Microsoft Warns that Virtual Machines Could Be Turned into Botnets
Microsoft, Google and many other cloud providers have spent years promoting the security of their cloud environments for businesses and individuals. However, that doesn’t mean that the cloud is entirely safe.
Last month, Microsoft warned businesses that hackers and other cybercriminals are compromising virtual machines (VMs) deployed via the cloud and using those VMs to launch further attacks. What is this threat and what can your organization do to combat it? There are many ways to protect virtual machines from being taken over, but organizations need to understand the nature of the threats they face.
Microsoft Highlights Botnets and "Cloud Weaponization"
The threat was detailed in the latest edition of the Microsoft Security Intelligence Report (SIR), which covered the first half of 2016. The report focuses on software vulnerabilities, software vulnerability exploits, malware, and unwanted software.
Microsoft notes that “in the cloud weaponization threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising, and taking control of, a few virtual machines.”
After that, the malicious actors can then use the VMs “to attack, compromise, and control thousands of virtual machines — some within the same public cloud service provider as the initial attack, and others inside other public cloud service providers.”
The network of compromised machines built this way is known as a botnet, and the same structure was used last fall to spread Mirai malware using devices connected to the Internet of Things. That incident was a massive distributed denial of service (DDoS) attack that directed junk internet traffic at domain name system provider Dyn until it could no longer accommodate legitimate traffic, leading to the shutdown of many popular web services.
Similarly, the SIR states, in the cloud weaponization model “each of the compromised VMs has malware installed that establishes a backdoor connection to the attacker’s command and control servers, from which the attacker can issue commands to the thousands of compromised virtual machines to attack targets throughout the internet.” Cloud weaponization can be implemented in a number of ways using a variety of attacks, according to Microsoft, including DDoS, brute force Secure Shell (SSH), Remote Desktop Protocol (RDP), unsolicited messaging (spamming), port scanning and port sweeping.
Microsoft says its Azure cloud platform “actively monitors for cloud weaponization” to protect businesses.
According to the SIR, 41 percent of the cloud attacks Azure caught in September 2016 were attempts to establish communication with a malicious IP address. Another 25 percent were brute force RDP attacks, which try one password after another against the Remote Desktop Protocol service that Microsoft employs to let users access their desktops over a network. One-fifth (20.5 percent) of the cloud attacks were spam and 7.6 percent were DDoS attacks.
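The two largest categories in those figures, contact with a malicious IP address and brute force logons, both leave traces in ordinary VM telemetry. The following is an added example, not code from Microsoft or the SIR, that runs two simple detections over constructed log lines: a sliding-window count of failed SSH/RDP logons per source address, and a check of outbound connections against a blocklist. The log format, host names, addresses (from the TEST-NET ranges) and the blocklist are all constructed for the example.

```python
"""Added example: detecting brute-force logons and contact with a known-bad IP
in VM logs. Sample lines and the blocklist are constructed, not real telemetry."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: sshd-style failures and Windows RDP failures normalised to
# one line format for this example (timestamp host service: message).
AUTH_LOG = """\
2016-09-01T10:00:01 vm-web-01 sshd[2311]: Failed password for root from 203.0.113.5 port 51234 ssh2
2016-09-01T10:00:02 vm-web-01 sshd[2311]: Failed password for root from 203.0.113.5 port 51235 ssh2
2016-09-01T10:00:03 vm-web-01 sshd[2311]: Failed password for admin from 203.0.113.5 port 51236 ssh2
2016-09-01T10:00:04 vm-web-01 sshd[2311]: Failed password for admin from 203.0.113.5 port 51237 ssh2
2016-09-01T10:00:05 vm-web-01 sshd[2311]: Failed password for oracle from 203.0.113.5 port 51238 ssh2
2016-09-01T10:00:09 vm-web-01 sshd[2312]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
2016-09-01T10:05:00 vm-app-02 rdp: Failed logon for Administrator from 203.0.113.77 logontype 10
2016-09-01T10:20:00 vm-app-02 rdp: Failed logon for Administrator from 203.0.113.77 logontype 10
"""

# Constructed sample of outbound connection records from two VMs.
CONN_LOG = """\
2016-09-01T10:30:00 vm-web-01 conn out 10.0.1.4:44321 -> 198.51.100.9:443 tcp
2016-09-01T10:30:05 vm-web-01 conn out 10.0.1.4:44322 -> 203.0.113.200:6667 tcp
2016-09-01T10:30:10 vm-db-01 conn out 10.0.2.4:55000 -> 203.0.113.200:6667 tcp
"""
MALICIOUS_IPS = {"203.0.113.200"}  # constructed blocklist (hypothetical)

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>sshd|rdp)\S*: Failed (?:password|logon) for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn out \S+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return (source_ip, host, service, count) for each source that produced
    `threshold` or more failed logons within `window_seconds` against one host."""
    windows = defaultdict(deque)  # (src, host, svc) -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logons and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["host"], m["svc"])
        q = windows[key]
        q.append(ts)
        # Evict failures older than the window so the count is a true sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per source/host/service
            alerts.append((m["src"], m["host"], m["svc"], len(q)))
    return alerts


def detect_c2_contacts(log_text, blocklist):
    """Return (host, destination_ip, port) for every outbound connection whose
    destination is on the blocklist; such a VM is a candidate for isolation."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m and m["dst"] in blocklist:
            hits.append((m["host"], m["dst"], int(m["port"])))
    return hits


if __name__ == "__main__":
    for alert in detect_brute_force(AUTH_LOG):
        print("brute force:", alert)
    for hit in detect_c2_contacts(CONN_LOG, MALICIOUS_IPS):
        print("blocklisted destination:", hit)
```

With the defaults, the SSH source with five failures in four seconds is reported and the RDP source with two failures fifteen minutes apart is not; lowering the threshold or widening the window, as the second assertion below does, surfaces slow, low-rate guessing at the cost of more alerts to triage. The blocklist check is deliberately exact-match; a production version would consult a threat-intelligence feed and match on ranges as well.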
Protecting Your Virtual Machines from Botnet Threats
Microsoft says these attacks were discovered, and in many cases mitigated, by Azure Security Center’s advanced detection mechanisms.
“By combining Microsoft global threat intelligence and expertise with insights into cloud security-related events across your Azure deployments, Azure Security Center helps you detect actual threats early, and it reduces false positives,” the company writes on its Azure website. “Cloud security alerts offer insights into the attack campaign, including related events and impacted resources, and suggest ways to remediate issues and recover quickly.”
There are many ways to protect VMs from being taken over and used against your organization. Eugene Kaspersky, CEO and co-founder of security firm Kaspersky Lab, notes three ways. First, in an “agentless” approach, users have “a dedicated virtual machine with the anti-virus engine installed on it.” That VM “does the malware scanning on the rest of the virtual infrastructure by connecting to the rest of the virtual machines using native” VMware vShield technology. That technology also interacts with the anti-virus’ system management “so it knows the settings and applied policies, when to turn protection on and off, how to optimize, and so on.”
However, Kaspersky writes, “the vShield interface permits only basic file scanning” and “foregoes all the following progressive protection technologies: Application Control, System Watcher, white listing, heuristics, device control and web control.”
Another approach is what Kaspersky calls “light agent,” which “replaced vShield and connects the virtual machine to the anti-virus engine that resides on the Security Virtual Appliance.”
“Despite the name, Light Agent will still always be ‘heavier’ than an agentless solution, for it requires some memory on every virtual machine, processor power, and other resources,” Kaspersky writes. “Nevertheless, with today’s computers’ mega-horsepower, Light Agent’s appetite is relatively meager.”
Additionally, Kaspersky highlights the need for traditional endpoint security. “Sure, it will be problematic on the whole to fine tune such a setup given a sprawling virtual infrastructure, and maintenance and upkeep of such a solution will surely take up more human resources, but sometimes there are situations when such an approach is appropriate,” he says.
There are other concerns with VM security to bear in mind. “Hypervisors will become a very attractive target for hackers due to the number of potential guest machines that can be compromised and also the sheer power of virtualization servers,” an article on Tom’s IT Pro notes.
An easy way to secure VMs is to “use separate groups of physical uplinks for groups of similar VLAN,” the article notes. “This essentially means keeping web-facing traffic separate from the database traffic, for example. In other words, keep the traffic in physically separate network tiers so that the database server will never be able to directly talk to the internal network.”
In terms of protecting a hypervisor, Tom’s IT Pro “strongly advises” users “to use the built-in firewall (most hypervisor platforms have them) to restrict access to the management network and also keep the uplinks separate using appropriate techniques (routing and firewalls).”
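The segmentation advice above reduces to a handful of invariants that a firewall ruleset either satisfies or does not: the management network is reachable only from an administrative network, no remote-access port is open to the internet, the database tier cannot initiate connections into the internal network, and the one path the application needs (web tier to database) still works. The following added example, which is not code from Tom’s IT Pro or any hypervisor vendor, encodes those invariants as a checker and runs it against a weak ruleset and a hardened one. The rule format, tier names, addressing and the first-match evaluation order are assumptions made for the example; the real syntax depends on the hypervisor or cloud firewall in use.

```python
"""Added example: checking a VM firewall ruleset against the segmentation
invariants described above. Tiers, addresses and rules are hypothetical."""
from ipaddress import ip_address, ip_network

# One representative host per tier (constructed). Checking a single host per
# tier is a quick sanity test, not a proof over every address in the range.
REPRESENTATIVE = {
    "internet": "198.51.100.1",
    "admin": "10.0.0.5",
    "mgmt": "10.0.10.5",      # hypervisor / VM management interfaces
    "web": "10.0.1.5",
    "db": "10.0.2.5",
    "internal": "10.0.3.5",
}

# A rule is (source CIDR, destination CIDR, TCP port or "*", "allow" | "deny").
# Rules are evaluated first-match from the top; no match means deny.
WEAK_RULES = [
    ("0.0.0.0/0", "10.0.10.0/24", 22, "allow"),     # management reachable from anywhere
    ("0.0.0.0/0", "10.0.1.0/24", 3389, "allow"),    # RDP on the web tier open to the world
    ("0.0.0.0/0", "10.0.1.0/24", 443, "allow"),
    ("10.0.1.0/24", "10.0.2.0/24", 5432, "allow"),
    ("10.0.2.0/24", "10.0.3.0/24", "*", "allow"),   # database tier can reach the internal net
    ("0.0.0.0/0", "0.0.0.0/0", "*", "deny"),
]

HARDENED_RULES = [
    ("10.0.0.0/24", "10.0.10.0/24", 22, "allow"),   # management only from the admin net
    ("0.0.0.0/0", "10.0.1.0/24", 443, "allow"),     # only the web front end faces the internet
    ("10.0.1.0/24", "10.0.2.0/24", 5432, "allow"),  # the one required cross-tier path
    ("0.0.0.0/0", "0.0.0.0/0", "*", "deny"),
]


def is_allowed(rules, src, dst, port):
    """Decide a single flow: the first matching rule wins, default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if s in ip_network(rule_src) and d in ip_network(rule_dst) and rule_port in ("*", port):
            return action == "allow"
    return False


def check_segmentation(rules):
    """Return a list of readable policy violations; an empty list means compliant."""
    r = REPRESENTATIVE
    violations = []
    # 1. Management interfaces reachable only from the admin network.
    for tier in ("internet", "web", "db", "internal"):
        if is_allowed(rules, r[tier], r["mgmt"], 22):
            violations.append(f"management network reachable from {tier}")
    # 2. No SSH/RDP exposed directly to the internet on any tier.
    for port in (22, 3389):
        for tier in ("web", "db", "mgmt", "internal"):
            if is_allowed(rules, r["internet"], r[tier], port):
                violations.append(f"port {port} on {tier} open to the internet")
    # 3. The database server must never talk directly to the internal network.
    for port in (22, 445, 3389):
        if is_allowed(rules, r["db"], r["internal"], port):
            violations.append(f"db tier can reach internal network on port {port}")
            break
    # 4. Hardening must not break the paths the application and admins need.
    if not is_allowed(rules, r["web"], r["db"], 5432):
        violations.append("web tier cannot reach database on 5432 (required path blocked)")
    if not is_allowed(rules, r["admin"], r["mgmt"], 22):
        violations.append("admin network cannot reach management (required path blocked)")
    return violations


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, check_segmentation(rules) or "compliant")
```

The weak ruleset fails seven checks, all traceable to its first, second and fifth rules; the hardened one passes every check including the two positive ones, which is the part most often forgotten when tightening rules. Because evaluation is first-match, a broad allow placed above a narrower deny silently wins, so the checker tests actual flow decisions rather than inspecting rules in isolation.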