Malware has become ingrained in modern culture. Nothing indicates that this will alter soon. Cloud malware is a new subset of the larger problem of harmful software, including worms, viruses, spyware, and more. This is not recent; it has been steadily expanding for over a decade. As early as 2011, malicious programs like the SpyEye banking Trojan were stored in Amazon Simple Storage Service buckets. According to data compiled by Netskope, 68% of all virus downloads originated in cloud applications.
Let’s examine the many forms of cloud-based malware and how they might be countered.
Types of cloud-based malware
When discussing cloud-based malware, two types, in particular, need to be highlighted:
Malware that spreads and communicates (command and control) via the cloud; Malware that directly targets cloud services and assets.
There are several entry points for modern malware that use cloud services to spread. To begin, several forms of malware are stored in cloud-based file-sharing services like Dropbox and Box and in storage nodes inside Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) clouds. In order to reduce the likelihood of content filtering software banning the hosting domain, public cloud storage accounts or nodes are often hosted in well-known cloud service provider (CSP) settings. For example, ransomware is commonly mentioned as a danger that might be housed in the cloud.
Secondly, most organizations don’t proactively restrict traffic to major CSPs like Amazon Web Services (AWS), Microsoft Azure (Microsoft), Google Cloud Platform (GCP), and others, making the cloud an attractive location for many malware strains’ command and control architecture.
Third, certain malware may be employed in distributed denial of service (DDoS) attacks, including exploiting compromised cloud-hosted servers to flood targets with traffic. Compromised systems in cloud tenant accounts are another possible source of such assaults.
On the other hand, new forms of malware appear specifically to target cloud-based resources and activities. Cloud-based virtual machines (VMs) and container workloads are common targets for bitcoin miners. Malware like this investigates public APIs to find ones that may be used to install and run themselves on targets’ workloads. After this is done, the attackers may mine cryptocurrencies for profit.
According to Trend Micro’s research, several well-coordinated attack groups penetrate open cloud assets and services in order to mine cryptocurrency using methods including SSH brute force, remote exploitation of vulnerable services, and delivering instructions over open APIs.
Regarding cloud-based malware, the crypto-mining attacker organization TeamTNT has often exploited the tactic of inserting harmful files in VM templates for further dissemination and persistence. To steal information from SaaS installations or implant malware in PaaS and IaaS accounts, cloud malware is often distributed via corrupted plugins and modules sold in cloud provider markets. Countless variations of such assaults exist.
Cloud-based malware may, thankfully, be identified and avoided. The following are some things that companies should do:
- All cloud-based data storage must be encrypted. When cloud-based malware targets accounts and workloads, this helps avoid data leakage or compromise.
- Insist that all cloud accounts undergo stringent authentication procedures. By using strong passwords and multi-factor authentication, cloud accounts may be protected against malicious attacks.
- Protect your cloud workloads and information. As a best practice, it is recommended to back up workload image and data storage and, if feasible, duplicate them to a different account or subscription. In this way, we are protected from many forms of cloud-based malware.
- Isolate and separate users depending on their network and identity. Cloud-centric segmentation strategies exist, and businesses should use them to limit exposure inside a single account or network segment.
- Set up services and tools to track how users interact with the network. Network traffic data is made available to tenants by all of the leading IaaS clouds. This data may be compiled and evaluated for signs of command and control communication and lateral movement.
- Utilize cloud service provider tools and detecting technologies. Some CSPs include malware detection technologies that can detect signs of malware infection or activity and monitor events and transmit that data to a centralized analytics platform. There are a few Microsoft 365 services, for instance, that have malware detection tools.
Though cloud malware will stay for the foreseeable future, there is some good news: we are improving at countering it.
