Malware is a fact of life today. And that shouldn’t change anytime soon.
Malware in the cloud adds another category to the worms, viruses, spyware and other malware the industry fights against every day. The phenomenon is not new ; it has been growing for more than a decade. The SpyEye banking trojan, for example, was hosted in Amazon Simple Storage Service buckets in 2011. Cloud security provider Netskope reported that 68% of all malware downloads came from cloud applications.
Let’s look at the types of cloud malware and how to defend against it.
Types of Malware in the Cloud
Any discussion of malware in the cloud should focus on two specific categories:
- malware that uses the cloud for delivery and communications (command and control); and
- malware that explicitly targets cloud assets and resources.
Modern malware takes root through cloud services in a variety of ways. First, many types of malware are hosted in cloud storage environments, either in dedicated services, such as Dropbox or Box, or in storage nodes within IaaS or PaaS clouds. These publicly exposed storage accounts, or nodes, are often located in well-known cloud service provider (CSP) environments to minimize the risk of content filtering software blocking the hosting domain. Ransomware, in particular, is often cited as a cloud-hosted threat.
Second, many malware variants host their command and control infrastructure in the cloud, as most organizations do not explicitly block traffic to AWS, Azure, Google Cloud Platform, and other major CSPs.
Third, certain types of malware can be used in DDoS campaigns, where cloud-hosted systems under an attacker’s control are then used to send large amounts of traffic to victims. These attacks can also be the result of compromised systems in cloud tenant accounts.
At the same time, new malware variants are targeting cloud services and workloads. Among the best known are cryptocurrency miners that target cloud-based virtual machines and container workloads. These types of malware analyze exposed APIs to determine if any of them can be exploited to enable installation and execution on workloads. Once this is accomplished, the attackers mine the cryptocurrency for profit.
Trend Micro reported that a variety of coordinated attack groups compromise exposed cloud assets and services and then mine cryptocurrency using techniques such as SSH brute forcing, remote mining of vulnerable services and issuing commands via exposed APIs.
Other cloud-focused malware includes embedding malicious files into virtual machine templates for continuous propagation and persistence – a technique seen numerous times with cryptomining attacking group TeamTNT. Another common cloud malware involves attacks via compromised plugins and modules on cloud provider marketplaces – a technique that can be used to steal data from SaaS deployments or embedded in PaaS and IaaS accounts. Countless variations of these attacks exist.
How to Fight Malware in the Cloud
Fortunately, malware in the cloud can be detected and prevented. Organizations must do the following:
- Encrypt all data stored in the cloud. This helps prevent data exposure or compromise when cloud-based malware targets accounts and workloads.
- Require strong authentication on all cloud user accounts. Strong passwords and multi-factor authentication help prevent cloud accounts from being compromised by malware campaigns.
- Back up workloads and cloud data. Ideally, workload images and datastores are backed up and replicated to a separate account or subscription, if possible. This helps to mitigate a wide variety of cloud-based malware techniques.
- Implement network and identity-based isolation and segmentation. A number of cloud-oriented segmentation tactics are available; organizations should minimize the attackable surface within a specific account or subnet as much as possible.
- Implement network behavioral monitoring tools and services. All major IaaS clouds offer network flow data to tenants. This information can be aggregated and analyzed to spot indicators of lateral movement and command and control traffic.
- Use cloud provider detection tools and technologies. In addition to logging events and sending that data to a central analytics platform, some CSPs offer malware detection technology that can reveal indicators of malware infection or behavior. For example, Microsoft offers malware detection features in a number of its Microsoft 365 services.
While malware in the cloud is likely to remain for the foreseeable future, there’s good news: we’re constantly getting better at fighting it.