Security: A walk in Attack Vectors Park #3
Welcome back my maliciously-targeted Reader,
As we continue our introductory journey through the Cloud Security landscapes, today we’ll go green and have a stroll together through Attack Vectors Park. Unlike our previous appointment with Botnets – which largely hit End Consumers to grow in size and then turn their footprint against a Target – today’s walk through the Attack Vectors’ Park will show us what the most common attack strategies and tactics are when it comes to action time.
Not all attacks are the same, no two of them are. You may call them exploits, or tactics, as most of those operating on Layer 7 are; other times, it’s pretty much all about brute force, backed up by the attacking army’s numbers (Botnets ring a bell?), which flails the Host on Layers 3 and 4; other times still, the attacker’s cradle is on your neighboring Cloud / Datacenter Host, past your finely tuned Firewall at the Public Edge. Don’t you shiver, my Reader, on we go.
Cloud Computing is currently one of the fastest growing IT fields. Most IT Companies already have a Cloud-based Offering and many others have announced one as well. Although Cloud Computing sounds good in general, it’s all too well known that its biggest flaw lies in Security. In the near future, we will probably witness many new Security exploits which will shape the Cloud Security research directions for the years to come. To cater for the Security demand in the Industry, we are witnessing the quick evolution of Cloud Security into a relevant IT Branch of its own.
We’d like to mention the OWASP Foundation (some of whose Top 10 Attacks we will describe today); OWASP, like all experts in the field, closely monitors Cloud Security at a very high technical level, concentrating especially on hacking attempts and all other kinds of attacks related to Cloud Computing systems and providers. In this article, we will discuss possible types of attacks on the Cloud, as well as classify them according to certain criteria.
Cloud Computing Attack Vectors
With more Companies and Users moving to the Cloud, there is no doubt that hackers will follow. Some of the attack vectors cybercriminals may use include:
1. Distributed Denial of Service (DDoS)
Some security experts claim that the Cloud is very vulnerable to DDoS attacks because it is used by a great number of users at once, which makes a successful attack more damaging. When the Cloud computing system sees the high workload on the overwhelmed service, it begins to provide more computation power (more virtual machines as well as service instances) to deal with the extra workload. Sooner or later the hardware limits on the maximum workload the servers can process are reached, and they are no longer enough.
In such a situation, the Cloud Computing operating system is trying to wrestle with the attacker by providing more computation power, but – instead of fighting him – it lends him a hand: the attacker can, in such circumstances, do the highest possible damage through a single attack entry point. The cybercriminal doesn’t need to attack all servers that provide a certain service, but rather just one Cloud-based address, to achieve a full loss of accessibility of the intended service.
2. Cloud Malware Injection Attack
This is the first broad class of attack we look at whose aim is to inject a malicious service or virtual machine into the targeted Cloud System.
The nature of this Cloud malware can be manifold, and ranges from quiet monitoring, through small data modifications, to large-scale functionality changes and blocking. To conduct this attack the attacker needs to create his own malicious service module (PaaS or SaaS) or virtual machine (IaaS) and then sneak it into the Cloud system. Once in the destination Cloud, the Malware will pretend to be part of it, tricking the Cloud into treating it as a valid instance. If this succeeds, and the Cloud computing system starts treating the service instance as one of its own, the Cloud will automatically redirect User Requests to the malicious service and the hacker’s code will be executed.
One of the most promising countermeasures against this threat consists of an integrity check conducted by the Cloud Computing service before a service instance is used in Production. This can be done by computing a hash value of the original service instance and comparing it with the hash value of every recently started service instance. So, instead of simply tricking the Cloud into believing that the service instance is valid, the attacker now has to bypass that hash value comparison in order to successfully inject his malicious instance into the Cloud Computing system.
The main idea behind Cloud Malware Injection attacks is that an attacker uploads a malicious copy of a Cloud service instance so that certain requests are processed within that “fake” instance. In order to achieve this goal, the attacker has to gain control over the targeted data in the Cloud system and obtain privileged access to the service instances, so as to attack that service instance’s Security Layer.
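The integrity check described above, as an added example that is not part of the original article: every recently started instance is hashed with SHA-256 and compared against a registry of approved digests before it may take production traffic. The service names, image bytes and the registry contents are constructed for this illustration; in practice the images would be container or VM images and the registry would be signed and stored out of the attacker’s reach.

```python
"""Added example: hash-based admission check for newly started service instances."""
import hashlib
import hmac

# Constructed stand-ins for the approved service images (in practice: container
# images, VM images or deployment bundles). Only a byte-exact copy is accepted.
APPROVED_IMAGES = {
    "billing-api": b"billing-api v1.4 build 2031 ...",
    "auth-service": b"auth-service v2.0 build 877 ...",
}


def image_digest(image_bytes):
    """SHA-256 hex digest of an image. Hashing is the easy part; the hard part is
    keeping the registry itself trustworthy (sign it, store it read-only)."""
    return hashlib.sha256(image_bytes).hexdigest()


def build_registry(approved_images):
    """Map each service name to the digest of its approved image."""
    return {name: image_digest(data) for name, data in approved_images.items()}


def admit_instance(registry, service_name, image_bytes):
    """Decide whether a freshly started instance may receive production traffic.
    Returns (admitted, reason)."""
    expected = registry.get(service_name)
    if expected is None:
        return False, "no approved digest for service"
    actual = image_digest(image_bytes)
    # compare_digest keeps the comparison itself free of a timing side channel
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


def sweep_recent_instances(registry, started):
    """Run the check over all recently started instances, given as
    {instance_id: (service_name, image_bytes)}, and return the ids that must be
    quarantined together with the reason."""
    rejected = {}
    for instance_id, (service_name, image_bytes) in started.items():
        admitted, reason = admit_instance(registry, service_name, image_bytes)
        if not admitted:
            rejected[instance_id] = reason
    return rejected


# Constructed batch of recently started instances: one genuine copy, one tampered
# copy that claims to be billing-api, and one instance of a service nobody approved.
RECENT_INSTANCES = {
    "i-001": ("billing-api", APPROVED_IMAGES["billing-api"]),
    "i-002": ("billing-api", APPROVED_IMAGES["billing-api"] + b"\n# injected hook"),
    "i-003": ("metrics-shim", b"looks legitimate but was never approved"),
}

if __name__ == "__main__":
    registry = build_registry(APPROVED_IMAGES)
    for instance_id, reason in sweep_recent_instances(registry, RECENT_INSTANCES).items():
        print(f"quarantine {instance_id}: {reason}")
```

Running the block quarantines i-002 (digest mismatch) and i-003 (no approved digest) while i-001 passes. Note that the check is only as strong as the registry: an attacker who can write to it simply registers the digest of his own image, which is why the approved digests need their own integrity protection.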
3. Side-channel attacks
A side-channel attack is a form of reverse engineering. From a cryptographic standpoint, this attack is based on data acquired from the physical implementation of a cryptosystem, instead of using brute force or vulnerabilities in the algorithms to get at the information.
Electronic circuits are by nature leaky – they vibrate and produce emissions which let attackers infer how the circuit works and what data it is currently processing, without any actual access to the circuit. Heat, vibrations and electromagnetic emissions of the circuit are very valuable sources of information for a crook. These leaks are just side effects of the processing, and that’s why attacks exploiting them are called “side-channel attacks”.
In the Cloud, this is conducted by placing a malicious virtual machine physically close to the targeted Cloud Server. Not long ago, a team of researchers developed a type of side-channel attack that targets virtual machines, and which poses a great threat to Cloud Computing. The attack enables a malicious virtual machine to steal an ElGamal Decryption Key from a “neighboring” virtual machine. This complex attack, able to steal an entire cryptographic Key, is the freshest piece of evidence that sensitive information shouldn’t be stored in a Cloud.
What makes the Side-Channel Attack different from others is the fact that the attacker doesn’t need to compromise the victim’s virtual machine with Software to conduct the attack; instead, the hardest part becomes placing the malicious virtual machine on the same host as the victim.
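To make concrete why the implementation rather than the algorithm is what leaks, here is an added example (not from the original article): a textbook square-and-multiply modular exponentiation multiplies only for the exponent bits that are 1, so its sequence of squarings and multiplications mirrors the private exponent bit for bit, which is the kind of pattern a co-resident observer can pick up through shared hardware. A Montgomery ladder does the same operations for every bit. The group parameters and the private exponent are constructed toy values; real ElGamal keys are thousands of bits.

```python
"""Added example: operation trace of a leaky exponentiation versus a regular one."""


def square_and_multiply(base, exponent, modulus):
    """Leaky exponentiation. Returns (result, trace), where trace lists the
    operations performed: 'S' for a squaring, 'M' for a multiplication by base."""
    result = 1
    trace = []
    for bit in bin(exponent)[2:]:            # scan exponent bits, MSB first
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":                        # data-dependent work: this is the leak
            result = (result * base) % modulus
            trace.append("M")
    return result, "".join(trace)


def bits_from_trace(trace):
    """What an observer who sees only the operation sequence learns: every 'S'
    starts a new bit, and an 'M' right after it means that bit was 1."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("malformed trace")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)


def montgomery_ladder(base, exponent, modulus):
    """Hardened exponentiation: exactly one multiplication and one squaring per bit,
    so the trace is identical for every exponent of the same length. Caveat: which
    register receives which product still depends on the bit; production code also
    removes that branch (constant-time swaps) so that memory access patterns, and
    therefore cache behaviour, do not depend on the key either."""
    r0, r1 = 1, base % modulus
    trace = []
    for bit in bin(exponent)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        else:
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        trace.append("MS")
    return r0, "".join(trace)


if __name__ == "__main__":
    g, p = 5, 23                  # constructed toy group parameters
    secret = 0b1011010            # constructed toy private exponent
    leaky_result, leaky_trace = square_and_multiply(g, secret, p)
    print("leaky trace   :", leaky_trace)
    print("recovered bits:", bits_from_trace(leaky_trace), "==", bin(secret)[2:])
    safe_result, safe_trace = montgomery_ladder(g, secret, p)
    print("ladder trace  :", safe_trace, "(same for every 7-bit exponent)")
    assert leaky_result == safe_result == pow(g, secret, p)
```

Both routines compute the same value; only the shape of the work differs. The defensive lesson is that a key-dependent operation sequence is a property of the code, not of the mathematics, and that it must be audited (and measured on the target hardware) before the code is trusted on a shared host.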
4. “Man in the middle” attack
A Man-In-The-Middle (MITM) Attack is an attack where the attacker places himself between two parties and alters their communication, whilst making the two parties believe that they are still in direct communication with each other. It usually happens in a Client/Server setting. During the attack, a third party pretends to be the Server that a Client is trying to connect to; once that connection succeeds, it opens its own connection to the real Server and forwards the Client’s requests. Then it takes the response from the real Server and sends it back to the Client.
From the Client’s perspective, there is no difference; everything is as usual, as if they were connected to the actual Server (aren’t they, after all?). What Clients do not know is that the “man in the middle” is intercepting all the information exchanged between the two parties, and that it can even change the information while it is being exchanged between the two of them.
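The reason the Client notices nothing is that it never checks who really answered. As an added example that is not part of the original article, here is the client-side TLS configuration that defeats this impersonation next to the weak configuration that invites it, plus a small audit function that flags the weak settings. Only Python’s standard ssl module is used; the host name in the connect helper is a placeholder and no network access is needed to run the audit.

```python
"""Added example: strict versus weak TLS client configuration, with an audit."""
import socket
import ssl


def make_strict_client_context(cafile=None):
    """Verify the server certificate chain, check the host name against it, and
    refuse TLS versions older than 1.2. cafile=None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context():
    """The classic 'it works now' shortcut: no certificate or host name check, so
    whoever answers on the port is accepted as the Server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the MITM-relevant weaknesses of a context (an empty list passes)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are accepted")
    return findings


def connect(host, port=443, ctx=None):
    """How the strict context is applied: server_hostname drives both SNI and the
    host name check. Not invoked below because it needs a real server to talk to."""
    ctx = ctx or make_strict_client_context()
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("strict:", audit_context(make_strict_client_context()) or "no findings")
    print("weak  :", audit_context(make_weak_client_context()))
```

With the strict context an impostor has to present a certificate that chains to a trusted CA and carries the expected host name, which is exactly what the interposed party in the scenario above cannot do; with the weak context the handshake succeeds against anyone. The audit function is the kind of check worth running over a code base’s context factories, since disabling verification “temporarily” is the most common way this protection is lost.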
Cloud Computing makes a large amount of processing power available to its Cloud-hosted Services. However, attacks that target resources, more specifically resource exhaustion, can have a big impact on the Cloud, especially if the attacker also uses a Cloud to send the flooding messages.
So, both the attacker’s and the victim’s Clouds invest more and more resources into sending and receiving messages until one or (more likely) both Cloud Computing Systems reach their respective maximum capacity.
Even in the best-case scenario, if the hacker is using a hijacked Cloud, he can trigger enormous bills for Cloud-based Services that the real Customer never ordered.
These attacks usually involve two Cloud systems, so several attack Surfaces are in play. Firstly, attacking the victim’s service with attack messages is one of the typical Service-to-User Surface attacks. Since both the attacker’s and the victim’s Cloud consume additional resources, the Cloud-to-Service Surface is attacked as well. Furthermore, all other services hosted on the same Cloud may – and in the worst-case scenario eventually will – be struck by the resource exhaustion too.
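The amplification described in the DDoS section and in the resource exhaustion paragraphs above is easy to see in a toy model. The following is an added example, not code from the original article: a naive autoscaler turns a request flood into instance count (and therefore bill), while a per-source rate limit placed in front of the service and a hard ceiling on instances keep both bounded. Instance capacity, traffic volumes and source names are constructed numbers.

```python
"""Added example: flood traffic against an autoscaling service, with and without limits."""
from collections import Counter

REQUESTS_PER_INSTANCE = 100      # assumed: requests one instance can serve per tick

LEGIT_USERS = [f"user{i}" for i in range(50)]     # constructed legitimate sources
BOT_SOURCES = [f"bot{i}" for i in range(20)]      # constructed flood sources


def constructed_traffic():
    """Six ticks: three quiet ticks (50 users, one request each), then three ticks
    in which 20 bot sources add 500 requests apiece. A tick is a list of source ids,
    one entry per request."""
    quiet = [list(LEGIT_USERS) for _ in range(3)]
    flood = [list(LEGIT_USERS) + [b for b in BOT_SOURCES for _ in range(500)]
             for _ in range(3)]
    return quiet + flood


def rate_limit(tick, per_source_limit):
    """Admit at most per_source_limit requests per source within one tick."""
    seen = Counter()
    admitted = []
    for src in tick:
        seen[src] += 1
        if seen[src] <= per_source_limit:
            admitted.append(src)
    return admitted


def simulate(traffic, per_source_limit=None, max_instances=None):
    """Return (instances per tick, billed instance-ticks, requests shed).
    The autoscaler is idealised: it provisions exactly what the admitted load needs,
    immediately. Real ones lag, which only makes the bill arrive later."""
    history, billed, shed = [], 0, 0
    for tick in traffic:
        admitted = tick if per_source_limit is None else rate_limit(tick, per_source_limit)
        load = len(admitted)
        needed = max(1, -(-load // REQUESTS_PER_INSTANCE))      # ceiling division
        if max_instances is not None:
            needed = min(needed, max_instances)
        shed += max(0, load - needed * REQUESTS_PER_INSTANCE)   # beyond capacity: dropped
        history.append(needed)
        billed += needed
    return history, billed, shed


if __name__ == "__main__":
    traffic = constructed_traffic()
    for label, kwargs in [("no protection", {}),
                          ("instance cap 10", {"max_instances": 10}),
                          ("rate limit 20/source", {"per_source_limit": 20})]:
        history, billed, shed = simulate(traffic, **kwargs)
        print(f"{label:22s} instances={history} billed={billed} shed={shed}")
```

Without protection the flood drives the service to 101 instances for three ticks and 306 billed instance-ticks, which is the “enormous bill” the text warns about. An instance cap alone protects the bill but sheds legitimate requests together with the flood; the per-source limit keeps the instance count at 5 and drops nothing legitimate, because the limit is chosen above what a real user sends. In practice both controls are used, with the cap as the backstop for sources that spread the flood over enough addresses to stay under the per-source limit.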
A Note on Attack Surfaces
The most important attack Surface is the one from the Service towards the User. This is actually the common Server-to-Client interface, which means it’s vulnerable to all sorts of attacks that can be conducted in a common Client-Server architecture. This includes SQL injection and buffer overflow attacks, as well as privilege escalation.
On the other hand, the attack Surface from the User towards the Service is actually the common Client-Server environment, meaning that it’s vulnerable to HTML attacks such as SSL certificate spoofing, manipulation of browser caches, or Phishing attacks against mail clients.
The Surface between a Cloud System and a Service Instance is a bit tricky. The separation between the Cloud Provider and a Service Instance can be pretty complex, but this Surface commonly covers all the attacks that a Service Instance can run against its hosting Cloud System. One of the most common attacks on this Surface is the Denial-of-Service, or, as we call it, resource exhaustion attack, which can force the Provider to give out more and more resources until it overloads and can no longer provide Services to its Users.
The other way around, the Service Instance is just as vulnerable to the Cloud system. There are many types of attacks that can be conducted by the Cloud Provider against a Service running on it. These include availability reductions, privacy-related attacks, tampering with data while it is being processed, injection of additional operations into the service instance, and others. This is one of the most critical types of attack, with huge impact.
Another important attack Surface is the one from the Cloud service towards the User. Usually, there is a Service Instance between the Cloud and a User. However, it is the Cloud that provides the interface for controlling its Services. This interface allows Users to add new Services, delete Service Instances, etc. This presents a threat similar to the one that the Cloud faces from its Users.
The last attack Surface considered is the one from a User towards the Cloud Provider. Examples are phishing, or the manipulation of Cloud-based Services to trick the Provider into presenting a fake usage bill to the User.
While Cloud Computing usage keeps on climbing rapidly, and especially because of its huge popularity among organized criminals, we can expect to see a lot of Security breaches and newly discovered Vulnerabilities in the decades to come.
In this article we have made a first step in classifying them and improving their analysis. This is by no means an exhaustive listing of Cloud Attack Vectors, but rather the end of today’s walk in the park of ours. Get in touch with us if this roused your interest!