Welcome!

@CloudExpo Authors: Zakia Bouachraoui, Elizabeth White, Liz McMillan, Pat Romanski, Roger Strukhoff

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Malware and Cloud Jacking

Although the growth of malware may be flattening, its design sophistication is not.

Malicious software or malware is a security nightmare. One can agree with the statement that malware in the internet is a growing epidemic and is costing industry billions of dollars each year.

According to Microsoft Malware "is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al."

Although the growth of malware may be flattening, its design sophistication is not. Per Kaspersky labs approximately 300,000 new malware programs were discovered per day; last year.

Graham Cluley of Sophos Labs stated Sophos "sees in excess of 50,000 new samples daily the vast majority of which are focused on making money."

These days your typical malware agent is designed to conceal itself in an intelligent and proactive/reactive manner from standard AV software.

As we know there are several ways malware can infect a machine e.g. drive by download, infected USB, spoofing, fake anti-virus security products, search engine optimisation (SEO) by drawing internet users to compromised and legitimate websites and infecting their machines as a result etc.

In order to maintain its residence on an infected system/s malware has to either

a)  Adapt legitimate data or program, or programs within the client device, in order to gain control after the audit process has completed or

b) Remain active in RAM or swap space

How does this relate to the cloud? Assuming a capitalizing on the much hyped - scalability and flexibility; a malware agent can potentially forward relevant data into a compromised cloud system, thus capitalizing on the cloud's scalable computational and storage properties.

It can then use this access to "infinite computing power and storage" to compute values needed by the verification authority on the infected  system thereby avoiding detection and possibly moving undetected throughout any array of networks; wreaking undetected havoc as it processes data.

But the cloud is a virtual environment; and virtualization is highly dependent on a hypervisor which is easily verifiable and well protected...right?

Not so much: this premise was in part due to the hypervisor or Virtual Machine Monitor (VMM), initially consisting of a comparatively small code base which had limited interaction with the external world.

However there are known attacks on the hypervisor which could possibly impact the Cloud Computing Ecosystem: two of which are

1. Hyper-jacking: Where an attacker inserts a rogue hypervisor; taking advantage of an assumption that there is a level of difficult for any OS running on the hypervisor to detect an attacker's insertion. This based on the level of privilege at which the hypervisor runs. An attack of this nature can potentially give control of any virtual machine running on the physical server to the attacker e.g. Joanna Rutkowska's Blue Pill rootkit.

2. VM Escape: If a virtual system is compromised by an attacker and via a set software system is able to totally bypass the hypervisor or virtual layer, it is quite possible to get access to the host machine and by this root privileges. For instance a vulnerability vmnat.exe was identified in VMware Workstation, which could be exploited by remote attackers to execute arbitrary commands.

The exploit that enables VM Escape can allow an attack on a specific virtual server to escalate from the virtual server to the underlying user space. An attacker can then gain control of the underlying hypervisor.

Of importance is although such exploits can be used under certain circumstances to cause the host environment to execute arbitrary code, this can only occur with weak security configurations e.g. weak code, unpatched systems.

In terms of the hypervisor code we are seeing a growth in its volume with time e.g. recent attacks on Xen's showed that its code and data can be modified at runtime, allowing backdoor functionality. All known issues were patched however with the growth in the skills and resources within the "hacking enterprises", there should be some concern and planning for risk mitigation within the environment.

A recent study stated that VMware ESX 3.x bare-metal hypervisor exhibited at least 165 known vulnerabilities.

In light of this, a potential cloud customer should get a good working idea of their vendor's security policies, continuity and recovery protocols to ensure the confidentiality, integrity and availability of their data.

References

  1. Virtualization Security. Edward Ray, Eugene Schultz. s.l. : ACM -The Association for Computing Machinery, 2004. 1-58113-000-0/00/0004.
  2. Tim Shelton. [VulnWatch] [ACSSEC-2005-11-25-0VMWare Workstation 5.5.0
  3. Carl Gebhardt, Allan Tomlinson. Security consideration for Virtualization. Egham : Depart of Mathematics Royal Holloway University
  4. Paul Arcenaux. Securing the virtual data center. www.hp.com. [Online] Hewlitt Packard (HP), May 2010.
  5. K.-K. Choo. Organised crime groups in cyberspace: a typology. Trends in Organized Crime, 11(3):270{295, 2008
  6. Network Security April 2010 pgs 8-10

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP. A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
The precious oil is extracted from the seeds of prickly pear cactus plant. After taking out the seeds from the fruits, they are adequately dried and then cold pressed to obtain the oil. Indeed, the prickly seed oil is quite expensive. Well, that is understandable when you consider the fact that the seeds are really tiny and each seed contain only about 5% of oil in it at most, plus the seeds are usually handpicked from the fruits. This means it will take tons of these seeds to produce just one bottle of the oil for commercial purpose. But from its medical properties to its culinary importance, skin lightening, moisturizing, and protection abilities, down to its extraordinary hair care properties, prickly seed oil has got lots of excellent rewards for anyone who pays the price.
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected path for IoT innovators to scale globally, and the smartest path to cross-device synergy in an instrumented, connected world.
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
ScaleMP is presenting at CloudEXPO 2019, held June 24-26 in Santa Clara, and we’d love to see you there. At the conference, we’ll demonstrate how ScaleMP is solving one of the most vexing challenges for cloud — memory cost and limit of scale — and how our innovative vSMP MemoryONE solution provides affordable larger server memory for the private and public cloud. Please visit us at Booth No. 519 to connect with our experts and learn more about vSMP MemoryONE and how it is already serving some of the world’s largest data centers. Click here to schedule a meeting with our experts and executives.
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understanding as the environment changes.