Types of cloud malware and how to defend against them

Types of cloud malware

Any discussion around cloud malware needs to focus on two specific categories:

1. malware that uses the cloud for delivery and communications (command and control); and
2. malware that explicitly targets cloud assets and resources.

Modern malware gains a foothold through cloud services via various means. First, many types of malware are hosted in cloud storage environments, either in dedicated services, such as Dropbox or Box, or in storage nodes within IaaS or PaaS clouds. These publicly exposed storage accounts, or nodes, are often within well-known cloud service provider (CSP) environments to minimize the chances that content filtering software blocks the hosting domain. Ransomware, in particular, is often cited as a cloud-hosted threat.

Second, many malware variants host their command-and-control infrastructure in the cloud, as most organizations don't explicitly block traffic to AWS, Azure, Google Cloud Platform and other large CSPs.

Third, some types of malware may be used in DDoS campaigns, where cloud-hosted systems under an attacker's control are then used to send large quantities of traffic to victims. These attacks may also be a result of compromised systems in cloud tenant accounts.

At the same time, new variants of malware target cloud services and workloads. Among the most well known are cryptocurrency miners who target cloud-based VMs and container workloads. These types of malware scan exposed APIs to determine whether any of them can be exploited to permit installation and execution on workloads. Once that's accomplished, attackers mine cryptocurrency for profit.

Trend Micro reported that a variety of coordinated attacker groups compromise exposed cloud assets and services and then mine cryptocurrency using techniques such as SSH brute-forcing, remotely exploiting vulnerable services and issuing commands via exposed APIs.

Other cloud-focused malware includes embedding malicious files into VM templates for continued propagation and persistence -- a technique seen on numerous occasions with cryptomining attacker group TeamTNT. Another common cloud malware involves attacks via compromised plugins and modules in cloud provider marketplaces -- a technique that can be used to steal data from SaaS deployments or embed into PaaS and IaaS accounts. Countless variations of these attacks exist.

How to combat cloud malware

Fortunately, cloud malware can be detected and prevented. Organizations should do the following:

• Encrypt all data stored in the cloud. This helps prevent data exposure or compromise when cloud-based malware targets accounts and workloads.
• Require strong authentication on all cloud user accounts. Strong passwords and multifactor authentication help prevent cloud accounts from being compromised by malware campaigns.
• Back up cloud workloads and data. Ideally, workload images and data stores are backed up and replicated to a separate account or subscription, if possible. This helps mitigate a wide variety of cloud-based malware techniques.
• Implement network and identity-based isolation and segmentation. A number of cloud-oriented segmentation tactics are available; organizations should reduce the attackable surface area within a specific account or network subnet as much as possible.
• Implement network behavioral monitoring tools and services. All major IaaS clouds offer network flow data to tenants. This information can be aggregated and analyzed to spot indicators of lateral movement and command-and-control traffic.
• Use cloud provider tools and detection technologies. In addition to logging events and sending that data to a central analysis platform, some CSPs offer malware detection technology that may uncover indicators of malware infection or behaviors. For example, Microsoft offers malware detection capabilities in a number of its Microsoft 365 services.

While cloud malware is likely here to stay for the foreseeable future, there is one bit of good news: We're getting better at combating it all the time.