Cybercriminals Are Picking On U.S. Cloud Hosting Providers


Cybercriminals waging financially motivated attacks and targeted attacks that steal intellectual property are taking advantage of the infrastructure at U.S. cloud hosting providers, according to two malware researchers.

Speaking to security professionals Monday in separate sessions at the 2013 Gartner Security and Risk Management Summit, Mary Landesman, a senior security researcher at Cisco Systems, and Dave Monnier of security research firm Team Cymru, highlighted the attack techniques used by cybercriminal organizations, finding many setting up command and control servers on U.S. soil. Attackers use servers on hijacked cloud hosting accounts or set up their own fraudulent account with stolen credit cards to conduct their malicious activity.

"We need hosting providers to ensure the integrity of all their Web servers continually," Landesman said.

[Related: Cloud Hosting Providers Must Defend Against Attacks (Video)]

A Web hosting provider provides domain services and management capabilities for website owners, and cloud hosting accounts can have one site or dozens of sites or more associated with them, Landesman said. When an attacker controls a server, it controls the actions of each of the websites hosted on it and can direct attacks at targeted victims or conduct broad campaigns intended to infect masses of individuals.

Landesman highlighted the Darkleech attacks, which uses dynamic code injection and only serves iFrame attacks on websites once a day to specific types of visitors. Darkleech threatens Apache Servers and has been documented by researchers at security vendor ESET.

The Darkleech attackers' technique makes it difficult for hosting providers that monitor accounts to detect the nefarious activity. A new version of the threat called Linux/Cdorked malware was detected attacking Apache installations in March. Attackers are adapting to improved coding practices and detection capabilities and are careful to avoid detection by moving to a new domain every two weeks and never persisting attacks on websites for more than 24 hours.

"Even the most diligent concerned website operator is not going to be able to see the signs of that compromise," Landesman said.

Landesman also highlighted the Gumblar attacks, a series of longstanding brute-force attacks that harvest administrator usernames and passwords to WordPress accounts. The attackers were successful, gaining access to hundreds of thousands of sites by using automated scripts to stream through the 8.9 million possible username and password combinations to the WordPress accounts.

WordPress installations make up 25 percent of all websites, Landesman said. "When you have full control over a website you are setting the stage for that one-to-one relationship and attacks can persist longer," she said.

NEXT: Targeted Attackers Stage Control Servers On U.S. Soil