In what is considered to be a natural evolution of tactics used by cybercriminals to infiltrate corporate networks, security firm Trend Micro has new evidence that more botnets and malware are being not only hosted in the cloud, but controlled remotely from cloud servers.
The goal of hackers is to disguise their malicious software as regular traffic between corporate end points and cloud-based services.
Trend Micro reported today through a blog post that it has observed the first instance of hackers using DropBox to host the command and control instructions for malware and botnets that have made it past corporate firewalls.
“At end of the day, cybercriminals are business people,” says Trans Micro Global Threat Communications Manager Christopher Budd. “The same logic that drives business people to using cloud-based services is driving the bad guys to use the cloud too.” And that requires business end users to stay on their feet to combat these threats.
Cybercriminals using cloud-based services to launch attacks is not new, Budd says that practice dates back more than five years. In the past, Trend Micro researchers have found instances of hackers using cloud-based services to host malware and botnets which are then downloaded – many times unknowingly – by end users and inflict their harm on various systems. Some types of botnets and malware are relatively small files that are not sophisticated enough to act on their own – they need some sort of direction. Typically that is provided by command and control (C&C) software. In the past, that command and control software has been hosted by cybercriminals or on servers that could easily be identified as suspicious.
What Trend Micro has discovered recently though is that hackers are using popular cloud-based services to host their C&C software. The advantage of this for the cybercriminals is that the network traffic between the C&C software and the infected malware or botnet looks like regular traffic that would be communicating between a hosted cloud and the business. But, in fact, the C&C software is providing instructions on how the virus can inflict harm behind the company’s firewall.
Trend Micro has found the first example of this C&C software being hosted in DropBox, but Budd emphasizes that any cloud platform could be used to host C&C software.
What can users do about this? Budd says general protections can be taken. For example, network traffic should be monitored closely. If your business does not typically use cloud services, like DropBox, but there is all of a sudden a spike in traffic from those services, it is worth investigating that activity. If a company is already a regular DropBox user, then additional analysis could be needed to monitor that traffic and look for suspicious activity, such as when the traffic is occurring. Anomalies are suspicious.
The issues Trend Micro have found do not mean that DropBox or other cloud providers have been compromised, nor does it mean that businesses who use services like DropBox are inherently in danger. It’s just now been proven that cybercriminals are using services like DropBox to not only host malware and botnets, but also control them.
As security vendors like Trend Micro find examples of this activity they will be able to build protections that identify this type of unwanted traffic and block it in the software they sell. Budd is just worried because this is just the start of a natural evolution of how cyrbercriminals – just like legitimiate businesses – will continue to use cloud-based resources to launch attacks. “It’s really a harbinger,” Budd says.