Common Cloud Threats: Malware Hosting

David Puzas - January 23, 2023

Enterprise IT leaders are not the only ones who understand the potential of cloud hosting. The uptime and scalability it offers legitimate businesses are equally available to cybercriminals, and malware served from cloud infrastructure is another aspect of the growing threat landscape enterprises must contend with.

Attackers often use underground hosting services to avoid detection, but it is not uncommon for them to turn to legitimate cloud hosting services instead. Cybercriminals can use a free or compromised hosting account to host malware while using the hosting provider’s reputation as cover: defenders cannot simply block the provider’s domains without also breaking the legitimate business traffic that depends on them.

Common Cloud Attack Vectors

Some examples of the attacks that threat actors use to target cloud systems are:

Distributed denial of service (DDoS)

DDoS attacks overwhelm a target with traffic to disrupt its operations.

Exploiting live migrations

Live migration moves a running VM between physical hosts. The process can be compromised in a number of ways, such as tampering with the VM’s memory and configuration in transit so that the migrated system arrives in a vulnerable state, or triggering large numbers of bogus migrations to exhaust host resources and cause a DoS.

Hypervisor denial of service (DoS)

This type of DoS attack targets the hypervisor. If successful, it can affect all of the virtual machines (VMs) a host is running.

Hypercall attack

A hypercall is a request a guest VM makes to the hypervisor, analogous to a system call. A hypercall attack abuses a vulnerable hypercall handler from inside a VM and could lead to the execution of malicious code with the privileges of the virtual machine manager.

Hyperjacking

These attacks are aimed at taking control of the hypervisor itself. If successful, a threat actor can modify any VM running on the host and take other malicious actions from a position below the guest operating systems, where guest-level security tools cannot see.

In addition to these attacks, threat actors have also increased their use of Linux malware, particularly ransomware, to target cloud environments.


How Malware Hosting Works

These security threats help create a challenging threat landscape that organizations must defend against. For attackers, staying under the radar is a top priority. Both eCrime and targeted intrusion adversaries extensively leverage legitimate cloud services to deliver malware; targeted actors also use these services for command and control (C2).

This tactic helps evade reputation-based and signature-based detections because the domains of major cloud hosting services are typically trusted, and often allow-listed, by web filters and network scanning services. Using legitimate cloud services, including chat applications, lets adversaries blend into normal network traffic and slip past some security controls. Moreover, using cloud-hosting providers for C2 lets the adversary switch or remove payloads at a C2 URL with ease, so a detection keyed to a single file hash or URL goes stale quickly.

How to Protect Your Environment From Malware Hosting

Educate and train employees

Security awareness training helps employees recognize the social engineering tactics used to deliver these payloads. Additionally, security teams must understand cloud technologies and the vulnerabilities, risks and threats that can lead to compromises.

Strengthen access control

Protecting access to cloud resources requires visibility into the entire cloud environment. Organizations should use the identity and access management (IAM) services native to their cloud platform to implement role-based, fine-grained access control to cloud resources, granting each identity only the permissions its role requires.

Practice user or network segmentation to control the spread of malware

Start with basic segmentation of cloud workloads between different virtual networks and only allow required communication between them. Additionally, incoming traffic to your applications should be restricted using network or application layer firewalls.

Implement cloud-native application protection platform (CNAPP) capabilities to detect and respond

A CNAPP is an all-in-one cloud-native software platform that simplifies monitoring, detecting and acting on potential cloud security threats and vulnerabilities. A CNAPP combines multiple tools and capabilities into a single software solution to minimize complexity and facilitate DevOps and DevSecOps team operations while offering end-to-end cloud and application security through the entirety of the continuous integration and continuous delivery/deployment (CI/CD) application lifecycle.

The CrowdStrike Falcon® platform offers powerful CNAPP capabilities to secure containers and help developers rapidly identify and remediate cloud vulnerabilities.

Leverage cloud threat hunting

Threat hunting is the practice of proactively searching for cyber threats lurking undetected in your network. Cloud threat hunting digs deep to find malicious actors in your environment that have slipped past your initial cloud security defenses.
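A concrete way to hunt for the behavior described under "How Malware Hosting Works", as an added example that is not part of the original article and not CrowdStrike tooling: the script below runs two checks over constructed proxy log lines. It flags executable-looking downloads from cloud storage tenants the organization does not own (the payload-hosting case) and regularly spaced requests from one internal host to one cloud service (the C2 beacon case). The log format, the host-matching rules, the approved-tenant list and the thresholds are assumptions chosen for illustration.

```python
"""Hunt proxy logs for malware staging and C2 hidden behind trusted cloud domains.
Added example for this article, not CrowdStrike code; log format, host rules,
approved-tenant list and thresholds are illustrative assumptions."""
import os
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: timestamp src_ip method url status bytes content-type.
SAMPLE_LOG = """\
2023-01-23T09:00:00Z 10.1.4.22 GET https://corp-releases.s3.amazonaws.com/app/1.2/setup.exe 200 812345 application/octet-stream
2023-01-23T09:02:11Z 10.1.4.22 GET https://x9q2-drop.s3.amazonaws.com/img/logo.png 200 48213 image/png
2023-01-23T09:05:00Z 10.1.4.37 GET https://cdn.discordapp.com/attachments/1111/2222/update.exe 200 523211 application/octet-stream
2023-01-23T09:05:02Z 10.1.4.37 GET https://www.example.org/index.html 200 5120 text/html
2023-01-23T09:09:30Z 10.1.4.37 GET https://x9q2-drop.s3.amazonaws.com/u/stage2.bin 200 40960 application/octet-stream
2023-01-23T09:10:00Z 10.1.4.37 POST https://x9q2-drop.s3.amazonaws.com/b/ 200 312 application/octet-stream
2023-01-23T09:10:30Z 10.1.4.37 POST https://x9q2-drop.s3.amazonaws.com/b/ 200 310 application/octet-stream
2023-01-23T09:11:00Z 10.1.4.37 POST https://x9q2-drop.s3.amazonaws.com/b/ 200 315 application/octet-stream
2023-01-23T09:11:31Z 10.1.4.37 POST https://x9q2-drop.s3.amazonaws.com/b/ 200 309 application/octet-stream
2023-01-23T09:12:00Z 10.1.4.37 POST https://x9q2-drop.s3.amazonaws.com/b/ 200 320 application/octet-stream
2023-01-23T09:30:05Z 10.1.4.51 GET https://storage.googleapis.com/corp-assets/style.css 200 2048 text/css
2023-01-23T09:00:05Z 10.1.4.51 GET https://storage.googleapis.com/corp-assets/style.css 200 2048 text/css
garbage line that does not parse
"""

APPROVED_TENANTS = {"corp-releases", "corp-assets"}   # storage tenants this org owns (assumption)
PAYLOAD_EXT = {".exe", ".dll", ".msi", ".ps1", ".bat", ".sh", ".elf", ".bin", ".zip", ".7z", ".iso"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-executable", "application/zip"}

def cloud_tenant(host, path):
    """(service, tenant) for public cloud storage/sharing hosts, else None.
    The tenant (bucket) separates our storage from an attacker's; services with
    no per-customer tenant (a chat CDN) get None, so they can never be approved."""
    first_seg = path.lstrip("/").split("/", 1)[0] or None
    if host.endswith(".amazonaws.com") and host.startswith(("s3.", "s3-")):
        return "s3", first_seg                          # path-style: s3.../bucket/key
    if host.endswith(".amazonaws.com") and ".s3" in host:
        return "s3", host.split(".s3", 1)[0]            # virtual-hosted: bucket.s3...
    if host == "storage.googleapis.com":
        return "gcs", first_seg
    if host == "cdn.discordapp.com":
        return "discord-cdn", None
    return None

def parse_log(text):
    """Parse the constructed space-separated format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, method, url, status, _size, ctype = parts
        u = urlparse(url)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                        "method": method, "host": (u.hostname or "").lower(),
                        "path": u.path, "status": int(status), "ctype": ctype.lower()})
    return records

def find_payload_downloads(records, approved=APPROVED_TENANTS):
    """Executable-looking content fetched from a cloud tenant we do not own."""
    hits = []
    for r in records:
        svc = cloud_tenant(r["host"], r["path"])
        if svc is None or r["method"] != "GET" or r["status"] != 200 or svc[1] in approved:
            continue
        ext = os.path.splitext(r["path"])[1].lower()
        if ext in PAYLOAD_EXT or r["ctype"] in PAYLOAD_TYPES:
            hits.append((r["src"], r["host"], r["path"]))
    return hits

def find_beacons(records, min_hits=4, max_cv=0.2, min_mean=5.0, max_mean=3600.0):
    """Evenly spaced requests from one internal host to one cloud service (C2 check-ins).
    Signal: low coefficient of variation (stdev / mean) of the inter-request gaps."""
    by_pair = defaultdict(list)
    for r in records:
        if cloud_tenant(r["host"], r["path"]) is not None:
            by_pair[(r["src"], r["host"])].append(r["ts"])
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()                                   # logs are not always in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if min_mean <= mean <= max_mean and cv <= max_cv:
            beacons.append((src, host, round(mean, 1), round(cv, 3)))
    return beacons

def hunt(log_text=SAMPLE_LOG, approved=APPROVED_TENANTS):
    records = parse_log(log_text)
    return {"payloads": find_payload_downloads(records, approved), "beacons": find_beacons(records)}

if __name__ == "__main__":
    for kind, findings in hunt().items():
        print(kind, *findings, sep="\n  ")
```

On the sample data the payload check reports the `update.exe` fetched from the chat CDN and `stage2.bin` from the unknown bucket, but not `setup.exe` from the organization’s own bucket, and the beacon check reports the host checking in to that unknown bucket every 30 seconds. The design point is that the host alone is not the indicator; the tenant behind it and the timing of the traffic are, which is what lets this coexist with legitimate use of the same providers.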


GET TO KNOW THE AUTHOR

David Puzas is a proven cybersecurity, cloud and IT services marketer and business leader with over two decades of experience. He has been charged with building client value and innovative outcomes for companies such as CrowdStrike, Dell SecureWorks and IBM and their clients worldwide. He focuses on the optimization of computing innovation, trends, and their business implications for market expansion and growth. David is responsible for strategically bringing to market CrowdStrike’s global cloud security portfolio as well as driving customer retention.