by Sara Peters, DarkReading
Researchers take advantage of cloud service providers’ free trials and lousy anti-automation controls to use cloud instances like bots.
LAS VEGAS — Black Hat USA — Thrifty attackers, are you tired of investing your dollars in a botnet that’s constantly being disrupted by new anti-virus signatures and bot downtime? A “cloudbot” might be just what you seek. As shown at Black Hat last week by Rob Ragan and Oscar Salazar, senior security associates at Bishop Fox, cloudbots are entirely free and very resilient, and they offer all the uptime of a cloud service with no need for malware. Good news for bot masters working on the cheap.
Bad news for cloud service providers that use poor anti-automation measures. As Salazar and Ragan showed in their Black Hat session, “Cloudbots: Harvesting CryptoCoins Like a Botnet Farmer,” confirming registrations with email alone is not enough to prove a registrant is a unique human. Without adding captchas, SMS verification, or other anti-automation measures, online services could find themselves powering activities like cryptocurrency mining and denial-of-service attacks.
The researchers specifically went after free cloud services — or those with free trials — that host infrastructure or development platforms.
“We were able to gather thousands of those [services’] accounts and control them just as a botnet herder would control a traditional botnet by spreading malware,” Ragan says in an interview with DarkReading. “We were basically able to register a bunch of free trials and have control over these accounts… and build a system — a framework, if you will — for targeting online services.”