Hackers are getting smarter, picking away at the architecture of each public cloud in an effort to find vulnerabilities unique to the infrastructure hosted by companies like Amazon Web Services and Microsoft Azure.
The fruits of such labor are clearly evident in new research from security firm Rapid7 Inc. It shows, for example, that almost a quarter of customer nodes deployed on IBM Corp.’s SoftLayer cloud expose database services like MySQL and SQL Server directly to the Internet, putting both the organization and its customers at risk. In addition, the research found the vast majority of customer devices on Digital Ocean’s and Google’s clouds expose shell services using Internet protocols such as SSH and Telnet. The latter of those was critical in last month’s DDoS attacks that took out Dyn Inc., the managed domain name provider.
Companies that use public clouds are also probed by hackers on a frequent basis. One popular tactic is to use common vulnerabilities such as ShellShock to compromise remote desktop sessions, the report found.
The report is the culmination of a classic “honeytrap” project initiated by Rapid7, which is designed to identify what attackers, researchers and organizations are doing in, across and against cloud environments. Rapid7 carried out its research by deploying dummy machines which are designed to observe how hackers carry out their attacks. Rapid7 previously used these “honeypot devices” to develop a Big Data-based security approach under its Project Sonar, and is now working with AWS and Microsoft under the Project Heisenberg initiative to try to profile attacks against public cloud customers.
Project Sonar scanned millions of IPv4 HTTPS web servers for details about the digital certificates they used, in order to detect whether any of them were compromised. Project Heisenberg uses the same approach in the public cloud.
One of the main questions Project Heisenberg was seeking to answer was whether or not attackers employ a “scattergun” approach or tailor their attack methods for each public cloud and customer. The evidence overwhelmingly points in favor of the latter, showing that attackers are refining their attack techniques for customer profiles linked to specific cloud providers.
A second aspect of the research looked at whether AWS, Azure, Digital Ocean, Google, Rackspace and SoftLayer cloud users had introduced new security risks by exposing services to the web, for example Windows services, databases, email services, shell services and web services.
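As an added defensive illustration, not part of the Rapid7 research or this article, the script below audits a node's listening sockets for exactly the exposures described above: database and shell services bound to every interface rather than to localhost. The `ss -tln` sample and the port-to-service table are constructed assumptions.

```python
import re

# Constructed sample of `ss -tln` output for a single cloud node (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:1433         0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
"""

# Assumed mapping of well-known ports to the service classes the research singles out.
RISKY_PORTS = {
    22: ("ssh", "shell"),
    23: ("telnet", "shell"),
    1433: ("mssql", "database"),
    3306: ("mysql", "database"),
}
# Bind addresses that make a listener reachable on every interface, including the public one.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN row in `ss -tln` text."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN row
        addr = m.group(1).strip("[]")  # "[::]" -> "::"
        listeners.append((addr, int(m.group(2))))
    return listeners


def find_exposed_services(ss_output):
    """Flag risky database/shell services bound to a wildcard address."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in RISKY_PORTS and addr in WILDCARD_ADDRS:
            name, kind = RISKY_PORTS[port]
            findings.append({"port": port, "service": name, "kind": kind, "bind": addr})
    return findings


if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {f['kind']:<8} {f['service']:<7} port {f['port']} bound to {f['bind']}")
```

In the sample, MySQL bound to 127.0.0.1 is not reported, while SSH, SQL Server and Telnet on wildcard binds are; on a real node, pipe `ss -tln` output into `find_exposed_services` and treat each finding as a candidate for a security-group or firewall restriction.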
“While most cloud user populations rely on these services for web hosting, the kinds of services exposed by each cloud provider’s user populations are varied according to the provider,” Rapid7 said. “These differences are being tested and exploited today by a range of adversaries who are clearly aware of these differences.”