Introduction
The cloud computing infrastructure is susceptible to malware injection attacks. In these instances, the cyber attacker creates a malicious application and injects it into a Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) layer. Once the injection is completed, the malicious module is executed as one of the valid instances running in the cloud infrastructure. From this point, the cyber attacker can then launch any sort of attack, such as covert eavesdropping, data manipulation, and data theft.
It is important to note that, among all of the malware injection attacks, the Structured Query Language (SQL) injection attack and the cross-site scripting attack are the two most common forms that can be launched against a cloud computing infrastructure.
The SQL injection attack
SQL injections target SQL servers in the cloud infrastructure that run vulnerable database applications. Thus, the cyber attacker exploits the vulnerabilities of the web servers, and from there, injects malicious code in order to circumvent the login credentials and gain unauthorised access to the backend databases.
If this is successful, the cyber attacker can then further manipulate the contents of the SQL server databases; retrieve confidential data; remotely execute system commands; or even take control of the web server for further criminal activities. The SQL injection attacks can also be launched by a botnet.
For example, the Asprox botnet used a thousand bots that were equipped with an SQL injection kit to fire an SQL injection attack (SOURCE: 1). The bots first sent encoded SQL queries containing the exploit payload to Google to search for web servers that ran the ASP.net framework.
Then, the bots started executing an SQL injection attack against the web sites returned from those queries. In the end, over 6 million URLs belonging to 153,000 different web sites that were hosted on various cloud infrastructures were impacted by the Asprox botnet.
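The defect that makes the login bypass described above possible is a query assembled by string concatenation; the fix is to bind user input as parameters so it can never change the SQL statement. The following added example (not code from the original article; the user table and credentials are constructed for the demonstration) runs a vulnerable and a parameterised login against the same in-memory SQLite database so the difference can be seen directly:

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the article.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db():
    """Create an in-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The weak form: user input is pasted straight into the SQL text, so a
    quote in the input ends the literal and the rest becomes SQL."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The hardened form: placeholders hand the values to the driver separately,
    so the input is only ever compared as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both login functions on the same input and report the outcomes."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print(compare("alice", "correct-horse"))  # valid credentials: both True
    print(compare("alice", "' OR '1'='1"))    # vulnerable True, parameterized False
```

With the tautology input the concatenated query's WHERE clause becomes `username = 'alice' AND password = '' OR '1'='1'`, which matches every row, whereas the parameterised query simply looks for a user whose password is literally that string and finds none. The same binding discipline applies to any other database driver in the cloud stack.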
Cross Site Scripting (XSS)
In this attack, the cyber attacker injects malicious scripts, such as JavaScript, VBScript, ActiveX, HTML, and Flash, into a vulnerable dynamic web page in order to execute these scripts in the victim’s web browser. Afterwards, the cyber attacker can steal the session cookie used for authorisation in order to access the victim’s account, or trick the victim into clicking a malicious link.
For example, cyber researchers in Germany recently demonstrated an XSS attack against the Amazon AWS Cloud Computing Platform. The vulnerability in the Amazon store allowed the team to hijack an AWS session and gain access to all of the customer data (this included authentication data, tokens, and plain text passwords) (SOURCE: 2).
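The XSS defect is a dynamic page that writes untrusted input into its markup unchanged; the mitigations are contextual output encoding plus cookie and policy headers that limit what an injected script could reach. The following added example (not from the original article; the input string and token are constructed) shows the vulnerable rendering beside the escaped one and the response headers that protect the session cookie the article mentions:

```python
import html

# Constructed input standing in for an untrusted query-string or form value.
CONSTRUCTED_INPUT = "<script>alert(1)</script>"


def render_greeting(name, escape_output=True):
    """Build the dynamic page fragment. escape_output=False reproduces the
    reflected-XSS defect: the input is written into the page as live markup.
    With escaping, '<' and '>' become entities and the browser shows text."""
    shown = html.escape(name, quote=True) if escape_output else name
    return "<p>Hello, %s</p>" % shown


def session_cookie_header(token):
    """Set-Cookie line whose flags limit the damage if a script does run:
    HttpOnly keeps the cookie out of document.cookie, Secure ties it to TLS,
    SameSite=Lax stops most cross-site requests from carrying it."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % token


def csp_header():
    """A conservative Content-Security-Policy: only same-origin scripts run,
    so an inline script injected into the page is refused by the browser."""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'"


if __name__ == "__main__":
    print(render_greeting(CONSTRUCTED_INPUT, escape_output=False))  # script tag reaches the browser
    print(render_greeting(CONSTRUCTED_INPUT))                        # rendered as harmless text
    print(session_cookie_header("constructed-token"))
    print(csp_header())
```

Output encoding must match the context the value lands in (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), and HttpOnly is what denies a successful script the session cookie the article describes being stolen.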
The wrapping attack
Wrapping attacks make use of the Extensible Markup Language (XML) signature wrapping (or XML rewriting) to exploit a weakness when web servers validate signed requests. This type of cyber attack is accomplished during the translation of Simple Object Access Protocol (SOAP) messages between a legitimate user and the web server.
The cyber attacker embeds a bogus element (the wrapper) into the message structure, moves the original message body under the wrapper, and replaces the content of the message with malicious code. From here, it is then sent to the server hosted on the cloud computing infrastructure.
Since the original message body is still valid, the server is tricked into authorising a message that has actually been altered. As a result, the cyber attacker is then able to gain unauthorised access to protected resources. From here, the illegal operations can then proceed.
Since cloud users normally request services from cloud computing service providers through a web browser, wrapping attacks can cause damage to cloud systems as well. Amazon’s Elastic Compute Cloud (EC2) was discovered to be vulnerable to wrapping attacks in 2008 (SOURCE: 3).
The research showed that the EC2 had a weakness in the SOAP message security validation mechanism. A signed SOAP request of a legitimate user could be intercepted and modified. As a result, the cyber attacker could then take unprivileged actions on the victim’s accounts in the cloud environment.
By using the XML signature wrapping technique, the cyber researchers also demonstrated an account hijacking attack that exploited a vulnerability in the Amazon AWS (SOURCE: 4). By altering authorised digitally signed SOAP messages, the cyber researchers were then able to obtain unauthorised access to a customer’s account. They could also delete and create new images on the customer’s EC2 instance, and also perform other administrative tasks.
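The weakness the wrapping attack relies on is that the signature verifier locates the signed element by its ID while the application acts on whatever sits at Envelope/Body, and nothing checks that the two are the same element. The following added example (not code from the original article or from Amazon; the two SOAP messages are constructed and the ds:Signature is reduced to its Reference, since real signature verification is assumed to be done by an XML-DSig library before this check) implements that missing structural check:

```python
import xml.etree.ElementTree as ET

# Standard namespaces used by SOAP 1.1, XML-DSig and WS-Security utility IDs.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_body_is_the_processed_body(xml_text):
    """True only if the element the Signature references is the very element
    the application will act on (the Body directly under the Envelope).
    A wrapped message fails because the signed Body now lives elsewhere."""
    root = ET.fromstring(xml_text)
    processed_body = root.find("soap:Body", NS)
    reference = root.find(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if processed_body is None or reference is None:
        return False
    uri = reference.get("URI", "")
    if not uri.startswith("#"):
        return False  # only same-document ID references are accepted here
    target_id = uri[1:]
    # Collect every element carrying the referenced wsu:Id anywhere in the tree.
    matches = [el for el in root.iter() if el.get(WSU_ID) == target_id]
    if len(matches) != 1:
        return False  # a missing or duplicated ID is itself a reason to reject
    return matches[0] is processed_body


# Constructed legitimate request: the signed Body is the one that is processed.
LEGITIMATE_REQUEST = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:ds="%(ds)s" xmlns:wsu="%(wsu)s">
  <soap:Header>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
  </soap:Header>
  <soap:Body wsu:Id="body"><ExampleOperation/></soap:Body>
</soap:Envelope>""" % NS

# Constructed wrapped request: the signed Body was moved under a wrapper in the
# Header and an unsigned Body with different content was put in its place.
WRAPPED_REQUEST = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:ds="%(ds)s" xmlns:wsu="%(wsu)s">
  <soap:Header>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
    <Wrapper>
      <soap:Body wsu:Id="body"><ExampleOperation/></soap:Body>
    </Wrapper>
  </soap:Header>
  <soap:Body><AlteredOperation/></soap:Body>
</soap:Envelope>""" % NS


if __name__ == "__main__":
    print(signed_body_is_the_processed_body(LEGITIMATE_REQUEST))  # True
    print(signed_body_is_the_processed_body(WRAPPED_REQUEST))     # False
```

The check works on element identity rather than on ID strings, which is why a duplicated ID is rejected outright instead of resolved to whichever copy the verifier happens to find first. Running it after cryptographic verification and before dispatching the operation closes the gap between "a valid signature exists somewhere in this message" and "the part we are about to execute is what was signed".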
A future article will examine other types of threat variants to a cloud infrastructure.
Sources
- N. Provos, M. A. Rajab, and P. Mavrommatis, “Cybercrime 2.0: When the Cloud Turns Dark,” ACM Communications, Vol. 52, No. 4, pp. 42–47, 2009.
- Researchers Demo Cloud Security Issue With Amazon AWS Attack, October 2011.
- N. Gruschka and L. L. Iacono, “Vulnerable Cloud: SOAP Message Security Validation Revisited,” IEEE International Conference on Web Services, Los Angeles, 2009.
- Researchers Demo Cloud Security Issue With Amazon AWS Attack, October 2011.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io