Microsoft Sounds Alarm on Weaponized Virtual Machines on the Cloud

Attackers are targeting cloud accounts, hoping to weaponize virtual machines and gain access to valuable information.

cloud security

Microsoft has some bad news for businesses hoping to find a safe haven from cyber-attackers in the cloud. IT departments can now add weaponized virtual machines on the cloud to their ever-expanding list of cybersecurity concerns.

The Redmond, Wash., software giant recently released its Security Intelligence Report Volume 22, compiled using threat data gathered during the first quarter of 2017 (Q1). Unsurprisingly, attackers are following their targets to where the action is, and these days, that increasingly means the cloud.

"In a cloud weaponization threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of one or more virtual machines," explained the report. "The attacker can then use these virtual machines to launch attacks, including brute force attacks against other virtual machines, spam campaigns that can be used for email phishing attacks, reconnaissance such as port scanning to identify new attack targets, and other malicious activities."

During Q1, Microsoft's Azure Security Center service witnessed a number of outbound attack attempts, chiefly efforts to establish communications with malicious IP addresses (51 percent) and RDP (Remote Desktop Protocol) brute force attempts. Attackers also tried to use cloud-based virtual machines to spew spam (19 percent), embark on port-scanning expeditions (3.7 percent) and try to brute force their way past SSH (Secure Shell) protections.

When a virtual machine is compromised, they often "phone home" to command-and-control servers. The vast majority of those connection attempts are made to malicious IP addresses originating in China (89 percent), followed by the United States (4.2 percent).

In terms of inbound attacks on Microsoft Azure, most stem from China (35.1 percent) and the United States (32.5 percent). Korea is a distant third with 3.1 percent.

Not content to lock up users' PCs with ransomware, attackers are increasingly targeting both personal and business cloud accounts, the company's security researchers warned.

"There was a 300 percent increase in Microsoft cloud-based user accounts attacked year-over-year (Q1-2016 to Q1-2017)," they stated in a Microsoft Secure Blog post, underscoring the need for both businesses and individuals to practice strong password habits. "The number of account sign-ins attempted from malicious IP addresses has increased by 44 percent year over year in Q1-2017."

Microsoft advises enterprise IT departments to implement risk-based conditional access policies, whereby they can restrict access to trusted devices and/or IP addresses, mitigating the risk of weak or compromised credentials.

Ransomware continues to be problem, although it should be noted that the threat intelligence referenced by the latest Security Intelligence Report predates this spring's massive ransomware outbreaks. In May, the WannaCry ransomware, which latched onto exploits allegedly stolen from the U.S. National Security Agency (NSA), spread like wildfire, affecting the IT systems of hospitals in the U.K. and businesses worldwide.

In March 2017, with a ransomware encounter rate of 0.17 percent, users in the Czech Republic were most likely to run into the insidious form of malware, followed by Korea (0.15 percent) and Italy (0.14 percent). Upcoming editions of Microsoft's report may reveal if WannaCry and other recent high-profile ransomware attacks reshuffles those rankings.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...