Microsoft Report Says Hackers 'Weaponizing' Cloud Virtual Machines

Microsoft's latest Security Intelligence Report says cyber-criminals are compromising virtual machines in the cloud as a way to vastly increase the scale of Distributed Denial of Service Attacks.

Virtual Machine Attacks 2

Microsoft warned of several new cyber risks faced by IT organizations, including the "weaponization of the cloud" in the company's latest Security Intelligence Report covering the first half of 2016.

IT security professionals today are well-versed in the dangers of botnets, particularly now that vulnerable internet of things (IoT) devices are being enlisted by the millions to launch and sustain debilitating attacks. It was only a matter of time before attackers roped in cloud computing resources to do their bidding.

In the new report, released Dec. 14, Microsoft says hackers have learned how to marshal compromised virtual machines running in the cloud to launch massive cyber-attacks.

"In the cloud weaponization threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of a few virtual machines," stated the report. "The attacker can then use these virtual machines to attack, compromise, and control thousands of virtual machines—some within the same public cloud service provider as the initial attack, and others inside other public cloud service providers."

Once those virtual machines fall under the control of cyber-criminals, they're managed and controlled much like a botnet consisting of IoT devices and infected desktops. Attackers can issue commands to launch distributed denial-of-service (DDoS) attacks that cripple online services and websites or flood the internet with spam.

On its own Azure cloud computing platform, Microsoft witnessed attempts to exploit the cloud to establish communications with malicious IP addresses and brute force RDP, the Remote Desktop Protocol used by Microsoft to allow users to access their desktops over a network, representing percent 41 percent and 25.5 percent of all outbound attacks, respectively. Spam followed at just over 20 percent and DDoS attempts made up 7.6 percent of attacks.

Microsoft is also warning IT administrators to be on the lookout for targeted threats aimed at taking "control of an email account that has a high probability of containing credentials that can be used to gain access to the public cloud administrator portal." If successful, the threats may open both their on-premises and cloud infrastructures to attack.

"After logging into the administrator portal, an attacker can gather information and make changes to gain access to other cloud-based resources, execute ransomware, or even pivot back to the on-premises environment," cautioned Microsoft's security researchers. Attackers are also keeping tabs on GitHub and other public code repositories in the hopes that developers will accidentally publish secret keys that can potentially grant access to cloud accounts and services.

Microsoft further warned of "Man in the Cloud" (MitC) attacks, a term coined by security specialist Imperva. In this scenario, victims are duped into downloading and installing malware, typically with an email containing a malicious link.

Once active, the malware searches for a cloud storage folder and replaces the victim's synchronization token with that of the attacker's. In this spin on a "man in the middle" attack, each time a user adds a file to their cloud storage accounts, a copy is delivered to the attacker. Making matters worse, the new token remains even after the malware is found and removed.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...