Common cyber threats against Cloud security


Attacks on Cloud deployments are increasing at an alarming rate. They take different forms: DoS and DDoS attacks that target the availability of Cloud services and resources, and techniques such as port scanning, IP spoofing, DNS poisoning, and phishing that are used to gain access to Cloud resources.

Most attackers target vulnerabilities or loopholes in the security architecture of the Cloud, such as weak isolation between tenants or misconfigured services, which an adversary can exploit to gain access to the network and to other infrastructure resources.

In this article, we present a list of common cyber threats that an adversary can launch by exploiting vulnerabilities in the Cloud.

Zombie Attack

An attacker floods the victim over the Internet with requests sent from compromised hosts that belong to other, innocent parties; such hosts are called zombies. In the Cloud, the interfaces for requesting Virtual Machines (VMs) and other resources are reachable by users over the Internet, so an attacker can direct a large volume of requests at them through zombies. The Cloud becomes overloaded serving the flood and its capacity is exhausted, producing a DoS (Denial of Service) or, when many zombies take part, a DDoS (Distributed Denial of Service) condition on the servers: while the attacker's flood of requests is being processed, the requests of valid users cannot be served.

Mitigation: stronger authentication and authorization on the request path, together with IDS/IPS and per-source rate limiting, help protect against such an attack.
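The flood described above leaves a recognisable trace in request logs, and the distinction between one loud zombie and many quiet ones decides which check catches it. The following is an added example (not code from the original article): a sliding-window detector run over constructed access-log lines, with the log format, the thresholds and every IP address and timestamp chosen as assumptions for illustration.

```python
"""Request-flood detection over constructed access-log lines.

Added example, not part of the original article. The log format, the
thresholds and every IP address and timestamp below are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout: "<ISO-8601 timestamp> <client IP> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def _sliding_peaks(lines, key, window):
    """Peak number of events sharing the same `key` inside any sliding `window`."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    peaks = defaultdict(int)
    for line in lines:            # lines must be in chronological order
        ev = parse_line(line)
        if ev is None:
            continue
        k = key(ev)
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peaks[k] = max(peaks[k], len(q))
    return dict(peaks)


def find_flooders(lines, window=timedelta(seconds=10), threshold=20):
    """Sources that sent more than `threshold` requests inside one `window` (loud zombies)."""
    peaks = _sliding_peaks(lines, lambda ev: ev["ip"], window)
    return {ip: n for ip, n in peaks.items() if n > threshold}


def peak_rate_per_path(lines, window=timedelta(seconds=10)):
    """Peak request count per target path regardless of source.

    A distributed flood keeps every zombie below the per-source threshold, so the
    target-side aggregate is what actually reveals it.
    """
    return _sliding_peaks(lines, lambda ev: ev["path"], window)


def build_sample_log():
    """Constructed log: one legitimate user, one loud zombie, forty quiet zombies."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Legitimate user: five requests spread over a minute.
    for k in range(5):
        events.append((base + timedelta(seconds=-30 + 15 * k), "203.0.113.7", "GET", "/dashboard"))
    # Loud zombie: thirty VM-creation requests in three seconds.
    for i in range(30):
        events.append((base + timedelta(seconds=0.1 * i), "198.51.100.10", "POST", "/api/vm/create"))
    # Quiet zombies: forty hosts, four requests each, all aimed at the same endpoint.
    for n in range(40):
        for j in range(4):
            events.append((base + timedelta(seconds=2 * j), f"198.51.100.{100 + n}", "POST", "/api/vm/create"))
    events.sort()
    return [f"{ts.isoformat()} {ip} {method} {path} 200" for ts, ip, method, path in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("loud sources:", find_flooders(log))
    print("peak requests per path in 10 s:", peak_rate_per_path(log))
```

On the constructed log the per-source check flags only the loud zombie, while the forty quiet zombies stay under its threshold and are visible only in the per-path aggregate. Both views are needed, and since zombies can also spoof source addresses, production rate limiting belongs in front of the provisioning API (load balancer, WAF or API gateway) rather than only in after-the-fact log analysis.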

Service Injection Attack

The Cloud system is responsible for locating and, if necessary, instantiating a free instance of a requested service, and the address of that new instance is then communicated to the requesting user. An adversary tries to inject a malicious service or a new virtual machine into the Cloud system so that it serves malicious content to users. Such Cloud malware affects Cloud services by altering (or blocking) Cloud functionality. Consider an adversary who creates his or her own malicious SaaS, PaaS, or IaaS offering and adds it to the Cloud system's service catalog: if this succeeds, valid requests are automatically redirected to the malicious service.

Mitigation: to defend against this type of attack, a service integrity checking module should verify that every instance handed out is one the provider actually registered, and strong isolation between VMs prevents the attacker from injecting malicious code into a neighbor's VM.

VM Escape

In this attack, a program the attacker runs inside a VM breaks out of the isolation layer and executes with the hypervisor's privileges instead of the VM's. The attacker can then interact directly with the hypervisor: VM escape defeats the isolation that the virtualization layer is supposed to provide, giving the attacker access to the host OS and to the other VMs on the same physical machine.

Rootkit in Hypervisor

A VM-based rootkit installs its own hypervisor underneath the running host OS, demoting that OS to a guest VM. The now-guest OS believes it is still running directly on the hardware with full control over resources, but that host no longer exists. The malicious hypervisor can also open a covert channel through which unauthorized code is executed on the system. This lets the attacker control any VM running on the host machine and manipulate activity on the system.

Mitigation: threats arising from VM-level vulnerabilities can be reduced by monitoring with an IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) and by deploying a firewall. Because both VM escape and a hypervisor rootkit operate beneath the guest, keeping the hypervisor patched and verifying its boot integrity (measured or secure boot) addresses them more directly than network monitoring alone.

Man in the Middle Attack

If SSL/TLS is not properly configured, an attacker positioned on the network path can read or alter the data exchanged between two parties. In the Cloud, this includes the data communication between data centers.

Mitigation: proper SSL/TLS configuration (certificate validation, hostname checking, and current protocol versions) and testing the communication paths between authorized parties reduce the risk of a Man-in-the-Middle attack.
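What "properly configured" means in practice is easiest to see as a weak context beside a hardened one. The following is an added example (not code from the original article) using only the standard-library ssl module: it builds the contexts offline, never opens a connection, and audits the three settings that decide whether an on-path attacker can terminate the session. The optional CA file path for inter-data-center links is an assumption.

```python
"""TLS client and server contexts: a weak configuration beside a hardened one.

Added example, not part of the original article. It uses only the standard
library ssl module, builds the contexts offline and audits their settings;
no connection is made, and the optional CA file path is an assumption.
"""
import ssl


def weak_client_context():
    """Weak: the peer's certificate is neither required nor checked against the hostname,
    so anyone on the path can terminate the connection with a self-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:                                # also lower the protocol floor where the OpenSSL build allows it
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass
    return ctx


def hardened_client_context(cafile=None):
    """Hardened: certificate required, hostname checked, TLS 1.2 or newer only.

    `cafile` is the (assumed) path of the private CA that signs certificates for
    inter-data-center links; with None the system trust store is used.
    """
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # set before check_hostname, which refuses CERT_NONE
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context():
    """Server side for data-center-to-data-center links: require a client certificate (mutual TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ctx.load_cert_chain(certfile, keyfile) and ctx.load_verify_locations(cafile)
    # would follow here with real files; they are omitted so the example runs offline.
    return ctx


def audit(ctx):
    """Return the list of MitM-relevant weaknesses found in a context (empty means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.protocol != ssl.PROTOCOL_TLS_SERVER and not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor below TLS 1.2 ({ctx.minimum_version.name})")
    return findings


def is_mitm_resistant(ctx):
    return audit(ctx) == []


if __name__ == "__main__":
    print("weak client:    ", audit(weak_client_context()))
    print("hardened client:", audit(hardened_client_context()))
    print("hardened server:", audit(hardened_server_context()))
```

The weak context is what code ends up with after "fixing" a certificate error by turning verification off; it negotiates happily with whoever answers. The hardened client pins trust to a CA, checks that the certificate names the host it intended to reach, and refuses pre-1.2 protocol versions; the server half requires a client certificate so that a data-center link authenticates both ends rather than one. Running `audit` over every context an application constructs is a cheap regression check for the "data communication test" the mitigation calls for.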

Metadata Spoofing Attack

In this attack, an adversary modifies the service's Web Services Description Language (WSDL) file, in which the descriptions of service instances (including their invocation details and addresses) are stored. If the adversary can intercept and alter the service invocation information in the WSDL file at delivery time, the client is handed the adversary's version of the description and invokes the service as the adversary specified.

Mitigation: information about services and applications should be encrypted in transit and integrity-protected (for example, by signing service descriptors) to counter such an attack, since encryption alone does not reveal a modified file. Strong authentication (and authorization) should be enforced for access to this critical information.
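The service integrity checking module recommended against Service Injection and the integrity protection recommended here against Metadata Spoofing are the same mechanism: a signed manifest of the services the provider actually registered, each with the hash of its genuine descriptor, against which every instance handed to a client is checked. The following is an added example (not code from the original article) serving both sections. The manifest layout, service names, endpoints, WSDL snippets and key are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a production deployment would use so that clients hold only a verification key.

```python
"""Signed service manifest: integrity checking for service instances and their WSDL descriptors.

Added example, not part of the original article. The manifest layout, the service
names, the endpoints, the descriptor snippets and the key are all constructed for
illustration, and HMAC-SHA256 stands in for the asymmetric signature a production
deployment would use so that clients hold only a verification key.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"   # assumption: shared with the service catalog only


class IntegrityError(Exception):
    """Raised when a service or its descriptor does not match the signed manifest."""


def canonical(manifest):
    # Stable serialisation so that a signature covers the same bytes on both sides.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def resolve_service(name, manifest, signature, key, registry):
    """Return the trusted endpoint for `name`, or raise IntegrityError.

    `registry` stands in for the live, mutable service registry that an adversary tries
    to inject into: name -> (advertised endpoint, descriptor bytes as delivered).
    Nothing in it is trusted until it matches the signed manifest.
    """
    if not verify_manifest(manifest, signature, key):
        raise IntegrityError("manifest signature invalid")
    entry = manifest["services"].get(name)
    if entry is None:
        raise IntegrityError(f"service {name!r} is not in the signed manifest")
    if name not in registry:
        raise IntegrityError(f"service {name!r} is not available")
    endpoint, descriptor = registry[name]
    if endpoint != entry["endpoint"]:
        raise IntegrityError(f"endpoint mismatch for {name!r}: {endpoint} != {entry['endpoint']}")
    if sha256_hex(descriptor) != entry["descriptor_sha256"]:
        raise IntegrityError(f"descriptor for {name!r} has been modified")
    return endpoint


# Constructed genuine descriptor and the manifest the provider signs at registration time.
BILLING_WSDL = (b'<definitions><service name="billing"><port>'
                b'<soap:address location="https://billing.internal.example/ws"/>'
                b'</port></service></definitions>')
MANIFEST = {"version": 1, "services": {
    "billing": {"endpoint": "https://billing.internal.example/ws",
                "descriptor_sha256": sha256_hex(BILLING_WSDL)}}}
SIGNATURE = sign_manifest(MANIFEST, KEY)


def attempt(name, manifest, signature, registry):
    try:
        return resolve_service(name, manifest, signature, KEY, registry)
    except IntegrityError as e:
        return f"rejected: {e}"


def demo():
    """Run the honest case and four attack scenarios; returns a dict of outcomes."""
    genuine = {"billing": ("https://billing.internal.example/ws", BILLING_WSDL)}
    # Service injection: a new "service" appears in the registry but was never signed in.
    injected = dict(genuine, **{"billing-v2": ("https://203.0.113.66/ws", b"<definitions/>")})
    # Injection that replaces the genuine instance: same name, attacker's address.
    redirected = {"billing": ("https://203.0.113.66/ws", BILLING_WSDL)}
    # Metadata spoofing: the endpoint is right but the WSDL handed to the client was altered in transit.
    spoofed = {"billing": ("https://billing.internal.example/ws",
                           BILLING_WSDL.replace(b"billing.internal.example", b"203.0.113.66"))}
    # Tampered manifest: the attacker edits a copy to admit the new service but cannot re-sign it.
    tampered = json.loads(json.dumps(MANIFEST))
    tampered["services"]["billing-v2"] = {"endpoint": "https://203.0.113.66/ws",
                                          "descriptor_sha256": sha256_hex(b"<definitions/>")}
    return {
        "honest": attempt("billing", MANIFEST, SIGNATURE, genuine),
        "injected": attempt("billing-v2", MANIFEST, SIGNATURE, injected),
        "redirected": attempt("billing", MANIFEST, SIGNATURE, redirected),
        "spoofed": attempt("billing", MANIFEST, SIGNATURE, spoofed),
        "tampered_manifest": attempt("billing-v2", tampered, SIGNATURE, injected),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

Only the honest case resolves; an injected service, a redirected instance, a WSDL altered on the way to the client, and a manifest edited to admit the attacker's service are each rejected at a different check. The manifest must be signed with a key the service catalog does not expose to tenants, otherwise an attacker who can inject a service can also sign it in; that is why a real deployment uses an asymmetric key pair and distributes only the public half.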

Phishing Attack

Phishing attacks are well known for manipulating a web link so that it redirects a user to a fraudulent site that collects sensitive data. In the Cloud, an attacker may use a Cloud service itself to host the phishing site and then hijack the accounts and services of other users of the Cloud.

Backdoor Channel Attack

A backdoor channel is a covert channel that gives an attacker persistent remote access to a compromised system. Using it, the attacker can control the victim's resources, turn the machine into a zombie for a DDoS attack, or disclose the victim's confidential data.

Mitigation: stronger authentication and isolation between VMs help protect against such attacks.