Cyber criminals tap the cloud for malware hosting

News by Steve Gold

"Using the cloud for cyber-criminal resources means that it's now possible to control your darkware empire from a single laptop"

A new report on the latest security threats has found that leading cloud service providers like Amazon, Google and GoDaddy are being used to store a variety of complex malware that cyber criminals use to infect Internet users.

The Q4 2013 Threat Intelligence Report from the Security Engineering Research Team (SERT) reveals that the misuse of trusted address spaces offers cyber criminals a new attack path against all Internet users.

The report puts this down to a technology shift over to the cloud, which gives users the ability to provision and de-provision systems and applications quickly and cost-effectively.

"The cloud has become a preferred mode for malicious actors who are using cloud computing for many of the same reasons that legitimate customers are, including the ease of site development, allowing malware distributors to quickly develop sites and bring them online," reads the report, which adds that using trusted address spaces like Amazon and Google means that the IP traffic will not be blocked by geographic blacklists, nor would it draw suspicion based on the IP addresses involved.

Dermot Williams, managing director of security analysis and systems integration company Threatscape, says that cloud computing offers cyber criminals the same set of advantages that IT managers are looking for, most notably the ability to spin up and down resources on an on-demand basis.

"Having API-level access to the cloud resources clearly makes cloud computing highly attractive. Cyber criminals can -- quite literally -- program up hundreds of server resources for a few pounds. They can then only pay, exactly, for the resources that are used," he told

"Using the cloud for cyber-criminal resources mean that it's now possible to control your darkware empire from a single laptop. It really is that easy to control, using a few lines of code to move entire disks of data around. Your malware is then lost in a sea of servers and data centres," he explained.

Williams' observations were backed up by Tim Keanini, CTO with security vendor Lancope, who said that the information security industry often speaks about malware from the victim's point of view.

"Everyone knows or has experienced clicking on a link and ultimately downloading malware for execution on the victim's computer, but no one as of yet has spoken in detail of the other side of this equation,” he told “The adversaries here have a very dynamic business model and who better to serve them but cloud services where they can spin up and spin down any capacity needed.”

Keanini, a 25-year IT security veteran who joined Lancope from nCircle last September, said that some observers have asked whether the cloud providers have enough operational visibility to detect these ‘indicators of compromise'.

He said that the issue here is that noting has been compromised in most cases, as it is just websites serving data. Coupled with the fact that the advanced threat actors know how they are being watched - and when they are detected - this means that they can adapt. 

Fellow CTO Amichai Schulman, now with Imperva, said that his firm's research has not only found cyber criminals hosting their databases in the cloud, but also rogue databases hosted in the same cloud resource, and analysing the data being harvested by the malware.

The reason for this strategy being adopted by cyber criminals, he explained, is that cloud services are either free to use, or are available at very low cost. It's no surprise then, he adds, that hackers are flocking to the cloud.

If that wasn't enough, Schulman says that the problem is compounded by the fact that a lot of malware being stored is not being detected by anti-virus solutions.

"This doesn't mean that the AV products are bad, simply that there are so many variants of malware being developed - and changing on a regular basis - that tracking and defending against a given piece of malware has become an almost impossible job," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews