Cyber-Thieves Aim At Cloud And Virtualised Servers


Cyber-criminals are attacking virtualised data centre systems and targeting cloud environments

Cyber-criminals are simultaneously taking advantage of the cloud’s benefits to launch attacks as well as targeting organisations’ cloud services, security experts said.

As organisations increasingly virtualise their data centres and move their applications to the cloud, attackers are beginning to think, “Let’s attack here”, Allen Vance, director of product management of the data and applications security group at Dell SecureWorks, told attendees at Cloud Expo.

Weigh Up The Security Angles

Organisations have to put in measures to handle threats to their virtualised environments when considering a cloud deployment because the environment amplifies the risks, Vance said. Cloud Expo is running from June 6 to June 9 in New York.

“We are in the middle of a war,” Terry Woloszyn, CTO of PerspecSys, told attendees in a different session on cloud security. He comparing the current security climate to an “arms race” as cyber-attackers are continuously developing new attack vectors and modifying existing threats, leaving vendors and businesses to play catch-up.

Nowhere is this more evident than the recent game of whack-a-mole Apple has been playing with malware developers behind the fake MacDefender antivirus scam and its many variants over the past few weeks.

A new MacDefender variant appeared within 24 hours after Apple released a security update on June 1 that included the malware definition in the Mac OS X File Quarantine list. After Apple updated definition files to cover the new variant on June 2, yet another one popped up that bypassed the quarantine hours later.

Vulnerabilities reported in virtualised technologies have “nearly doubled” between 2008 and 2010, according to data compiled by Dell SecureWorks Threat Intelligence and Intrusion, Vance said. Dell SecureWorks found that security “events” detecting attacks against virtual environments increased by more than 500 percent over the same period.

Hyper-Escalation Threats

Cyber-attackers can try to steal credentials related to cloud providers, such as the organisation’s username and password for Amazon Web Services and the certification and private key used, Dell’s Vance said. Malware is increasingly sophisticated enough to exploit vulnerabilities and use hyper-escalation to compromise cloud platforms, Vance said.

Hyper-escalation refers to what happens when malware exploits a vulnerability in the hypervisor to break out of the virtual machine and gain root privileges on the actual server hardware. This would give attackers complete control over all the other virtual machines running on that machine, a serious threat in a multi-tenancy environment. When organisations are sharing network infrastructure, databases, data storage and computing resources, risks are aggregated, Vance said.

It is not just “script kiddies” that are breaking in to networks and writing malicious code, according to Woloszyn. Attacks are originating from “sophisticated nation-states with cyber-commands” as well as from organised crime. Cyber-attackers are using “strategic multi-pronged” attacks, such as compromising RSA Security first, and then using the stolen data to break into defence contractor Lockheed Martin, according to Woloszyn.

Stuxnet was a “cyber cruise missile”, which was “stunning” in the way it targeted highly specialised systems, according to Woloszyn. “Who’s to say the next targeted attack won’t be against the cloud?” Woloszyn asked attendees.

Another threat against cloud services are in the APIs used to connect applications and services, according to Dell’s Vance. There are “thousands” of Web-based APIs, and ten to 15 new ones are being created each day. If they are not built or implemented correctly, organisations are vulnerable to man-in-the-middle campaigns, identity spoofing, accidental leakage of confidential data, and even denial of service attacks.

Forensic Analysis Problems

In the event of a breach, forensic analysis is also more difficult in the cloud, Dell’s Vance said. The fact that the environment is maintained by a third party may actually slow down initial incident response as well as the time required to remediate vulnerabilities. One reason for the delay may be because the cloud provider’s first priority is often in making sure other customers are unaffected.

Both Vance and Woloszyn noted that cloud environments are vulnerable to malicious insiders, who may decide to abuse their privileges.

Vance emphasised the importance of organisations monitoring cloud logs. Just because they are giving up operational control did not mean IT departments could not monitor the host, the guest virtual machines and other security services.

Woloszyn said organisations should also consider implementing a zero-trust environment in the cloud so that only the exact information the user needs is revealed and nothing else. Layers of access, where some people have higher levels of trust than others and only anomalies are tracked, means attackers just have to figure out a way to escalate privileges to gain unfettered access to data.

Traditional security techniques have limited effect in the cloud, Vance said, noting that organisations need to look at “old problems” and consider them in a new context.

Read also :