The cloud is being used by organizations of all sizes as a way to lower costs and achieve a better return on investment. But it can also be leveraged by more malicious actors as a highly efficient platform from which to attack organizations of all sizes.
At the RSA security conference last week, Rob Ragan, senior security associate at Bishop Fox, explained how cloud services could be exploited in a session titled, “Cloud Ninja: Catch Me If You Can.”
“There are lots of cloud organizations that are willing to give away free computing power and storage space,” Ragan said. “So we got to thinking, what if we gather all these free services and try and build a botnet out of all the free computing power.”
Ragan said that he was in fact able to build a botnet using free trials from multiple cloud vendors without spending a penny. As he started to do the research, he noticed that he wasn’t the only one trying to use free cloud services for malicious purposes, which is where the “catch me if you can” piece comes into the equation.
“We realized that if attackers start to host more of their attack platform on free trials from cloud services, it will become an increasing challenge for organizations to block and defend,” Ragan said. “Organizations can’t just block an Amazon IP or Rackspace address ranges, which might also be used for legitimate purposes.”
Going a step further, Ragan said it is possible to automate the process of managing the free cloud services instances and then to leverage them for attacks or even just to mine Bitcoins.
Ragan stressed that his research was not about specific exploits or vulnerabilities, but rather about business logic and usage flaws that enabled him to build a botnet out of free services.
“We realized that a lot of these services were really only relying on email address confirmation to set up an account,” Ragan said. “We were actually able to build a framework that lets us automatically register and click the confirmation link with unlimited email addresses, which defeats the whole confirmation process.”
The whole system for setting up new email addresses and confirming them for cloud service registration is also cloud-based. Ragan said that the framework uses shared domain services and can use Google App Engine to process the email confirmation link automatically. The whole database that manages all the free cloud services in the botnet is hosted on a free MongoDB hosting platform.
Mitigations include authentication, confirmation
Ragan has a few suggestions for cloud vendors to limit the risks of their platform from being leveraged by an attacker for malicious purposes. At the top of Ragan’s list is the need for improved authentication and confirmation mechanisms for signing up new and free users.
An email confirmation alone is not enough. Having SMS, CAPTCHA and credit card-based verification can help limit the risk of automated account creation. Having techniques and technologies in place to detect fake or automated users should be a core part of cloud service platforms, in Ragan’s view.
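One way a provider could act on that last suggestion, shown here as an added example (not code from the talk or the article), is to score each free-trial registration on the signals an automated register-and-confirm framework leaves behind: a confirmation link followed faster than a person reads mail, and bursts of accounts from one shared email domain or one source address. The record layout, thresholds and sample registrations are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample free-trial registrations (not data from the talk or the article).
# Each record: email, source IP, signup time, time the confirmation link was followed.
SIGNUPS = [
    ("alice@example.com",  "203.0.113.10", "2014-03-03T10:00:00", "2014-03-03T10:04:12"),
    ("bob@example.net",    "203.0.113.11", "2014-03-03T10:05:00", "2014-03-03T10:15:30"),
    ("u1@sharedmail.test", "198.51.100.7", "2014-03-03T11:00:00", "2014-03-03T11:00:02"),
    ("u2@sharedmail.test", "198.51.100.7", "2014-03-03T11:00:20", "2014-03-03T11:00:21"),
    ("u3@sharedmail.test", "198.51.100.7", "2014-03-03T11:00:40", "2014-03-03T11:00:42"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def flag_signups(records, min_confirm_seconds=5, burst_threshold=3, window=timedelta(hours=1)):
    """Return {email: [reasons]} for registrations that look automated.
    Three heuristics, each weak alone but telling in combination:
      - confirmation link followed in under min_confirm_seconds
      - burst_threshold or more accounts from one email domain inside the window
      - burst_threshold or more accounts from one source IP inside the window
    """
    parsed = [(e, ip, _ts(s), _ts(c)) for e, ip, s, c in records]
    by_domain, by_ip = defaultdict(list), defaultdict(list)
    for e, ip, s, _ in parsed:
        by_domain[e.split("@")[1].lower()].append(s)
        by_ip[ip].append(s)

    def in_burst(times, t):
        # Count registrations under the same key within +/- window of this one.
        return sum(1 for u in times if abs(u - t) <= window) >= burst_threshold

    flagged = {}
    for e, ip, s, c in parsed:
        reasons = []
        if (c - s).total_seconds() < min_confirm_seconds:
            reasons.append("confirmed in %.0fs" % (c - s).total_seconds())
        if in_burst(by_domain[e.split("@")[1].lower()], s):
            reasons.append("domain burst")
        if in_burst(by_ip[ip], s):
            reasons.append("ip burst")
        if reasons:
            flagged[e] = reasons
    return flagged

if __name__ == "__main__":
    for email, why in flag_signups(SIGNUPS).items():
        print(email, "->", ", ".join(why))
```

A flagged registration is a candidate for the stronger checks the paragraph lists (SMS, CAPTCHA, card verification) rather than an automatic rejection, since a single signal on its own is easy to trip by accident.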
Ragan noted he also understands the business model imperatives.
“I think they (cloud providers) want as many users as quickly as possible, so they try and make it as easy as possible to sign up for a free trial,” Ragan said. “Finding the right balance and being aware of abuse is what we want to raise awareness on.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist