Researchers from the Georgia Institute of Technology, Indiana University Bloomington and the University of California, Santa Barbara scanned more than 140,000 sites hosted on 20 major cloud hosting services and found that as many as 10 percent of the repositories hosted on those services had been compromised, according to their report, “Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service.”
The researchers also found hundreds of active repositories, several hundred storage “buckets” in all, actively serving malware. Threat actors use cloud storage to deliver malware and other malicious content while remaining undetected, by methods ranging from conventional exploits to abuse of misconfigured repositories. Some of the hosted components may even look benign on their own and only become harmful once they are combined in a particular way, the researchers said.
“When it comes to malicious buckets, our study found the new wave of repository-based cyber-attacks,” Georgia Tech's School of Electrical and Computer Engineering professor Raheem Beyah told SC Media via emailed comments. “Cloud repositories have become the hub of malicious web activities.”
In one instance involving potentially unwanted programs (PUPs), the researchers found at least 11 bad cloud repositories on three different cloud platforms supporting 772 websites, Beyah said.
Beyah added that threat actors take advantage of the cloud because the sheer volume of storage it provides is difficult to scan. The report also found that cyber crooks hide their activity by keeping the components of their malware in separate repositories: no single component triggers a traditional scanner, and the malware is assembled only when it is needed to launch an attack.
Researchers spotted a wide range of attacks in the cloud-hosted repositories, from phishing and common drive-by downloads to fake antivirus and fake software update sites, the report said.
Sometimes the crooks simply opened an inexpensive account to host the malicious content. Others hid it among legitimate content in the cloud-based domains of well-known brands, so that the malicious files could not be blacklisted without also blocking the brand's domain.
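The two evasion tricks described above, splitting a payload across repositories so no single object looks malicious, and parking one piece under a legitimate brand's storage domain, can be reproduced in a few lines. The following is an added example, not code from the paper or from SC Media; every bucket name, object key, file content and the `EICAR-LIKE-MARKER` signature are constructed sample data. It shows a naive per-object signature scan missing the split payload, and an assembly-aware check that follows the loader page's references, reassembles the pieces in order, decodes them and then scans the result.

```python
"""Added example: split-payload evasion vs. an assembly-aware scan.
All buckets, objects and the signature below are constructed, hypothetical data."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Hypothetical signature a traditional per-object scanner looks for.
SIGNATURE = b"EICAR-LIKE-MARKER"

# Constructed malicious payload; the attacker base64-encodes it and
# splits the encoding into pieces stored in different repositories.
PAYLOAD = b"<script>" + SIGNATURE + b"</script>"


def split_payload(payload: bytes, parts: int) -> List[bytes]:
    """Attacker side: encode and cut into `parts` chunks of equal size."""
    enc = base64.b64encode(payload)
    step = -(-len(enc) // parts)  # ceiling division
    return [enc[i:i + step] for i in range(0, len(enc), step)]


CHUNKS = split_payload(PAYLOAD, 3)

# Constructed repositories. The third one imitates a well-known brand's
# storage domain holding mostly legitimate content plus one chunk.
BUCKETS: Dict[str, Dict[str, bytes]] = {
    "bucket-a.example":  {"css/theme.css": b"body{color:#333}", "img/p1.dat": CHUNKS[0]},
    "bucket-b.example":  {"js/lib.min.js": b"/* harmless js */", "img/p2.dat": CHUNKS[1]},
    "brand-cdn.example": {"index.html": b"<html>legit site</html>", "img/p3.dat": CHUNKS[2]},
}

# Constructed loader page: it only references the chunk URLs, so it
# carries no malicious bytes of its own.
LOADER = b"""<html><body><script>
var parts = ["https://bucket-a.example/img/p1.dat",
             "https://bucket-b.example/img/p2.dat",
             "https://brand-cdn.example/img/p3.dat"];
/* fetch each part, join, base64-decode, then execute (omitted) */
</script></body></html>"""


def scan_object(data: bytes) -> bool:
    """Naive per-object check: what a traditional signature scanner does."""
    return SIGNATURE in data


def scan_buckets_per_object(buckets: Dict[str, Dict[str, bytes]]) -> List[str]:
    """Scan every stored object in isolation; returns the keys that matched."""
    return [f"{host}/{key}" for host, objs in buckets.items()
            for key, data in objs.items() if scan_object(data)]


URL_RE = re.compile(rb'https?://([A-Za-z0-9.-]+)/([^"\s]+)')


def fetch(buckets: Dict[str, Dict[str, bytes]], host: str, key: str) -> Optional[bytes]:
    """Stand-in for an HTTP fetch against the constructed buckets."""
    return buckets.get(host, {}).get(key)


def assembled_payload(buckets: Dict[str, Dict[str, bytes]], loader: bytes) -> Optional[bytes]:
    """Follow the loader's references in order, join the pieces and decode.
    Returns None if any referenced piece is missing."""
    refs = URL_RE.findall(loader)
    pieces = [fetch(buckets, h.decode(), k.decode()) for h, k in refs]
    if not pieces or any(p is None for p in pieces):
        return None
    joined = b"".join(pieces)
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error:
        return joined  # not base64 after all; scan the raw concatenation


def scan_assembled(buckets: Dict[str, Dict[str, bytes]], loader: bytes) -> bool:
    """Assembly-aware check: scan what the victim's browser would actually run."""
    data = assembled_payload(buckets, loader)
    return data is not None and scan_object(data)


if __name__ == "__main__":
    print("per-object hits:", scan_buckets_per_object(BUCKETS))   # []
    print("assembled hit:  ", scan_assembled(BUCKETS, LOADER))     # True
```

The per-object scan returns nothing because the standard base64 alphabet cannot even contain the `-` characters of the marker, so no chunk matches on its own; only by following the loader's references, in the order the page fetches them, does the decoded payload reappear. The same idea scales to real scanning: treat the page that stitches objects together as the unit of analysis, not the individual bucket object.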
Beyah said service providers, bound by privacy commitments and ethical concerns, tend to avoid inspecting their customers' repositories without proper consent, and even when they are willing to inspect them, malicious content is difficult to spot.
The cloud hosting companies were notified of the findings before the study was published, yet it is unclear how many malicious repositories remain. “So far only Groupon has acknowledged the importance of our findings and expressed gratitude for our help,” the researchers said.