Pierluigi Paganini June 14, 2013

US Cloud hosting providers are chosen with increasing frequency as privileged targets of cybercrime, these platforms are ideal for the launch of cyber attacks financially motivated.

Cloud hosting providers are becoming privileged targets of cybercrime, two malware researchers revealed in fact the number of cyber attacks financially motivated against those platforms is increasing.

Mary Landesman, a senior security researcher at Cisco Systems, and Dave Monnier security expert at Team Cymru explained during the 2013 Gartner Security and Risk Management Summit that cybercriminals are exploiting US cloud hosting providers to deploy Command and Control servers for their malicious activities.

Despite principal hosting cloud providers monitor carefully for abuse of accounts and infrastructures the phenomena are in constant growth especially in US. US is one of privileged countries to host malicious architecture due high availability of its infrastructures.

“You can move your command and control servers to Kazakhstan, but that’s not a very good business decision,” “The U.S. has redundant power, high availability and great peering; these are things all these guys are looking for.” Monnier declared.

Cyber criminals exploit compromised hosting account on cloud infrastructures or they set up accounts to conduct fraudulent activities. The acquisition of fraudulent accounts is done using a stolen digital identity and payments are executed with stolen credit card or using compromised payment services accounts.

Both researchers highlighted the meaningful increase of number and magnitude for Distributed Denial of Service attacks that reveal the capability of cybercriminals to control more infrastructure hosted by cloud hosting providers.

Recently APWG issued the new edition of its APWG Global Phishing Survey report that identifies trends and their significance by quantifying the scope of the global phishing problem.

Fishers, exactly as other type of cyber criminals, appear active as never before breaking into cloud hosting providers with unprecedented success and abusing of their resources to conduct large scale phishing attacks.

APWG Global Phishing Survey report states that the number of phishing attacks that targeted shared Web hosting represented 47% of overall phishing attacks, attackers registered principal subdomains than regular domain names.

The technique adopted by attackers appears very efficient, they hack shared Web hosting server and update its configuration so that phishing pages are displayed from a particular subdirectory of each domain hosted on the server, in this way compromising a single shared hosting server, it is possible to exploit hundreds or even thousands of websites at a time for the attacks.

Adapting the same methods to cloud hosting providers, each compromised or fraudulent account could manage dozens of sites.

Compromising an account is possible to control one or more servers associated and each served typically host more than a single website. Compromised websites could than be used to conduct an attack against specific targets or could be used to implement watering hole schema of attacks to spread malicious agents.

“We need hosting providers to ensure the integrity of all their Web servers continually,” Landesman declared.

Once again Landesman has explained the scheme of attack adopted in a campaign dubbed Darkleech,” an estimated 20,000 legitimate websites that use Apache HTTP server software have been compromised to be used to launch drive-by malware attacks against visitors.

“Thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules,” “These modules are then used to turn hosted sites into attack sites, dynamically injecting iFrames in real-time, only at the moment of visit.” declared  Mary Landesman

The attackers are improving the techniques of attacks making even more difficult the detection of malicious activities, in March a new version of the threat called Linux/Cdorked malware was discovered attacking Apache installations.

Another massive attack that was conducted exploiting the cloud hosting providers is the Gumblar attacks, a massive brute-force attack campaign that targeted WordPress accounts to gather admin credentials.

The trend is very concerning, in the next moths cloud infrastructures, social networks and mobile platforms will suffer a growing number of attacks, cyber criminals with a reasonable effort will be able to target wide audience and principal providers are located in the Western Regions for the above reasons.

Knowledge of these trends is essential to prevent future accidents.

Pierluigi Paganini

(Security Affairs – Cloud, Cybercrime)