Bad guys are hosting more botnets and malware in the cloud and controlling them remotely from cloud servers.
The mission is to disguise malicious software as regular traffic between corporate end points and cloud-based services, said researchers at Trend Micro.
Hackers were using DropBox to host the command and control instructions for malware and botnets that have made it past corporate firewalls, said Trend Micro researchers.
“The same logic that drives business people to using cloud-based services is driving the bad guys to use the cloud too,” said Trans Micro Global Threat Communications Manager Christopher Budd.
Cybercriminals using cloud-based services to launch attacks is not new, Budd said that practice dates back more than five years. In the past, researchers found cases of hackers using cloud-based services to host malware and botnets which end up downloaded by end users and inflict their harm on various systems. Some types of botnets and malware are relatively small files not sophisticated enough to act on their own – they need some sort of direction. Typically that comes from command and control (C&C) software. In the past, bad guys hosted command and control software on servers that was suspicious.
Trend Micro found, though, is bad guys are using popular cloud-based services to host their C&C software. The advantage of this for the cybercriminals is the network traffic between the C&C software and the infected malware or botnet looks like regular traffic that would be communicating between a hosted cloud and the business. But, in fact, the C&C software is providing instructions on how the virus can inflict harm behind the company’s firewall.
Trend Micro said any cloud platform could host C&C software.
General protections could help ward off these types of attacks. Security professionals should monitor network traffic closely. If your business does not typically use cloud services, like DropBox, but there is all of a sudden a spike in traffic from those services, it is worth investigating that activity. If a company is already a regular DropBox user, then users would have to dig a bit deeper to monitor that traffic and look for suspicious activity, such as when the traffic is occurring. Anomalies are suspicious.
The issues Trend Micro found do not mean DropBox or other cloud providers suffered a compromise, nor does it mean that businesses who use services like DropBox are inherently in danger. This is just an evolution of cybercriminals using services like DropBox to not only host malware and botnets, but also control them.