Attackers probe Google Cloud, AWS, Microsoft Azure customers for weaknesses

Attackers are tailoring attacks for machines hosted on different cloud providers, according to new research.

Hackers ply every angle possible to turn up a software flaw on desktops and new research shows they’re also looking for unique differences in the way organizations configure services deployed on public cloud infrastructure, such as Amazon Web Services and Microsoft’s Azure.

Research by security firm Rapid7 found that nearly a quarter of customer nodes or connection points deployed on IBM's SoftLayer expose database services such as MySQL & SQL Server directly to the internet, posing privacy and security risks to the organization and its clients.

It also found the vast majority of customer devices on Digital Ocean and and Google's cloud expose shell services using Internet protocols, such as SSH and Telnet, the latter being key to the recent DDoS attacks against managed domain name service provider, Dyn.

Organizations using public clouds are also frequently probed by hackers who use well-known flaws like ShellShock and other bugs to compromise remote desktop sessions, it found.

Rapid7 has been exploring what cloud attacks look like and whether attackers are taking a scattergun approach or tailoring them to exploit patterns particular to customers of each provider. The evidence suggests that attackers are refining techniques for customer profiles linked to certain cloud providers.

The research looked at whether customers of AWS, Microsoft Azure, Digital Ocean, Google Cloud, Rackspace, and IBM SoftLayer introduced new security risks by exposing services to the internet, such as Windows, a database, mail servers, and shell or web services.

“While most cloud user populations rely on these services for web hosting, the kinds of services exposed by each cloud provider’s user populations are varied according to the provider. These differences are being tested and exploited today by a range of adversaries who are clearly aware of these differences,” said the firm.

The research was conducted by deploying dummy machines, or honeypot devices, that are used purely to observe how attackers conduct their work. Rapid7 used these to pioneer a big-data approach to security research under Project Sonar, and has since teamed up with Microsoft and Amazon for Project Heisenberg to profile attacks against customers that rent computing power public cloud providers.

Rapid7 deployed Heisenberg honeypots in every geographical zone offered by Amazon’s AWS, Microsoft Azure, Digital Ocean, Rackspace, Google Cloud and IBM’s SoftLayer.

Project Sonar scanned millions of IPv4 HTTPS web servers for details about digital certificates they used to detect whether any of the certificates had bee compromised. Project Heisenberg takes the same approach to the cloud.

While the Heisenberg Project’s research do show differences in how attackers are looking at customers across different clouds, they only reveal potential weaknesses in how customers choose to secure their information given the choices they’re offered by public cloud providers rather than any inherent weakness in the service offered by each provider .

“Each cloud provider attracts different types of customers and cloud providers — along with the open source community — provide many guides for how to deploy various types of services,” Bob Rudis, chief security data scientist at Rapid7, told CSO Australia in an email response.

“Furthermore, there are different types and levels of automation in each cloud provider and there are definitely services that each cloud provider emphasizes in different ways.”

Another source of unseen security vulnerabilities in the cloud could be configuration profiles suggested by each provider.

“Amazon or Google either offer managed database services — such as MySQL RDS — which they encourage (via suggested configuration profiles) be used from private cloud network addresses. Other clouds, such as SoftLayer, are purpose-built to make it very easy for customers to deploy a wide range of databases per the deployment choices for each organization,” said Rudis.

“Ultimately, the responsibility for security is up to the organizations deploying services to the cloud and there could be varying levels of exposure over time in each cloud.”

Details about Rapid7's pubic cloud research can be found here.

Tags microsoft azurerackspaceDDoS attacksAWSGoogle CloudRapid7CSO AustraliaShellshockIBM's SoftLayer

Show Comments