The cloud continues to provide huge opportunities to organizations, offering flexibility, economy and processing power on demand. However, it can offer bad actors the exact same facilities and opportunities, presenting additional defensive challenges for cybersecurity teams.

It’s hard to believe that cloud services are only about 20 years old: AWS, for example, was launched in March 2006. Today, cloud is ubiquitous; according to one report, the cloud services market was worth a little over $500 million in 2023 and is likely to grow at an average of 16.6% per year, hitting $2.5 trillion by 2031.

Cloud has grown so markedly because of the benefits it offers to organizations. Key among these are cost-effectiveness and the simplicity with which services can be accessed, used and deployed. Added to this is the fact that there is often no up-front capital outlay required for many “pay-by-use” services. Combined, these factors make cloud platforms ideal for testing, prototyping and coping with short-term or unpredictable spikes in system demand. For example, it can be straightforward to spin up a no-risk proof-of-concept project to test out a new idea, and when that idea has shown itself to be useful it can be productionised and scaled as its popularity and usage grow.

The downside of the cloud, though, is that the simple, easy-to-use platforms are there for bad actors conducting cyber attacks to potentially leverage as well.

Leveraging the Power of the Cloud

To be clear, cloud providers work hard to ensure that their platforms are not used for nefarious activities, but abuse can be difficult to detect before a system set up by a bad actor has been running, and performing its activities, long enough for monitoring systems to spot what is happening.

The sheer scale of global cloud services makes them an attractive option for attackers who want to perform Distributed Denial of Service (DDoS) attacks. A classic example is the 2018 DDoS attack on GitHub, where traffic levels well over one terabit per second – over 100 million packets per second – were hitting the victim’s servers, with cloud-based resources playing a key part in generating the offending traffic.

DDoS attacks are designed to inconvenience victims, but they don’t make money for the attackers in the same way that, say, a ransomware attack would. There are, however, plenty of ways for bad actors to monetise their nefarious acts. Take, for example, a cryptojacking attack on car maker Tesla in 2018: the purpose of the attack was to enable the intruders to exploit Tesla’s cloud server infrastructure to “mine” cryptocurrency – literally, to make money. The motivation for cryptojacking attacks is that mining cryptocurrency requires a lot of computing power, which can be enormously costly unless you cheat by stealing someone else’s server power; a legitimate user’s cloud services are an obvious target because of the scale of the computing power available.

Phishing attacks are another source of potential benefit for attackers, and again the cloud is a means for perpetrating them. A 2021 Microsoft article about phishing attacks that used its cloud services is just one example of such an attack – in this case, as well as targeting cloud service users, the attack used cloud services to host the fake login pages that the phishing emails directed users to.

Alongside these, there is still straightforward extortion. An attack in 2019 on U.S. bank Capital One is one of the biggest-scale examples in recent years. The company published its own explanation of what happened in the exfiltration of 140,000 Social Security numbers and 80,000 bank account numbers. In essence, vulnerabilities in the company’s cloud infrastructure were used by the bad actor to gain access, after which cloud storage was used to exfiltrate the stolen data. In this case it is believed that the attacker was caught by the FBI before any financial gain could be realised by selling the data or extorting Capital One for its deletion, but such outcomes are unusual.

Ransomware Launching from the Cloud

A look at the uses of the cloud for cyber attacks would not be complete without a reference to ransomware. Ransomware as a Service (RaaS) already forms a significant portion of the overall ransomware industry, using the key benefits of the cloud, namely that the platforms are low-cost and simple to use. In 2021 the Colonial Pipeline attack was carried out by DarkSide, which has a well-reported RaaS model. Look a little wider, though, and we see that many named ransomware groups use RaaS: BlackCat, MedusaLocker, the now-defunct Hive and REvil, … the list goes on.

Defending Against Attacks from the Cloud

What can we do to defend against bad actors that use cloud platforms to hide behind and to bring scale to their attacks?

First, patching. So many successful cyber attacks work because their victims’ systems were not fully patched. Install security patches as soon as they become available to minimise the risk of known vulnerabilities being exploited.

Second, and the flipside of the first activity, scanning. Use software or services to scan your systems – giving priority to the internet-facing resources – to check for vulnerabilities and misconfigurations. Consider having a bug bounty scheme to encourage ethical hackers to spot and report flaws in your security – in the Tesla example mentioned earlier, the victims paid about $3,000 to the security firm that identified the flaw and told them about it.

Finally, put your internet-facing assets behind a cloud-based Web Application Firewall (WAF). One of the key functions of a WAF is DDoS detection and prevention. For example, GitHub used Akamai to deal with its 1.35Tbps DDoS attack, though there’s plenty of choice out there and the big cloud providers all have their own solutions. Note that we said a cloud-based WAF, incidentally: there’s little point having a WAF in your office if a DDoS attack can saturate your internet link and hence block legitimate traffic before it even reaches the WAF.