Cybercriminals Are Picking On U.S. Cloud Hosting Providers

Cybercriminals waging financially motivated attacks and targeted attacks that steal intellectual property are taking advantage of the infrastructure at U.S. cloud hosting providers, according to two malware researchers.

Speaking to security professionals Monday in separate sessions at the 2013 Gartner Security and Risk Management Summit, Mary Landesman, a senior security researcher at Cisco Systems, and Dave Monnier of security research firm Team Cymru, highlighted the attack techniques used by cybercriminal organizations, finding many setting up command and control servers on U.S. soil. Attackers use servers on hijacked cloud hosting accounts or set up their own fraudulent account with stolen credit cards to conduct their malicious activity.

"We need hosting providers to ensure the integrity of all their Web servers continually," Landesman said.


A Web hosting provider provides domain services and management capabilities for website owners, and cloud hosting accounts can have one site or dozens of sites or more associated with them, Landesman said. When an attacker controls a server, it controls the actions of each of the websites hosted on it and can direct attacks at targeted victims or conduct broad campaigns intended to infect masses of individuals.

Landesman highlighted the Darkleech attacks, which use dynamic code injection and serve iFrame attacks from compromised websites only once a day and only to specific types of visitors. Darkleech targets Apache servers and has been documented by researchers at security vendor ESET.

The Darkleech attackers' technique makes it difficult for hosting providers that monitor accounts to detect the malicious activity. A new version of the threat, the Linux/Cdorked malware, was detected attacking Apache installations in March. Attackers are adapting to improved coding practices and detection capabilities and are careful to avoid detection by moving to a new domain every two weeks and never keeping an attack on a website for more than 24 hours.

"Even the most diligent concerned website operator is not going to be able to see the signs of that compromise," Landesman said.

Landesman also highlighted the Gumblar attacks, a series of longstanding brute-force attacks that harvest administrator usernames and passwords for WordPress accounts. The attackers were successful, gaining access to hundreds of thousands of sites by using automated scripts to run through the 8.9 million possible username and password combinations against the WordPress accounts.

WordPress installations make up 25 percent of all websites, Landesman said. "When you have full control over a website you are setting the stage for that one-to-one relationship and attacks can persist longer," she said.
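The WordPress brute-force campaign described above is one a hosting provider is well placed to catch, because a single attacking source hits the login page of many sites on the same shared host, something no individual site owner can see. The following is an added example, not code from the article or from either researcher; it assumes Apache access logs with the virtual host name as the first field and /wp-login.php as the login endpoint, and the log lines it runs over are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log with the vhost prepended ("%v %h %l %u %t ..."); an assumption.
LOG_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_bruteforce(lines, window=timedelta(minutes=5), max_posts=20, min_sites=3):
    """Return {ip: (peak POSTs in one window, distinct vhosts)} for suspect IPs.
    Signals: a burst of POSTs to wp-login.php from one IP, or one IP posting to
    the login page of several hosted sites (a slow attacker still trips this, and
    only whoever sees every vhost on the host can correlate it)."""
    events = defaultdict(list)  # ip -> [(timestamp, vhost)]
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            events[rec["ip"]].append((rec["ts"], rec["vhost"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        sites = {vhost for _, vhost in evs}
        if peak >= max_posts or len(sites) >= min_sites:
            flagged[ip] = (peak, len(sites))
    return flagged

# Constructed sample: one source spraying three hosted sites, one normal login.
SAMPLE = [f'site{i % 3}.example 203.0.113.7 - - [11/Jun/2013:10:00:{i:02d} +0000] '
          f'"POST /wp-login.php HTTP/1.1" 200 1234' for i in range(25)] + [
    'blog.example 198.51.100.5 - - [11/Jun/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    'blog.example 198.51.100.5 - - [11/Jun/2013:10:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, (peak, sites) in find_bruteforce(SAMPLE).items():
        print(f"{ip}: {peak} login POSTs in 5 min across {sites} sites")
```

The per-site threshold alone misses a campaign that spreads its guesses over hours; the cross-vhost count is the signal that is only available at the hosting-provider level.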

NEXT: Targeted Attackers Stage Control Servers On U.S. Soil

Both Landesman and Monnier pointed to the increasing strength of Distributed Denial of Service attacks as a sign that cybercriminals are successfully controlling more infrastructure at cloud hosting providers. Some cloud providers monitor for abuse and shut down accounts that violate their terms of service, while others just look the other way, security experts say, taking action to shut down accounts only when law enforcement serves a subpoena.

DDoS attacks are most common in the Northern Hemisphere, with Brazil and Australia seeing the fewest signs of attacks. Attack traffic originating from the U.S. is six times higher than from anywhere else in the world, Monnier said. Even as companies such as Amazon Web Services and Rackspace aggressively weed out fraud and throttle back accounts that show signs of problems, attackers still find a hefty return on investment, he said.

"You can move your command and control servers to Kazakhstan, but that's not a very good business decision," Monnier said. "The U.S. has redundant power, high availability and great peering; these are things all these guys are looking for."

Team Cymru's analysis of infected systems that serve botnets found that more than 90 percent are workstations and laptops. There were few mail servers and name servers, Monnier said.

Monnier described a targeted campaign on a large company in which the attackers set up a watering-hole-style attack on a sports league fantasy site, knowing that a large number of employees visited it daily.

"They put an exploit kit on the fantasy sports league site and that site never prepared for an attacker that wanted to get its own customers," he said. "They are after business plans; they are after any type of information that can further someone's investment decisions."

PUBLISHED JUNE 11, 2013