“Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited.”Tweet
In its latest research, cybersecurity solutions firm Trend Micro found out that believed to be ultra-secure on-premise (on-prem) servers have been abused by cybercriminals along with other cloud-based servers. The servers are being “rented out” where criminals earn.
This is one of the major findings in Trend Micro’s second of a three-part report series which is looking into the activities of the “underground market.” The firm also flags organizations’ IT people to keep an eye on cybercriminals’ cryptocurrency mining activity. The research found idle servers are being injected with mining software while hackers “plot larger money-making schemes.”
Trend Micro discovered criminals mine valuable data and sell server access which they would use for future attacks. In other words, the servers are used like a warehouse where they keep their malicious software to be used for say, ransomware attacks.
The report also covers emerging trends for underground infrastructure services, including abuse of telephony services and satellite infrastructure, and “parasitic” computing for rent including hidden RDP and VNC.
“From dedicated bulletproof hosting to anonymizing services, domain name provision, and compromised legitimate assets, the cybercriminal underground boasts a sophisticated range of infrastructure offerings to support monetization campaigns of all types,” said Bob McArdle, director of forward-looking threat research for Trend Micro in a media alert. “Our goal is to raise awareness and understanding of cybercriminal infrastructure to help law enforcement agencies, customers, and other researchers block avenues for cybercrime and drive costs up for threat actors.”
The report lists the main underground hosting services available today, providing technical details of how they work and how criminals use them to run their businesses. This includes a detailed description of the typical lifecycle of a compromised server, from initial compromise to final attack.
It is no secret that the cloud server is vulnerable to attacks but criminals have been abusing its vulnerabilities.
“Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited,” McArdle said.
Trend Micro said cybercriminals might look to exploit vulnerabilities in server software, use brute-force attacks to compromise credentials, or steal logins and deploy malware via phishing attacks. They may even target infrastructure management software (cloud API keys), which allows them to create new instances of virtual machines or supply resources. Once compromised, these cloud server assets could be sold on underground forums, dedicated marketplaces, and even social networks for use in a range of attacks.