Types of cloud malware and how to defend against them

Malware is a fact of life today. And that isn’t likely to change anytime soon.

Cloud malware adds another category to the worms, viruses, spyware and other malevolent software the industry battles every day. The phenomenon isn’t new; it has been growing for more than a decade. The SpyEye banking Trojan, for example, was hosted in Amazon Simple Storage Service buckets back in 2011. Cloud security provider Netskope reported that 68% of all malware downloads originated in cloud apps.

Let’s take a look at the types of cloud malware and how to defend against them.

Types of cloud malware

Any discussion around cloud malware needs to focus on two specific categories:

  1. malware that uses the cloud for delivery and communications (command and control); and
  2. malware that explicitly targets cloud assets and resources.

Modern malware gains a foothold through cloud services via various means. First, many types of malware are hosted in cloud storage environments, either in dedicated services, such as Dropbox or Box, or in storage nodes within IaaS or PaaS clouds. These publicly exposed storage accounts, or nodes, are often within well-known cloud service provider (CSP) environments to minimize the chances that content filtering software blocks the hosting domain. Ransomware, in particular, is often cited as a cloud-hosted threat.

Second, many malware variants host their command-and-control infrastructure in the cloud, as most organizations don’t explicitly block traffic to AWS, Azure, Google Cloud Platform and other large CSPs.

Third, some types of malware may be used in DDoS campaigns, where cloud-hosted systems under an attacker’s control are then used to send large quantities of traffic to victims. These attacks may also be a result of compromised systems in cloud tenant accounts.
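The first two mechanisms above, payloads hosted in cloud storage and command-and-control endpoints hosted with large CSPs, both leave traces in outbound web proxy logs. The script below is an added example written for this page, not code from the article or from any vendor it cites. It runs over constructed log lines and assumes a simple six-field format (timestamp, client IP, method, URL, status, content type); the domain suffix lists and the beacon thresholds are assumptions you would tune to your own environment.

```python
"""Two detections for cloud-based malware delivery, run over constructed proxy log lines.
Example code written for this page; not from the original article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log (timestamp, client, method, url, status, content-type).
# 10.0.0.5 fetches an executable from Dropbox; 10.0.0.7 fetches a zip from Box and then
# polls an EC2-hosted name every 60 s; 10.0.0.9 is a person browsing an Azure-hosted app.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET https://dl.dropboxusercontent.com/s/k1/update.exe 200 application/x-msdownload
2024-05-01T10:00:03Z 10.0.0.5 GET https://reports-bucket.s3.amazonaws.com/q1.docx 200 application/vnd.openxmlformats-officedocument.wordprocessingml.document
2024-05-01T10:00:05Z 10.0.0.7 GET https://app.box.com/shared/static/loader.zip 200 application/zip
2024-05-01T10:01:00Z 10.0.0.7 POST https://ec2-203-0-113-10.compute-1.amazonaws.com/api/check 200 text/plain
2024-05-01T10:02:00Z 10.0.0.7 POST https://ec2-203-0-113-10.compute-1.amazonaws.com/api/check 200 text/plain
2024-05-01T10:03:00Z 10.0.0.7 POST https://ec2-203-0-113-10.compute-1.amazonaws.com/api/check 200 text/plain
2024-05-01T10:04:00Z 10.0.0.7 POST https://ec2-203-0-113-10.compute-1.amazonaws.com/api/check 200 text/plain
2024-05-01T10:05:00Z 10.0.0.7 POST https://ec2-203-0-113-10.compute-1.amazonaws.com/api/check 200 text/plain
2024-05-01T10:00:30Z 10.0.0.9 GET https://myapp.azurewebsites.net/api/status 200 application/json
2024-05-01T10:07:10Z 10.0.0.9 GET https://myapp.azurewebsites.net/api/status 200 application/json
2024-05-01T10:25:42Z 10.0.0.9 GET https://myapp.azurewebsites.net/api/status 200 application/json
2024-05-01T10:31:03Z 10.0.0.9 GET https://myapp.azurewebsites.net/api/status 200 application/json
"""

# Assumed suffix lists: extend them for the storage and CSP domains your organization sees.
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "dropboxusercontent.com", "box.com",
                          ".s3.amazonaws.com", "blob.core.windows.net", "storage.googleapis.com")
CSP_HOST_SUFFIXES = ("amazonaws.com", "azurewebsites.net", "cloudapp.azure.com",
                     "appspot.com", "run.app")
# Executable content types and extensions, plus the archives that commonly wrap them.
RISKY_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-executable",
               "application/octet-stream", "application/zip"}
RISKY_EXTS = (".exe", ".dll", ".msi", ".scr", ".ps1", ".jar", ".zip")


def parse_log(text):
    """Turn the six-field log lines into dicts with parsed time, host and path."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        parsed = urlparse(url)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "host": parsed.hostname or "", "path": parsed.path,
            "status": int(status), "ctype": ctype.lower(),
        })
    return records


def flag_cloud_hosted_executables(records):
    """Downloads of executable-like content from well-known cloud storage domains.
    Returns (client, host, path) tuples; document downloads are left alone."""
    hits = []
    for r in records:
        if not r["host"].endswith(CLOUD_STORAGE_SUFFIXES):
            continue
        if r["ctype"] in RISKY_TYPES or r["path"].lower().endswith(RISKY_EXTS):
            hits.append((r["client"], r["host"], r["path"]))
    return hits


def flag_beacons(records, min_hits=4, max_jitter=0.2):
    """Regular, repeated connections from one client to one CSP-hosted name.
    Jitter is stdev/mean of the inter-request gaps; near-zero jitter over several
    requests is the hallmark of an automated beacon rather than a person browsing.
    Returns (client, host, request_count, mean_gap_seconds) tuples."""
    by_pair = defaultdict(list)
    for r in records:
        if r["host"].endswith(CSP_HOST_SUFFIXES):
            by_pair[(r["client"], r["host"])].append(r["time"])
    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, host, len(times), round(avg, 1)))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in flag_cloud_hosted_executables(recs):
        print("executable fetched from cloud storage:", hit)
    for beacon in flag_beacons(recs):
        print("possible cloud-hosted C2 beacon:", beacon)
```

On the sample data the first detection flags the Dropbox `.exe` and the Box zip but not the Word document on S3, and the second flags only the 60-second polling of the EC2 hostname; the irregular visits to the Azure-hosted app fall outside the jitter threshold. Neither check blocks the CSP domains outright, which is the point the text makes: because whole CSPs cannot be blocked, detection has to key on what is downloaded and how the traffic behaves.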

At the same time, new variants of malware target cloud services and workloads directly. The best known are cryptocurrency miners that target cloud-based VMs and container workloads. This type of malware scans exposed APIs to determine whether any of them can be exploited to permit installation and execution on the workload. Once that is accomplished, the attackers mine cryptocurrency for profit on the victim's compute.

Trend Micro reported…

Source…