Tuesday, November 22, 2016

Lurking Malice in the Cloud

It is often claimed that the cloud is more secure than on-premises IT:
If you ask Greg Arnette if the cloud is more secure than on-premises infrastructure he’ll say “absolutely yes.” Arnette is CTO of cloud archive provider Sonian, which is hosted mostly in AWS’s cloud. The public cloud excels in two critical security areas, Arnette contends: Information resiliency and privacy.
But even if the cloud provider's infrastructure were completely secure, using the cloud would not free the user from all responsibility for security. In Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service, a team from Georgia Tech, Indiana University Bloomington and UCSB report the alarming results of a survey of the use of cloud storage to host malware components. Many of the malware stashes they found were in cloud storage rented by legitimate companies, presumably because those companies had paid inadequate attention to security details. Below the fold, some details and comments.

The team discovered:
694 malicious or compromised repositories, involving millions of files, ... These buckets are hosted by the most reputable cloud service providers. For example, 13.7% of Amazon S3 repositories and 5.5% of Google repositories that we inspected turned out to be either compromised or completely malicious. Among those compromised are popular cloud repositories such as Groupon’s official bucket. Altogether, 472 such legitimate repositories were considered to be contaminated, ... infecting 1,306 legitimate websites, including Alexa top 300 sites like groupon.com, Alexa top 5,000 sites like space.com, etc.
The details are in Section 4.2 of the paper. Briefly, many of the compromised repositories had:
a misconfiguration flaw ... which allows arbitrary content to be uploaded and existing data to be modified without proper authorization.
Because the legitimate renters of the bucket had not been careful enough to fully define its access policy, the bucket was open to every AWS account, not just the renter's own:
by default, ... the cloud only checks whether the authorization key (i.e., access key and secret key) belongs to an S3 user, not the authorized party for this specific bucket: in other words, anyone, as long as she is a legitimate user of the S3, has the right to upload/modify, delete and list the resources in the bucket and download the content.
This problem has been exploited for a long time:
Groupon’s official bucket, was apparently compromised five times between 2012 and 2015 ... according to the changes to the bucket we observed from the bucket historical dataset we collected from archive.org.
Because Amazon S3, like other cloud storage services, charges for storage, requests and bytes transferred out, the legitimate renters of the compromised buckets were paying much of the cost of the malware campaigns run from them.
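To make the misconfiguration concrete, here is a small checker, added here and not part of the paper or its tooling, that flags the two ways a bucket ends up writable by strangers: an ACL grant to S3's predefined "Authenticated Users" group (every AWS account in existence, which is exactly the "legitimate user of the S3" the paper describes) or "All Users", and a bucket-policy statement that allows write actions to a wildcard principal. It also produces the corrected ACL. The input shapes are assumed to be those returned by boto3's get_bucket_acl() and get_bucket_policy(); the two sample documents, the bucket name and the owner ID are constructed for the example so it runs offline.

```python
"""Check an S3 bucket's ACL and bucket policy for grants that let any AWS
account, or anyone at all, write into the bucket, and produce the fixed ACL.

Added example, not the paper's tooling.  Input shapes follow what boto3's
get_bucket_acl() and get_bucket_policy() return; the sample documents are
constructed for this example.
"""
from fnmatch import fnmatchcase

# S3's predefined global groups.  "AuthenticatedUsers" means every AWS account
# that exists, not just principals in the bucket owner's account; "AllUsers"
# includes unauthenticated requests as well.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
RISKY_GROUPS = {AUTHENTICATED_USERS: "any AWS account", ALL_USERS: "anyone, unauthenticated"}

# Bucket-level meaning of each ACL permission.
PERMISSION_EFFECT = {
    "READ": "list the bucket's objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (effectively full control)",
    "FULL_CONTROL": "all of the above",
}

# Bucket-policy actions that let a principal plant or replace content.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketAcl")

# Constructed sample ACL: the owner's FULL_CONTROL grant plus the two grants
# that produce the flaw described in the paper.  The owner ID is a placeholder.
OWNER_ID = "0" * 64
CONTAMINATED_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample policy: public read of a static site may be deliberate,
# but the second statement lets any principal upload.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def acl_findings(acl):
    """Return (who, permission, effect) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in RISKY_GROUPS:
            perm = grant["Permission"]
            findings.append((RISKY_GROUPS[uri], perm, PERMISSION_EFFECT.get(perm, perm)))
    return findings


def _is_wildcard_principal(principal):
    # In a resource policy both "*" and {"AWS": "*"} mean everyone, anonymous included.
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def policy_findings(policy):
    """Return (Sid, [write actions]) for Allow statements open to everyone.

    IAM action patterns use '*' and '?' and match case-insensitively, so each
    pattern is expanded against the known write actions with fnmatch.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        granted = sorted(a for a in WRITE_ACTIONS
                         if any(fnmatchcase(a.lower(), p.lower()) for p in patterns))
        if granted:
            findings.append((stmt.get("Sid", "<no Sid>"), granted))
    return findings


def owner_only_acl(acl):
    """The corrected ACL: same owner, global-group grants removed.

    The result has the shape put_bucket_acl(AccessControlPolicy=...) expects.
    """
    kept = [g for g in acl.get("Grants", [])
            if not (g.get("Grantee", {}).get("Type") == "Group"
                    and g["Grantee"].get("URI") in RISKY_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": kept}


if __name__ == "__main__":
    for who, perm, effect in acl_findings(CONTAMINATED_ACL):
        print(f"ACL: {who} has {perm}: can {effect}")
    for sid, actions in policy_findings(OPEN_POLICY):
        print(f"policy statement {sid}: everyone may {', '.join(actions)}")
    print("after fix:", acl_findings(owner_only_acl(CONTAMINATED_ACL)))
```

Against a real bucket, the same two functions would be fed the output of get_bucket_acl() and get_bucket_policy() and run across every bucket in the account; the point of the checker is that the dangerous grant looks entirely benign in the console, since "Authenticated Users" reads as if it meant the owner's own users.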

Paul Kunert at The Register reports on Canalys estimates of the cloud services market:
Amazon’s cloud subsidiary turned over $3.23bn, up 55 per cent growth on the year ago period, and held 32 per cent market share.

Microsoft Azure hauled in $1.736bn, up 116 per cent, giving it a 17 per cent share of the spoils; Google Cloud hauled in $764m, up 80 per cent year on year, giving it an eight per cent share.

Over at Big Blue, IBM Software sold $654m worth of services, up 51 per cent, and this handed it a seven per cent slice of total market sales, while Chinese outfit Alibaba sold $221m, up 128 per cent and taking a market share of two per cent.

Much like in the world of on-premise tech, the [five] cloud giants keep getting bigger and bigger, equating to 66 per cent of all money splashed on IaaS and PaaS.
These five giant services are thus very high-value targets. A weakness such as the careless setting of access policies described above gives attackers access to huge resources for spreading malware, and is therefore extremely valuable to them.

As the paper points out, the cloud providers:
are bound by their privacy commitments and ethical concerns, they tend to avoid inspecting the content of their customers’ repositories in the absence of proper consent. Even when the providers are willing to do so, determining whether a repository involves malicious content is by no means trivial: nuts and bolts for malicious activities could appear perfectly innocent before they are assembled into an attack machine; ... even for the repository confirmed to serve malicious content like malware, today’s cloud providers tend to only remove that specific content, instead of terminating the whole account, to avoid collateral damage (e.g., compromised legitimate repositories).
Thus the compromise is unlikely to be detected rapidly and, even if it is detected, is likely to be treated only symptomatically. This research should give advocates of cloud-based preservation plenty to think about.


Simon Spero said...

Presumably this situation would not occur with any FedRAMP authorized providers since access control defaults would be one of the assessed items, even at low?

David. said...

I have no idea what FedRAMP requires, but the specific vulnerability involving inadequate user setting of access controls was at Amazon S3, a large federal provider.