Saved in:
Bibliographic Details
Main Authors: Frieß, Jens, Gattermayer, Tobias, Gelernter, Nethanel, Schulmann, Haya, Waidner, Michael
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2403.19368
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914732006440960
author Frieß, Jens
Gattermayer, Tobias
Gelernter, Nethanel
Schulmann, Haya
Waidner, Michael
author_facet Frieß, Jens
Gattermayer, Tobias
Gelernter, Nethanel
Schulmann, Haya
Waidner, Michael
contents Recent works showed that it is feasible to hijack resources on cloud platforms. In such hijacks, attackers can take over released resources that belong to legitimate organizations. It was proposed that adversaries could abuse these resources to carry out attacks against customers of the hijacked services, e.g., through malware distribution. However, to date, no research has confirmed the existence of these attacks. We identify, for the first time, real-life hijacks of cloud resources. This yields a number of surprising and important insights. First, contrary to previous assumption that attackers primarily target IP addresses, our findings reveal that the type of resource is not the main consideration in a hijack. Attackers focus on hijacking records that allow them to determine the resource by entering freetext. The costs and overhead of hijacking such records are much lower than those of hijacking IP addresses, which are randomly selected from a large pool. Second, identifying hijacks poses a substantial challenge. Monitoring resource changes, e.g., changes in content, is insufficient, since such changes could also be legitimate. Retrospective analysis of digital assets to identify hijacks is also arduous due to the immense volume of data involved and the absence of indicators to search for. To address this challenge, we develop a novel approach that involves analyzing data from diverse sources to effectively differentiate between malicious and legitimate modifications. Our analysis has revealed 20,904 instances of hijacked resources on popular cloud platforms. While some hijacks are short-lived (up to 15 days), 1/3 persist for more than 65 days. We study how attackers abuse the hijacked resources and find that, in contrast to the threats considered in previous work, the majority of the abuse (75%) is blackhat search engine optimization.
format Preprint
id arxiv_https___arxiv_org_abs_2403_19368
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms
Frieß, Jens
Gattermayer, Tobias
Gelernter, Nethanel
Schulmann, Haya
Waidner, Michael
Networking and Internet Architecture
Cryptography and Security
Recent works showed that it is feasible to hijack resources on cloud platforms. In such hijacks, attackers can take over released resources that belong to legitimate organizations. It was proposed that adversaries could abuse these resources to carry out attacks against customers of the hijacked services, e.g., through malware distribution. However, to date, no research has confirmed the existence of these attacks. We identify, for the first time, real-life hijacks of cloud resources. This yields a number of surprising and important insights. First, contrary to previous assumption that attackers primarily target IP addresses, our findings reveal that the type of resource is not the main consideration in a hijack. Attackers focus on hijacking records that allow them to determine the resource by entering freetext. The costs and overhead of hijacking such records are much lower than those of hijacking IP addresses, which are randomly selected from a large pool. Second, identifying hijacks poses a substantial challenge. Monitoring resource changes, e.g., changes in content, is insufficient, since such changes could also be legitimate. Retrospective analysis of digital assets to identify hijacks is also arduous due to the immense volume of data involved and the absence of indicators to search for. To address this challenge, we develop a novel approach that involves analyzing data from diverse sources to effectively differentiate between malicious and legitimate modifications. Our analysis has revealed 20,904 instances of hijacked resources on popular cloud platforms. While some hijacks are short-lived (up to 15 days), 1/3 persist for more than 65 days. We study how attackers abuse the hijacked resources and find that, in contrast to the threats considered in previous work, the majority of the abuse (75%) is blackhat search engine optimization.
title Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms
topic Networking and Internet Architecture
Cryptography and Security
url https://arxiv.org/abs/2403.19368