Cyber-Attackers Taking Aim at Cloud and Virtualized Environments

Cyber-criminals are attacking virtualized data center systems and taking advantage of cloud environments as they come up with new threats in the cloud.

NEW YORK-Cyber-criminals are simultaneously taking advantage of the cloud's benefits to launch attacks as well as targeting organizations' cloud services, security experts said.

As organizations increasingly virtualize their data centers and move their applications to the cloud, attackers are beginning to think, "Let's attack here," Allen Vance, director of product management of the data and applications security group at Dell SecureWorks, told attendees at Cloud Expo during a session on cloud security on June 6. Organizations have to put in measures to handle threats to their virtualized environments when considering a cloud deployment because the environment amplifies the risks, Vance said. Cloud Expo is running from June 6 to June 9 here.

"We are in the middle of a war," Terry Woloszyn, CTO of PerspecSys, told attendees in a different session on cloud security. He compared the current security climate to an "arms race" as cyber-attackers are continuously developing new attack vectors and modifying existing threats, leaving vendors and businesses to play catch-up.

Nowhere is this more evident than the recent game of whack-a-mole Apple has been playing with malware developers behind the fake MacDefender antivirus scam and its many variants over the past few weeks.

A new MacDefender variant appeared within 24 hours after Apple released a security update on June 1 that included the malware definition in the Mac OS X File Quarantine list. After Apple updated definition files to cover the new variant on June 2, yet another one popped up that bypassed the quarantine hours later.

Vulnerabilities reported in virtualized technologies have "nearly doubled" between 2008 and 2010, according to data compiled by Dell SecureWorks Threat Intelligence and Intrusion, Vance said. Dell SecureWorks found that security "events" detecting attacks against virtual environments increased by more than 500 percent over the same period.

Cyber-attackers can try to steal credentials related to cloud providers, such as the organization's username and password for Amazon Web Services and the certificate and private key it uses, Dell's Vance said. Malware is increasingly sophisticated enough to exploit vulnerabilities and use hyper-escalation to compromise cloud platforms, Vance said.

Hyper-escalation refers to what happens when malware exploits a vulnerability in the hypervisor to break out of the virtual machine and gain root privileges on the actual server hardware. This would give attackers complete control over all the other virtual machines running on that machine, a serious threat in a multi-tenancy environment. When organizations are sharing network infrastructure, databases, data storage and computing resources, risks are aggregated, Vance said.

It's not just "script kiddies" that are breaking into networks and writing malicious code, according to Woloszyn. Attacks are originating from "sophisticated nation-states with cyber-commands" as well as from organized crime. Cyber-attackers are using "strategic multi-pronged" attacks, such as compromising RSA Security first and then using the stolen data to break into defense contractor Lockheed Martin, according to Woloszyn.

Stuxnet was a "cyber cruise missile," which was "stunning" in the way it targeted highly specialized systems, according to Woloszyn. "Who's to say the next targeted attack won't be against the cloud?" Woloszyn asked attendees.

Another threat against cloud services is in the APIs used to connect applications and services, according to Dell's Vance. There are "thousands" of Web-based APIs, and 10 to 15 new ones are being created each day. If they are not built or implemented correctly, organizations are vulnerable to man-in-the-middle campaigns, identity spoofing, accidental leakage of confidential data and even denial-of-service attacks.

In the event of a breach, forensic analysis is also more difficult in the cloud, Dell's Vance said. The fact that the environment is maintained by a third party may actually slow down initial incident response as well as the time required to remediate vulnerabilities. One reason for the delay may be that the cloud provider's first priority is often making sure other customers are unaffected.

Both Vance and Woloszyn noted that cloud environments are vulnerable to malicious insiders, who may decide to abuse their privileges.

Vance emphasized the importance of organizations monitoring cloud logs. Just because they are giving up operational control doesn't mean IT departments can't monitor the host, the guest virtual machines and other security services. Woloszyn said organizations should also consider implementing a zero-trust environment in the cloud, so that only the exact information a user needs is revealed and nothing else. In a layered-access model, where some people are trusted more than others and only anomalies are tracked, an attacker merely has to find a way to escalate privileges to gain unfettered access to data.

Traditional security techniques have limited effect in the cloud, Vance said, noting that organizations need to look at "old problems" and consider them in a new context.