Criminals are not so different from you and me. They want easy, fast, scalable, affordable cloud services and web hosting, just like us.
Oh sure, sometimes they want the service entirely for free, so they'll compromise the domain of a legitimate, paying customer; but sometimes they'll also pay for the service themselves, just like us. And, according to a new report by Solutionary, criminals use enterprise-class services like Amazon EC2, just like us.
Solutionary's "Quarterly Threat Intelligence Report" states that Amazon hosted 16 percent of the malware distribution channels -- more than any other ISP or hosting provider. Also on the top 10 list were GoDaddy (14%), Akamai (9%), and Google (6%). It's not only the cost, simplicity, and scalability that attract malware authors, criminal hackers, and bot-herders to these services; there are more sinister benefits. From the report:
Use of major hosting providers, such as Amazon or Google, allows malware distributors to originate traffic from trusted address spaces that will not be blocked by geographic blacklists and would not likely draw suspicion based on IP address alone.
In fact, more than 40 of the anti-virus tools tested by Solutionary were unable to detect some of these malware samples.
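The report's point is that a source address in a big provider's range tells a filter almost nothing, so a control that decides on the destination IP alone will wave the download through. The following script is an added example, not code from the article or from Solutionary: it runs two policies over a handful of constructed proxy records, one that only consults a geographic blacklist, and one that looks at what was actually served (a known-bad body digest, or an executable served under an image or document extension). The address ranges (RFC 5737 documentation prefixes standing in for a provider's space), the "known-bad" digest, the log format and the log lines are all constructed for illustration.

```python
"""Added example, not from the article or the Solutionary report: a small
proxy-log triage that contrasts an IP/geo-only policy with a content-aware
one. Every address range, digest and log line here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-ins for a major provider's "trusted" address space.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed stand-in for a geographic blacklist.
GEO_BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed "known-bad" SHA-256 digest (not a real sample).
KNOWN_BAD_SHA256 = {"deadbeef" * 8}
# MIME types that indicate an executable response body.
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-msdownload", "application/x-executable"}
# Extensions under which an executable body is almost certainly a disguise.
BENIGN_EXTENSIONS = (".jpg", ".png", ".gif", ".pdf", ".css", ".js")


@dataclass
class ProxyEntry:
    ts: str
    client: str
    dst_ip: str
    url: str
    content_type: str
    sha256: str  # digest of the response body as computed by the proxy


def parse_line(line: str) -> ProxyEntry:
    """Parse one whitespace-separated proxy record (constructed format)."""
    ts, client, dst_ip, url, ctype, digest = line.split()
    return ProxyEntry(ts, client, dst_ip, url, ctype, digest)


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def ip_only_verdict(dst_ip: str) -> str:
    """What a geo/IP blacklist alone decides: block listed ranges, pass the rest."""
    return "block" if in_any(dst_ip, GEO_BLOCKED_NETS) else "allow"


def content_verdict(e: ProxyEntry) -> str:
    """Decide on what was actually served, ignoring where it came from."""
    if e.sha256 in KNOWN_BAD_SHA256:
        return "block:known-bad-hash"
    path = e.url.split("?", 1)[0].lower()
    if e.content_type in EXECUTABLE_TYPES and path.endswith(BENIGN_EXTENSIONS):
        return "block:executable-masquerading"
    return "allow"


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run both policies over each record and report the verdicts side by side."""
    out = []
    for line in lines:
        e = parse_line(line)
        out.append({
            "url": e.url,
            "dst_ip": e.dst_ip,
            "from_trusted_range": in_any(e.dst_ip, TRUSTED_NETS),
            "ip_only": ip_only_verdict(e.dst_ip),
            "content": content_verdict(e),
        })
    return out


# Constructed log lines: ts client dst_ip url content_type sha256
SAMPLE_LOG = [
    "2013-06-17T10:01:02Z 10.0.0.5 203.0.113.10 http://cdn.example.net/logo.png image/png " + "11" * 32,
    "2013-06-17T10:01:09Z 10.0.0.5 203.0.113.77 http://img-host.example.net/photo.jpg application/x-dosexec " + "deadbeef" * 8,
    "2013-06-17T10:02:41Z 10.0.0.8 198.51.100.9 http://files.example.org/report.pdf?id=7 application/x-msdownload " + "ab" * 32,
    "2013-06-17T10:03:15Z 10.0.0.8 192.0.2.33 http://dl.example.com/setup.exe application/x-dosexec " + "cd" * 32,
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['dst_ip']:<14} trusted={r['from_trusted_range']!s:<5} "
              f"ip_only={r['ip_only']:<5} content={r['content']}  {r['url']}")
```

The second and third records come from the "trusted" ranges, so the IP-only policy allows both even though one carries a known-bad body and the other is an executable dressed up as a PDF; only the content rules catch them. The fourth record shows the reverse: an unknown executable from a blacklisted range passes the content rules and is stopped only by the IP layer. Neither layer replaces the other, which is the practical reading of the report's finding.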
None of this should come as a huge surprise; we've seen crafty criminals use cloud services before. In 2009, security researchers discovered a Zeus botnet command-and-control server running on an Amazon EC2 instance. Amazon located it and shut it down, and it has a process in place to collect and investigate vulnerability reports.
However, the scope of the problem may be a bit surprising. And it's never comforting to think about your own public cloud-based resources sharing server space with cybercriminals, for several reasons.
Theoretically, if a criminal can bust out of their own cloud instance (virtual machine) and into the provider's back-end systems, they might be able to reach other instances residing on the same physical server through that back-end. And theoretically, if law enforcement chooses to seize servers they suspect are being used for criminal purposes (even though that would be relatively pointless in the case of a cloud provider's servers), the seizure could cut off your access to your own instances that happened to be running on that hardware at the time. Cloud providers have taken steps to combat both problems, but neither scenario is inconceivable.
Obviously, we want cloud providers to responsibly monitor their systems in order to find malicious actors abusing their services. However, we don't want them to be too sneaky and snoopy; we don't want them barging into our own cloud instances and rifling through all our stuff.
What do you think? Do these findings cause you any disquiet? Do they alter your decisions about your own company's use of the cloud? Are you at all surprised? Do you think your security staff is savvy enough to detect malware coming from familiar IP addresses that the anti-virus software might not even detect? Let us know in the comments below.