Cybercriminals using hijacked Cloud hosting accounts for targeted attacks
US cloud hosting providers are a constant target for cyber criminals, according to two malware researchers, Mary Landesman, a senior security researcher at Cisco Systems, and Dave Monnier, a security expert at Team Cymru, who presented their findings at the 2013 Gartner Security and Risk Management Summit.

Attackers are increasingly exploiting these infrastructures to run financially motivated operations.
Landesman and Monnier explained in two separate sessions that cyber criminals are abusing US cloud hosting providers to deploy command and control servers for their malicious activities, despite the considerable monitoring effort made by the hosting providers.

The US is a favoured country for hosting malicious infrastructure because of the high availability of its facilities, and cyber criminals know it.
"You can move your command and control servers to Kazakhstan, but that's not a very good business decision," Monnier said. "The U.S. has redundant power, high availability and great peering; these are things all these guys are looking for."

Cyber criminals either exploit compromised hosting accounts on cloud infrastructures or set up their own accounts to conduct fraudulent activities. Fraudulent accounts are opened using stolen digital identities, and payment is made with stolen credit cards or compromised payment service accounts.

The criminals use cloud infrastructure for a range of fraudulent activities, such as staging Distributed Denial of Service attacks, botnet management, watering hole attacks and phishing campaigns.

The latest edition of the APWG Global Phishing Survey revealed that phishers, like other categories of cyber criminals, are more active than ever, breaking into cloud hosting providers with unprecedented success and abusing their resources to conduct large-scale phishing attacks.

"The APWG Global Phishing Survey report states that phishing attacks targeting shared Web hosting represented 47% of overall phishing attacks, and that attackers registered more subdomains than regular domain names.

The technique adopted by attackers appears very efficient: they hack a shared Web hosting server and update its configuration so that phishing pages are displayed from a particular subdirectory of each domain hosted on the server. In this way, by compromising a single shared hosting server, it is possible to exploit hundreds or even thousands of websites at a time for the attacks," reported Pierluigi Paganini in a blog post on Security Affairs.

The same method is used to compromise cloud hosting providers: the hack of a single account can give control of several servers and of all the websites deployed on them.

"We need hosting providers to ensure the integrity of all their Web servers continually," Landesman declared.

Landesman explained the attack scheme adopted in the Darkleech campaign, which compromised nearly 20,000 legitimate websites running the Apache HTTP server in order to launch drive-by malware attacks against their visitors.

"Thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules," Landesman said. "These modules are then used to turn hosted sites into attack sites, dynamically injecting iFrames in real-time, only at the moment of visit."
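Both techniques above leave traces in the web server's own configuration: the shared-hosting phishing method quoted from the APWG report needs a directory mapping that applies to every hosted domain, and the Darkleech method needs a rogue module to be loaded. The following Python script is an added example, not code from the article or from Cisco, Team Cymru or the APWG; it audits an Apache httpd configuration for an Alias-type directive in the global scope (outside any VirtualHost, so it is served under every domain on the server) and for LoadModule entries that are not in a known-good baseline. The baseline module list, the sample httpd.conf and the module name mod_stats_hlpr.so are constructed for the example.

```python
"""Audit an Apache httpd configuration for two abuse patterns.

1. Alias/AliasMatch/ScriptAlias directives in the global (server) scope:
   they expose the same directory under every VirtualHost, which is how a
   single compromised shared host can serve phishing pages from a
   subdirectory of every hosted domain.
2. LoadModule directives that reference a module outside a known-good
   baseline, the rogue-module pattern Darkleech relied on.

Added example, not code from the article or any vendor. BASELINE_MODULES,
SAMPLE_CONFIG and the module name mod_stats_hlpr.so are constructed.
"""
import re
from dataclasses import dataclass

# Directives that map a URL path onto a filesystem path.
ALIAS_DIRECTIVES = {"alias", "aliasmatch", "scriptalias", "scriptaliasmatch"}

# Constructed baseline: modules this hypothetical host is expected to load.
BASELINE_MODULES = {
    "mod_rewrite.so", "mod_ssl.so", "mod_php5.so", "mod_alias.so",
    "mod_dir.so", "mod_mime.so", "mod_log_config.so",
}

OPEN_TAG = re.compile(r"<\s*(\w+)[^>]*>")
CLOSE_TAG = re.compile(r"</\s*(\w+)\s*>")


@dataclass
class Finding:
    kind: str       # "global_alias" or "unknown_module"
    line_no: int    # 1-based line in the configuration text
    text: str       # the offending directive


def audit_apache_config(config_text, baseline_modules=BASELINE_MODULES):
    """Return a list of Finding objects, in configuration order."""
    findings = []
    vhost_depth = 0  # >0 while inside a <VirtualHost> container
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if m.group(1).lower() == "virtualhost":
                vhost_depth -= 1
            continue
        m = OPEN_TAG.match(line)
        if m:
            if m.group(1).lower() == "virtualhost":
                vhost_depth += 1
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        # <IfModule>/<Directory> at top level are still server-wide scope,
        # so only a VirtualHost container makes an Alias per-site.
        if directive in ALIAS_DIRECTIVES and vhost_depth == 0:
            findings.append(Finding("global_alias", line_no, line))
        elif directive == "loadmodule" and len(args) >= 2:
            # LoadModule <module_name> <path/to/mod_x.so>
            filename = args[1].rsplit("/", 1)[-1]
            if filename not in baseline_modules:
                findings.append(Finding("unknown_module", line_no, line))
    return findings


# Constructed sample httpd.conf, not taken from any real server.
SAMPLE_CONFIG = """\
ServerRoot "/etc/httpd"
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule php5_module modules/mod_php5.so
LoadModule stats_hlpr_module /usr/lib64/httpd/modules/mod_stats_hlpr.so

<IfModule mod_alias.c>
    # Global scope: this path exists on EVERY hosted domain
    Alias /images/.update /var/tmp/.x/login
</IfModule>

<VirtualHost *:80>
    ServerName shop.example.test
    DocumentRoot /var/www/shop
    # Per-host alias, a legitimate pattern
    Alias /static /var/www/shop-static
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.test
    DocumentRoot /var/www/blog
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_apache_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind}: {f.text}")
```

Run against the sample, the script reports the unknown module on line 5 and the global Alias on line 9, and leaves the per-site Alias alone. Two caveats a practitioner would add: the audit should be run against the configuration the server actually loaded (`apachectl -S` and `apachectl -M` show the effective virtual hosts and modules, including files pulled in through Include), and a baseline match says nothing about the module file itself. Where, as in Darkleech, the attacker already has an SSHD backdoor and root, the module binaries and httpd itself must be verified against the package manager (`rpm -V httpd`, `debsums`) from a trusted environment rather than trusted on the name alone.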

The attackers are refining their techniques, making extensive use of obfuscation and carefully testing their evasion mechanisms, which makes malicious activity hard to detect.

Other large-scale attacks have been observed in recent months: this spring a new threat called Linux/Cdorked was discovered attacking Apache installations, while a massive brute-force campaign dubbed Gumblar targeted WordPress accounts to harvest admin credentials.

The trend is worrying: in the coming months cloud infrastructures, social networks and mobile platforms will suffer a growing number of attacks. With modest effort cyber criminals can reach a wide audience, and the main providers are located in the West for the reasons given above.
Knowledge of these trends is essential to prevent future incidents.
