we found that typically, there are a few gatekeeper nodes sitting in front of a Bar, serving as an intermediary to proxy the attempts to get resources from the Bar.”
These features were then used to detect potentially compromised Bars across a wide range of top websites and hosting providers, with concerning results.
One of the reasons behind these figures was an access policy misconfiguration, which leaves Amazon S3 buckets vulnerable by default. Although it is possible to configure the access policies to define which AWS accounts or groups are granted access and the type of access (i.e., list, upload/modify, delete and download), “By default, the policy is not in place, and in this case, the cloud only checks whether the authorization key (i.e., access key and secret key) belongs to an S3 user, not the authorized party for this specific bucket…”
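The access-policy point above, as an added example that is not code from the study or from AWS: a small checker that reads an S3 bucket policy document and flags Allow statements granting the write operations the article lists (upload/modify, delete) to any principal, alongside a constructed over-permissive policy and a corrected one that names a single placeholder account. Bucket names and the account ID are assumptions for illustration.

```python
import json

# Write-type operations from the access types the article lists
# (list, upload/modify, delete, download); s3:* covers all of them.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:*"}

def principal_is_open(principal) -> bool:
    """True when a statement's Principal matches any caller ("*" or AWS:"*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def audit_bucket_policy(policy_json):
    """Return a list of findings for a bucket policy document (None = no policy)."""
    if policy_json is None:
        # The article notes that with no policy in place the bucket falls back
        # to the platform default rather than a bucket-specific authorized party.
        return ["no bucket policy attached; access falls back to the platform default"]
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if principal_is_open(stmt.get("Principal")) and actions & WRITE_ACTIONS:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: write access granted to any principal")
    return findings

# Constructed sample policies; the bucket name and account ID are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpenWrite", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OwnerWrite", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
                   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}],
})

if __name__ == "__main__":
    for name, doc in (("no policy", None), ("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_bucket_policy(doc) or ["ok"])
```

The checker only inspects the bucket policy document; object ACLs and IAM policies on the calling account are evaluated separately by S3 and are outside what this snippet covers.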
Unsurprisingly, the flaw has been exploited by attackers on some high-profile sites, the researchers found: “We found that in some cases, the attack has been there for six years. Particularly the Amazon bucket s3.amazonaws.com_groupon, Groupon’s official bucket, was apparently compromised five times between 2012 and 2015.”
Many of the cloud platforms studied have active bug bounty programs, which you might have expected to pick up a misconfiguration such as this. However, new research from High-Tech Bridge found that nine out of ten companies with public or private bug bounty programs have at least two high or critical risk vulnerabilities that are detected in less than three days of professional auditing but were missed by the crowd due to detection and exploitation complexity.
The high level moral of the story? Never trust a default configuration!